🚀 Release v1.0.103

- Tipo: patch
- Database schema: database-schema/schema.sql (solo struttura)
- Data: 2026-01-02 16:33:13

.replit

@@ -14,14 +14,6 @@ run = ["npm", "run", "start"]
 localPort = 5000
 externalPort = 80
 
-[[ports]]
-localPort = 41303
-externalPort = 3002
-
-[[ports]]
-localPort = 43803
-externalPort = 3000
-
 [env]
 PORT = "5000"
 

MIKROTIK_API_FIX.md

@@ -0,0 +1,311 @@
+# Fix Connessione MikroTik API
+
+## 🐛 PROBLEMA RISOLTO
+
+**Errore**: Timeout connessione API MikroTik - router non rispondeva a richieste HTTP.
+
+**Causa Root**: Confusione tra **API Binary** (porta 8728) e **API REST** (porta 80/443).
+
+## 🔍 API MikroTik: Binary vs REST
+
+MikroTik RouterOS ha **DUE tipi di API completamente diversi**:
+
+| Tipo | Porta | Protocollo | RouterOS | Compatibilità |
+|------|-------|------------|----------|---------------|
+| **Binary API** | 8728 | Proprietario RouterOS | Tutte | ❌ Non HTTP (libreria `routeros-api`) |
+| **REST API** | 80/443 | HTTP/HTTPS standard | **>= 7.1** | ✅ HTTP con `httpx` |
+
+**IDS usa REST API** (httpx + HTTP), quindi:
+- ✅ **Porta 80** (HTTP) - **CONSIGLIATA**
+- ✅ **Porta 443** (HTTPS) - Se necessario SSL
+- ❌ **Porta 8728** - API Binary, NON REST (timeout)
+- ❌ **Porta 8729** - API Binary SSL, NON REST (timeout)
+
+## ✅ SOLUZIONE
+
+### 1️⃣ Verifica RouterOS Versione
+
+```bash
+# Sul router MikroTik (via Winbox/SSH)
+/system resource print
+```
+
+**Se RouterOS >= 7.1** → Usa **REST API** (porta 80/443)  
+**Se RouterOS < 7.1** → REST API non esiste, usa API Binary
+
+### 2️⃣ Configurazione Porta Corretta
+
+**Per RouterOS 7.14.2 (Alfabit):**
+
+```sql
+-- Database: Usa porta 80 (REST API HTTP)
+UPDATE routers SET api_port = 80 WHERE name = 'Alfabit';
+```
+
+**Porte disponibili**:
+- **80** → REST API HTTP (✅ CONSIGLIATA)
+- **443** → REST API HTTPS (se SSL richiesto)
+- ~~8728~~ → API Binary (non compatibile)
+- ~~8729~~ → API Binary SSL (non compatibile)
+
+### 3️⃣ Test Manuale
+
+```bash
+# Test connessione porta 80
+curl http://185.203.24.2:80/rest/system/identity \
+  -u admin:password \
+  --max-time 5
+
+# Output atteso:
+# {"name":"AlfaBit"}
+```
+
+---
+
+## 📋 VERIFICA CONFIGURAZIONE ROUTER
+
+### 1️⃣ Controlla Database
+
+```sql
+-- Su AlmaLinux
+psql $DATABASE_URL -c "SELECT name, ip_address, api_port, username, enabled FROM routers WHERE enabled = true;"
+```
+
+**Output Atteso**:
+```
+name          | ip_address    | api_port | username | enabled
+--------------+---------------+----------+----------+---------
+Alfabit       | 185.203.24.2  | 80       | admin    | t
+```
+
+**Verifica**:
+- ✅ `api_port` = **80** (REST API HTTP)
+- ✅ `enabled` = **true**
+- ✅ `username` e `password` corretti
+
+**Se porta errata**:
+```sql
+-- Cambia porta da 8728 a 80
+UPDATE routers SET api_port = 80 WHERE ip_address = '185.203.24.2';
+```
+
+### 2️⃣ Testa Connessione Python
+
+```bash
+# Su AlmaLinux
+cd /opt/ids/python_ml
+source venv/bin/activate
+
+# Test connessione automatico (usa dati dal database)
+python3 test_mikrotik_connection.py
+```
+
+**Output atteso**:
+```
+✅ Connessione OK!
+✅ Trovati X IP in lista 'ddos_blocked'
+✅ IP bloccato con successo!
+✅ IP sbloccato con successo!
+```
+
+---
+
+## 🚀 DEPLOYMENT SU ALMALINUX
+
+### Workflow Completo
+
+#### 1️⃣ **Su Replit** (GIÀ FATTO ✅)
+- File `python_ml/mikrotik_manager.py` modificato
+- Fix già committato su Replit
+
+#### 2️⃣ **Locale - Push GitLab**
+```bash
+# Dalla tua macchina locale (NON su Replit - è bloccato)
+./push-gitlab.sh
+```
+
+Input richiesti:
+```
+Commit message: Fix MikroTik API - porta non usata in base_url
+```
+
+#### 3️⃣ **Su AlmaLinux - Pull & Deploy**
+```bash
+# SSH su ids.alfacom.it
+ssh root@ids.alfacom.it
+
+# Pull ultimi cambiamenti
+cd /opt/ids
+./update_from_git.sh
+
+# Riavvia ML Backend per applicare fix
+sudo systemctl restart ids-ml-backend
+
+# Verifica servizio attivo
+systemctl status ids-ml-backend
+
+# Verifica API risponde
+curl http://localhost:8000/health
+```
+
+#### 4️⃣ **Test Blocco IP**
+```bash
+# Dalla dashboard web: https://ids.alfacom.it/routers
+# 1. Verifica router configurati
+# 2. Clicca "Test Connessione" su router 185.203.24.2
+# 3. Dovrebbe mostrare ✅ "Connessione OK"
+
+# Dalla dashboard detections:
+# 1. Seleziona detection con score >= 80
+# 2. Clicca "Blocca IP"
+# 3. Verifica blocco su router
+```
+
+---
+
+## 🔧 TROUBLESHOOTING
+
+### Connessione Ancora Fallisce?
+
+#### A. Verifica Servizio WWW su Router
+
+**REST API usa servizio `www` (porta 80) o `www-ssl` (porta 443)**:
+
+```bash
+# Sul router MikroTik (via Winbox/SSH)
+/ip service print
+
+# Verifica che www sia enabled:
+# 0  www         80   *       ← REST API HTTP
+# 1  www-ssl    443   *       ← REST API HTTPS
+```
+
+**Fix su MikroTik**:
+```bash
+# Abilita servizio www per REST API
+/ip service enable www
+/ip service set www port=80 address=0.0.0.0/0
+
+# O con SSL (porta 443)
+/ip service enable www-ssl
+/ip service set www-ssl port=443
+```
+
+**NOTA**: `api` (porta 8728) è **API Binary**, NON REST!
+
+#### B. Verifica Firewall AlmaLinux
+```bash
+# Su AlmaLinux - consenti traffico verso router
+sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="185.203.24.2" port protocol="tcp" port="8728" accept'
+sudo firewall-cmd --reload
+```
+
+#### C. Test Connessione Raw
+```bash
+# Test TCP connessione porta 80
+telnet 185.203.24.2 80
+
+# Test REST API con curl
+curl -v http://185.203.24.2:80/rest/system/identity \
+  -u admin:password \
+  --max-time 5
+
+# Output atteso:
+# {"name":"AlfaBit"}
+```
+
+**Se timeout**: Servizio `www` non abilitato sul router
+
+#### D. Credenziali Errate?
+```sql
+-- Verifica credenziali nel database
+psql $DATABASE_URL -c "SELECT name, ip_address, username FROM routers WHERE ip_address = '185.203.24.2';"
+
+-- Se password errata, aggiorna:
+-- UPDATE routers SET password = 'nuova_password' WHERE ip_address = '185.203.24.2';
+```
+
+---
+
+## ✅ VERIFICA FINALE
+
+Dopo il deployment, verifica che:
+
+1. **ML Backend attivo**:
+   ```bash
+   systemctl status ids-ml-backend  # must be "active (running)"
+   ```
+
+2. **API risponde**:
+   ```bash
+   curl http://localhost:8000/health
+   # {"status":"healthy","database":"connected",...}
+   ```
+
+3. **Auto-blocking funziona**:
+   ```bash
+   # Controlla log auto-blocking
+   journalctl -u ids-auto-block.timer -n 50
+   ```
+
+4. **IP bloccati su router**:
+   - Dashboard: https://ids.alfacom.it/detections
+   - Filtra: "Bloccati"
+   - Verifica badge verde "Bloccato" visibile
+
+---
+
+## 📊 CONFIGURAZIONE CORRETTA
+
+| Parametro | Valore (RouterOS >= 7.1) | Note |
+|-----------|--------------------------|------|
+| **api_port** | **80** (HTTP) o **443** (HTTPS) | ✅ REST API |
+| **Servizio Router** | `www` (HTTP) o `www-ssl` (HTTPS) | Abilita su MikroTik |
+| **Endpoint** | `/rest/system/identity` | Test connessione |
+| **Endpoint** | `/rest/ip/firewall/address-list` | Gestione blocchi |
+| **Auth** | Basic (username:password base64) | Header Authorization |
+| **Verify SSL** | False | Self-signed certs OK |
+
+---
+
+## 🎯 RIEPILOGO
+
+### ❌ ERRATO (API Binary - Timeout)
+```bash
+# Porta 8728 usa protocollo BINARIO, non HTTP REST
+curl http://185.203.24.2:8728/rest/...
+# Timeout: protocollo incompatibile
+```
+
+### ✅ CORRETTO (API REST - Funziona)
+```bash
+# Porta 80 usa protocollo HTTP REST standard
+curl http://185.203.24.2:80/rest/system/identity \
+  -u admin:password
+
+# Output: {"name":"AlfaBit"}
+```
+
+**Database configurato**:
+```sql
+-- Router Alfabit configurato con porta 80
+SELECT name, ip_address, api_port FROM routers;
+-- Alfabit | 185.203.24.2 | 80
+```
+
+---
+
+## 📝 CHANGELOG
+
+**25 Novembre 2024**:
+1. ✅ Identificato problema: porta 8728 = API Binary (non HTTP)
+2. ✅ Verificato RouterOS 7.14.2 supporta REST API
+3. ✅ Configurato router con porta 80 (REST API HTTP)
+4. ✅ Test curl manuale: `{"name":"AlfaBit"}` ✅
+5. ✅ Router inserito in database con porta 80
+
+**Test richiesto**: `python3 test_mikrotik_connection.py`
+
+**Versione**: IDS 2.0.0 (Hybrid Detector)  
+**RouterOS**: 7.14.2 (stable)  
+**API Type**: REST (HTTP porta 80)

attached_assets/Pasted--AGGIORNAMENTO-COMPLETATO--1763997526366_1763997526366.txt

@@ -0,0 +1,55 @@
+
+╔═══════════════════════════════════════════════╗
+║   ✅ AGGIORNAMENTO COMPLETATO                 ║
+╚═══════════════════════════════════════════════╝
+
+📋 VERIFICA SISTEMA:
+   • Log backend:  tail -f /var/log/ids/backend.log
+   • Log frontend: tail -f /var/log/ids/frontend.log
+   • API backend:  curl http://localhost:8000/health
+   • Frontend:     curl http://localhost:5000
+
+📊 STATO SERVIZI:
+root       20860  0.0  0.0  18344  6400 pts/3    S+   Nov22   0:00 sudo tail -f /var/log/ids/syslog_parser.log
+root       20862  0.0  0.0   3088  1536 pts/3    S+   Nov22   0:02 tail -f /var/log/ids/syslog_parser.log
+ids        64096  4.0  1.8 1394944 291304 ?      Ssl  12:12   9:44 /opt/ids/python_ml/venv/bin/python3 main.py
+ids        64102 16.0  0.1  52084 19456 ?        Ss   12:12  38:36 /opt/ids/python_ml/venv/bin/python3 syslog_parser.py
+root       69074  0.0  0.2 731152 33612 pts/0    Rl+  16:13   0:00 /usr/bin/node /usr/bin/npm run dev
+
+[root@ids ids]# sudo /opt/ids/deployment/setup_analytics_timer.sh
+╔═══════════════════════════════════════════════╗
+║   IDS Analytics Timer Setup                  ║
+╚═══════════════════════════════════════════════╝
+
+📋 Copia file systemd...
+🔄 Reload systemd daemon...
+⚙  Enable e start timer...
+
+📊 Stato timer:
+● ids-analytics-aggregator.timer - IDS Analytics Aggregation Timer - Runs every hour
+     Loaded: loaded (/etc/systemd/system/ids-analytics-aggregator.timer; enabled; preset: disabled)
+     Active: active (waiting) since Mon 2025-11-24 12:13:35 CET; 4h 3min ago
+      Until: Mon 2025-11-24 12:13:35 CET; 4h 3min ago
+    Trigger: Mon 2025-11-24 17:05:00 CET; 47min left
+   Triggers: ● ids-analytics-aggregator.service
+
+Nov 24 12:13:35 ids.alfacom.it systemd[1]: Stopped IDS Analytics Aggregation Timer - Runs every hour.
+Nov 24 12:13:35 ids.alfacom.it systemd[1]: Stopping IDS Analytics Aggregation Timer - Runs every hour...
+Nov 24 12:13:35 ids.alfacom.it systemd[1]: Started IDS Analytics Aggregation Timer - Runs every hour.
+
+📅 Prossime esecuzioni:
+NEXT                        LEFT       LAST                        PASSED    UNIT                           ACTIVATES
+Mon 2025-11-24 17:05:00 CET 47min left Mon 2025-11-24 16:05:01 CET 12min ago ids-analytics-aggregator.timer ids-analytics-aggregator.service
+
+1 timers listed.
+Pass --all to see loaded but inactive timers, too.
+
+╔═══════════════════════════════════════════════╗
+║   ✅ ANALYTICS TIMER CONFIGURATO              ║
+╚═══════════════════════════════════════════════╝
+
+📝 Comandi utili:
+   Stato timer:        sudo systemctl status ids-analytics-aggregator.timer
+   Prossime run:       sudo systemctl list-timers
+   Log aggregazione:   sudo journalctl -u ids-analytics-aggregator -f
+   Test manuale:       sudo systemctl start ids-analytics-aggregator

attached_assets/Pasted--Aggiornamento-dipendenze-Python-Defaulting-to-user-installation-because-normal-site-packages--1764002209926_1764002209926.txt

@@ -0,0 +1,43 @@
+
+📦 Aggiornamento dipendenze Python...
+Defaulting to user installation because normal site-packages is not writeable
+Requirement already satisfied: fastapi==0.104.1 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 1)) (0.104.1)
+Requirement already satisfied: uvicorn==0.24.0 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 2)) (0.24.0)
+Requirement already satisfied: pandas==2.1.3 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 3)) (2.1.3)
+Requirement already satisfied: numpy==1.26.2 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 4)) (1.26.2)
+Requirement already satisfied: scikit-learn==1.3.2 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 5)) (1.3.2)
+Requirement already satisfied: psycopg2-binary==2.9.9 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 6)) (2.9.9)
+Requirement already satisfied: python-dotenv==1.0.0 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 7)) (1.0.0)
+Requirement already satisfied: pydantic==2.5.0 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 8)) (2.5.0)
+Requirement already satisfied: httpx==0.25.1 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 9)) (0.25.1)
+Collecting Cython==3.0.5
+  Downloading Cython-3.0.5-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (3.6 MB)
+     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 3.6/3.6 MB 8.9 MB/s eta 0:00:00
+Collecting xgboost==2.0.3
+  Using cached xgboost-2.0.3-py3-none-manylinux2014_x86_64.whl (297.1 MB)
+Collecting joblib==1.3.2
+  Using cached joblib-1.3.2-py3-none-any.whl (302 kB)
+Collecting eif==2.0.2
+  Using cached eif-2.0.2.tar.gz (1.6 MB)
+  Preparing metadata (setup.py) ... error
+  error: subprocess-exited-with-error
+
+  × python setup.py egg_info did not run successfully.
+  │ exit code: 1
+  ╰─> [6 lines of output]
+      Traceback (most recent call last):
+        File "<string>", line 2, in <module>
+        File "<pip-setuptools-caller>", line 34, in <module>
+        File "/tmp/pip-install-843eies2/eif_72b54a0861444b02867269ed1670c0ce/setup.py", line 4, in <module>
+          from Cython.Distutils import build_ext
+      ModuleNotFoundError: No module named 'Cython'
+      [end of output]
+
+  note: This error originates from a subprocess, and is likely not a problem with pip.
+error: metadata-generation-failed
+
+× Encountered error while generating package metadata.
+╰─> See above for output.
+
+note: This is an issue with the package mentioned above, not pip.
+hint: See above for details.

attached_assets/Pasted--Found-existing-installation-joblib-1-5-2-Uninstalling-joblib-1-5-2-Successfully-unin-1763805718013_1763805718013.txt

@@ -0,0 +1,179 @@
+    Found existing installation: joblib 1.5.2
+    Uninstalling joblib-1.5.2:
+      Successfully uninstalled joblib-1.5.2
+Successfully installed joblib-1.3.2
+✅ Dipendenze Python installate
+ Impostazione permessi...
+
+ Verifica installazione:
+✅ FastAPI: 0.104.1
+✅ Uvicorn: 0.24.0
+✅ Scikit-learn: 1.3.2
+✅ Pandas: 2.1.3
+✅ HTTPX: 0.25.1
+✅ Joblib: 1.3.2
+
+╔═══════════════════════════════════════════════╗
+║   ✅ DIPENDENZE PYTHON INSTALLATE             ║
+╚═══════════════════════════════════════════════╝
+
+ NOTA:
+   Il virtual environment è in: /opt/ids/python_ml/venv
+   I systemd services useranno automaticamente questo venv
+
+[root@ids ids]# sudo systemctl restart ids-ml-backend
+[root@ids ids]# sudo systemctl status ids-ml-backend
+● ids-ml-backend.service - IDS ML Backend (FastAPI)
+     Loaded: loaded (/etc/systemd/system/ids-ml-backend.service; enabled; preset: disabled)
+     Active: activating (auto-restart) (Result: exit-code) since Sat 2025-11-22 11:00:28 CET; 5s ago
+    Process: 16204 ExecStart=/opt/ids/python_ml/venv/bin/python3 main.py (code=exited, status=1/FAILURE)
+   Main PID: 16204 (code=exited, status=1/FAILURE)
+        CPU: 3.933s
+[root@ids ids]# sudo systemctl status ids-ml-backend
+● ids-ml-backend.service - IDS ML Backend (FastAPI)
+     Loaded: loaded (/etc/systemd/system/ids-ml-backend.service; enabled; preset: disabled)
+     Active: activating (auto-restart) (Result: exit-code) since Sat 2025-11-22 11:00:28 CET; 7s ago
+    Process: 16204 ExecStart=/opt/ids/python_ml/venv/bin/python3 main.py (code=exited, status=1/FAILURE)
+   Main PID: 16204 (code=exited, status=1/FAILURE)
+        CPU: 3.933s
+[root@ids ids]# tail -30 /var/log/ids/ml_backend.log
+    from fastapi import FastAPI, HTTPException, BackgroundTasks, Security, Header
+ModuleNotFoundError: No module named 'fastapi'
+Traceback (most recent call last):
+  File "/opt/ids/python_ml/main.py", line 12, in <module>
+    import pandas as pd
+ModuleNotFoundError: No module named 'pandas'
+Traceback (most recent call last):
+  File "/opt/ids/python_ml/main.py", line 20, in <module>
+    from ml_analyzer import MLAnalyzer
+  File "/opt/ids/python_ml/ml_analyzer.py", line 8, in <module>
+    from sklearn.ensemble import IsolationForest
+ModuleNotFoundError: No module named 'sklearn'
+INFO:     Started server process [16144]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+ERROR:    [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
+INFO:     Waiting for application shutdown.
+INFO:     Application shutdown complete.
+[LOAD] Modello caricato da models
+ Starting IDS API on http://0.0.0.0:8000
+ Docs available at http://0.0.0.0:8000/docs
+INFO:     Started server process [16204]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+ERROR:    [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
+INFO:     Waiting for application shutdown.
+INFO:     Application shutdown complete.
+[LOAD] Modello caricato da models
+ Starting IDS API on http://0.0.0.0:8000
+ Docs available at http://0.0.0.0:8000/docs
+[root@ids ids]# sudo systemctl status ids-ml-backend
+● ids-ml-backend.service - IDS ML Backend (FastAPI)
+     Loaded: loaded (/etc/systemd/system/ids-ml-backend.service; enabled; preset: disabled)
+     Active: active (running) since Sat 2025-11-22 11:01:03 CET; 1s ago
+   Main PID: 16291 (python3)
+      Tasks: 15 (limit: 100409)
+     Memory: 100.2M (max: 2.0G available: 1.9G)
+        CPU: 3.101s
+     CGroup: /system.slice/ids-ml-backend.service
+             └─16291 /opt/ids/python_ml/venv/bin/python3 main.py
+
+Nov 22 11:01:03 ids.alfacom.it systemd[1]: Started IDS ML Backend (FastAPI).
+[root@ids ids]# sudo systemctl status ids-ml-backend
+● ids-ml-backend.service - IDS ML Backend (FastAPI)
+     Loaded: loaded (/etc/systemd/system/ids-ml-backend.service; enabled; preset: disabled)
+     Active: activating (auto-restart) (Result: exit-code) since Sat 2025-11-22 11:01:05 CET; 9s ago
+    Process: 16291 ExecStart=/opt/ids/python_ml/venv/bin/python3 main.py (code=exited, status=1/FAILURE)
+   Main PID: 16291 (code=exited, status=1/FAILURE)
+        CPU: 3.804s
+[root@ids ids]# sudo systemctl status ids-ml-backend
+● ids-ml-backend.service - IDS ML Backend (FastAPI)
+     Loaded: loaded (/etc/systemd/system/ids-ml-backend.service; enabled; preset: disabled)
+     Active: activating (auto-restart) (Result: exit-code) since Sat 2025-11-22 11:01:17 CET; 251ms ago
+    Process: 16321 ExecStart=/opt/ids/python_ml/venv/bin/python3 main.py (code=exited, status=1/FAILURE)
+   Main PID: 16321 (code=exited, status=1/FAILURE)
+        CPU: 3.840s
+[root@ids ids]# tail -30 /var/log/ids/ml_backend.log
+[LOAD] Modello caricato da models
+ Starting IDS API on http://0.0.0.0:8000
+ Docs available at http://0.0.0.0:8000/docs
+INFO:     Started server process [16257]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+ERROR:    [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
+INFO:     Waiting for application shutdown.
+INFO:     Application shutdown complete.
+[LOAD] Modello caricato da models
+ Starting IDS API on http://0.0.0.0:8000
+ Docs available at http://0.0.0.0:8000/docs
+INFO:     Started server process [16291]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+ERROR:    [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
+INFO:     Waiting for application shutdown.
+INFO:     Application shutdown complete.
+[LOAD] Modello caricato da models
+ Starting IDS API on http://0.0.0.0:8000
+ Docs available at http://0.0.0.0:8000/docs
+INFO:     Started server process [16321]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+ERROR:    [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
+INFO:     Waiting for application shutdown.
+INFO:     Application shutdown complete.
+[LOAD] Modello caricato da models
+ Starting IDS API on http://0.0.0.0:8000
+ Docs available at http://0.0.0.0:8000/docs
+[root@ids ids]# sudo systemctl status ids-ml-backend
+● ids-ml-backend.service - IDS ML Backend (FastAPI)
+     Loaded: loaded (/etc/systemd/system/ids-ml-backend.service; enabled; preset: disabled)
+     Active: active (running) since Sat 2025-11-22 11:01:27 CET; 2s ago
+   Main PID: 16348 (python3)
+      Tasks: 19 (limit: 100409)
+     Memory: 118.4M (max: 2.0G available: 1.8G)
+        CPU: 3.872s
+     CGroup: /system.slice/ids-ml-backend.service
+             └─16348 /opt/ids/python_ml/venv/bin/python3 main.py
+
+Nov 22 11:01:27 ids.alfacom.it systemd[1]: Started IDS ML Backend (FastAPI).
+[root@ids ids]# sudo systemctl status ids-ml-backend
+● ids-ml-backend.service - IDS ML Backend (FastAPI)
+     Loaded: loaded (/etc/systemd/system/ids-ml-backend.service; enabled; preset: disabled)
+     Active: activating (auto-restart) (Result: exit-code) since Sat 2025-11-22 11:01:30 CET; 4s ago
+    Process: 16348 ExecStart=/opt/ids/python_ml/venv/bin/python3 main.py (code=exited, status=1/FAILURE)
+   Main PID: 16348 (code=exited, status=1/FAILURE)
+        CPU: 3.911s
+
+Nov 22 11:01:30 ids.alfacom.it systemd[1]: ids-ml-backend.service: Failed with result 'exit-code'.
+Nov 22 11:01:30 ids.alfacom.it systemd[1]: ids-ml-backend.service: Consumed 3.911s CPU time.
+[root@ids ids]# tail -30 /var/log/ids/ml_backend.log
+[LOAD] Modello caricato da models
+🚀 Starting IDS API on http://0.0.0.0:8000
+📚 Docs available at http://0.0.0.0:8000/docs
+INFO:     Started server process [16291]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+ERROR:    [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
+INFO:     Waiting for application shutdown.
+INFO:     Application shutdown complete.
+[LOAD] Modello caricato da models
+🚀 Starting IDS API on http://0.0.0.0:8000
+📚 Docs available at http://0.0.0.0:8000/docs
+INFO:     Started server process [16321]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+ERROR:    [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
+INFO:     Waiting for application shutdown.
+INFO:     Application shutdown complete.
+[LOAD] Modello caricato da models
+🚀 Starting IDS API on http://0.0.0.0:8000
+📚 Docs available at http://0.0.0.0:8000/docs
+INFO:     Started server process [16348]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+ERROR:    [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
+INFO:     Waiting for application shutdown.
+INFO:     Application shutdown complete.
+[LOAD] Modello caricato da models
+🚀 Starting IDS API on http://0.0.0.0:8000
+📚 Docs available at http://0.0.0.0:8000/docs

attached_assets/Pasted--Status-Servizi-ids-ml-backend-service-IDS-ML-Backend-FastAPI-Loaded-loaded-etc-sys-1763805400723_1763805400723.txt

@@ -0,0 +1,124 @@
+
+ Status Servizi:
+● ids-ml-backend.service - IDS ML Backend (FastAPI)
+     Loaded: loaded (/etc/systemd/system/ids-ml-backend.service; enabled; preset: disabled)
+     Active: activating (auto-restart) (Result: exit-code) since Sat 2025-11-22 10:55:17 CET; 348ms ago
+    Process: 15380 ExecStart=/opt/ids/python_ml/venv/bin/python3 main.py (code=exited, status=1/FAILURE)
+   Main PID: 15380 (code=exited, status=1/FAILURE)
+        CPU: 3.435s
+
+● ids-syslog-parser.service - IDS Syslog Parser (Network Logs Processor)
+     Loaded: loaded (/etc/systemd/system/ids-syslog-parser.service; enabled; preset: disabled)
+     Active: active (running) since Sat 2025-11-22 10:55:15 CET; 2s ago
+   Main PID: 15405 (python3)
+      Tasks: 1 (limit: 100409)
+     Memory: 10.7M (max: 1.0G available: 1013.2M)
+        CPU: 324ms
+     CGroup: /system.slice/ids-syslog-parser.service
+             └─15405 /opt/ids/python_ml/venv/bin/python3 syslog_parser.py
+
+
+╔═══════════════════════════════════════════════╗
+║   ✅ SYSTEMD SERVICES CONFIGURATI              ║
+╚═══════════════════════════════════════════════╝
+
+ COMANDI UTILI:
+   systemctl status ids-ml-backend       - Status ML Backend
+   systemctl status ids-syslog-parser    - Status Syslog Parser
+   systemctl restart ids-ml-backend      - Restart ML Backend
+   systemctl restart ids-syslog-parser   - Restart Syslog Parser
+   journalctl -u ids-ml-backend -f       - Log ML Backend
+   journalctl -u ids-syslog-parser -f    - Log Syslog Parser
+
+[root@ids ids]# # Verifica status servizi
+systemctl status ids-ml-backend
+systemctl status ids-syslog-parser
+
+# Entrambi dovrebbero mostrare "Active: active (running)"
+● ids-ml-backend.service - IDS ML Backend (FastAPI)
+     Loaded: loaded (/etc/systemd/system/ids-ml-backend.service; enabled; preset: disabled)
+     Active: activating (auto-restart) (Result: exit-code) since Sat 2025-11-22 10:55:17 CET; 4s ago
+    Process: 15380 ExecStart=/opt/ids/python_ml/venv/bin/python3 main.py (code=exited, status=1/FAILURE)
+   Main PID: 15380 (code=exited, status=1/FAILURE)
+        CPU: 3.435s
+● ids-syslog-parser.service - IDS Syslog Parser (Network Logs Processor)
+     Loaded: loaded (/etc/systemd/system/ids-syslog-parser.service; enabled; preset: disabled)
+     Active: active (running) since Sat 2025-11-22 10:55:15 CET; 5s ago
+   Main PID: 15405 (python3)
+      Tasks: 1 (limit: 100409)
+     Memory: 10.7M (max: 1.0G available: 1013.2M)
+        CPU: 627ms
+     CGroup: /system.slice/ids-syslog-parser.service
+             └─15405 /opt/ids/python_ml/venv/bin/python3 syslog_parser.py
+
+Nov 22 10:55:15 ids.alfacom.it systemd[1]: Started IDS Syslog Parser (Network Logs Processor).
+[root@ids ids]# systemctl status ids-syslog-parser
+● ids-syslog-parser.service - IDS Syslog Parser (Network Logs Processor)
+     Loaded: loaded (/etc/systemd/system/ids-syslog-parser.service; enabled; preset: disabled)
+     Active: active (running) since Sat 2025-11-22 10:55:15 CET; 14s ago
+   Main PID: 15405 (python3)
+      Tasks: 1 (limit: 100409)
+     Memory: 10.8M (max: 1.0G available: 1013.1M)
+        CPU: 1.268s
+     CGroup: /system.slice/ids-syslog-parser.service
+             └─15405 /opt/ids/python_ml/venv/bin/python3 syslog_parser.py
+
+Nov 22 10:55:15 ids.alfacom.it systemd[1]: Started IDS Syslog Parser (Network Logs Processor).
+[root@ids ids]# systemctl status ids-ml-backend
+● ids-ml-backend.service - IDS ML Backend (FastAPI)
+     Loaded: loaded (/etc/systemd/system/ids-ml-backend.service; enabled; preset: disabled)
+     Active: activating (auto-restart) (Result: exit-code) since Sat 2025-11-22 10:55:29 CET; 7s ago
+    Process: 15441 ExecStart=/opt/ids/python_ml/venv/bin/python3 main.py (code=exited, status=1/FAILURE)
+   Main PID: 15441 (code=exited, status=1/FAILURE)
+        CPU: 3.642s
+[root@ids ids]# systemctl restart ids-ml-backend
+[root@ids ids]# systemctl status ids-ml-backend
+● ids-ml-backend.service - IDS ML Backend (FastAPI)
+     Loaded: loaded (/etc/systemd/system/ids-ml-backend.service; enabled; preset: disabled)
+     Active: active (running) since Sat 2025-11-22 10:55:48 CET; 1s ago
+   Main PID: 15482 (python3)
+      Tasks: 15 (limit: 100409)
+     Memory: 110.1M (max: 2.0G available: 1.8G)
+        CPU: 3.357s
+     CGroup: /system.slice/ids-ml-backend.service
+             └─15482 /opt/ids/python_ml/venv/bin/python3 main.py
+
+Nov 22 10:55:48 ids.alfacom.it systemd[1]: Started IDS ML Backend (FastAPI).
+[root@ids ids]# systemctl status ids-ml-backend
+● ids-ml-backend.service - IDS ML Backend (FastAPI)
+     Loaded: loaded (/etc/systemd/system/ids-ml-backend.service; enabled; preset: disabled)
+     Active: activating (auto-restart) (Result: exit-code) since Sat 2025-11-22 10:55:50 CET; 3s ago
+    Process: 15482 ExecStart=/opt/ids/python_ml/venv/bin/python3 main.py (code=exited, status=1/FAILURE)
+   Main PID: 15482 (code=exited, status=1/FAILURE)
+        CPU: 3.607s
+[root@ids ids]# tail -30 /var/log/ids/ml_backend.log
+Traceback (most recent call last):
+  File "/opt/ids/python_ml/main.py", line 21, in <module>
+    from mikrotik_manager import MikroTikManager
+  File "/opt/ids/python_ml/mikrotik_manager.py", line 6, in <module>
+    import httpx
+ModuleNotFoundError: No module named 'httpx'
+Traceback (most recent call last):
+  File "/opt/ids/python_ml/main.py", line 21, in <module>
+    from mikrotik_manager import MikroTikManager
+  File "/opt/ids/python_ml/mikrotik_manager.py", line 6, in <module>
+    import httpx
+ModuleNotFoundError: No module named 'httpx'
+Traceback (most recent call last):
+  File "/opt/ids/python_ml/main.py", line 21, in <module>
+    from mikrotik_manager import MikroTikManager
+  File "/opt/ids/python_ml/mikrotik_manager.py", line 6, in <module>
+    import httpx
+ModuleNotFoundError: No module named 'httpx'
+Traceback (most recent call last):
+  File "/opt/ids/python_ml/main.py", line 21, in <module>
+    from mikrotik_manager import MikroTikManager
+  File "/opt/ids/python_ml/mikrotik_manager.py", line 6, in <module>
+    import httpx
+ModuleNotFoundError: No module named 'httpx'
+Traceback (most recent call last):
+  File "/opt/ids/python_ml/main.py", line 21, in <module>
+    from mikrotik_manager import MikroTikManager
+  File "/opt/ids/python_ml/mikrotik_manager.py", line 6, in <module>
+    import httpx
+ModuleNotFoundError: No module named 'httpx'

attached_assets/Pasted--deployment-install-ml-deps-sh-INSTALLAZIONE--1764003947190_1764003947190.txt

@@ -0,0 +1,60 @@
+./deployment/install_ml_deps.sh
+╔═══════════════════════════════════════════════╗
+║   INSTALLAZIONE DIPENDENZE ML HYBRID        ║
+╚═══════════════════════════════════════════════╝
+
+ Directory corrente: /opt/ids/python_ml
+
+ Attivazione virtual environment...
+ Python in uso: /opt/ids/python_ml/venv/bin/python
+
+📦 Step 1/3: Installazione build dependencies (Cython + numpy)...
+Collecting Cython==3.0.5
+  Downloading Cython-3.0.5-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (3.2 kB)
+Downloading Cython-3.0.5-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (3.6 MB)
+   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 3.6/3.6 MB 59.8 MB/s  0:00:00
+Installing collected packages: Cython
+Successfully installed Cython-3.0.5
+✅ Cython installato con successo
+
+📦 Step 2/3: Verifica numpy disponibile...
+✅ numpy 1.26.2 già installato
+
+📦 Step 3/3: Installazione dipendenze ML (xgboost, joblib, eif)...
+Collecting xgboost==2.0.3
+  Downloading xgboost-2.0.3-py3-none-manylinux2014_x86_64.whl.metadata (2.0 kB)
+Requirement already satisfied: joblib==1.3.2 in ./venv/lib64/python3.11/site-packages (1.3.2)
+Collecting eif==2.0.2
+  Downloading eif-2.0.2.tar.gz (1.6 MB)
+     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.6/1.6 MB 6.7 MB/s  0:00:00
+  Installing build dependencies ... done
+  Getting requirements to build wheel ... error
+  error: subprocess-exited-with-error
+
+  × Getting requirements to build wheel did not run successfully.
+  │ exit code: 1
+  ╰─> [20 lines of output]
+      Traceback (most recent call last):
+        File "/opt/ids/python_ml/venv/lib64/python3.11/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 389, in <module>
+          main()
+        File "/opt/ids/python_ml/venv/lib64/python3.11/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 373, in main
+          json_out["return_val"] = hook(**hook_input["kwargs"])
+                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+        File "/opt/ids/python_ml/venv/lib64/python3.11/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 143, in get_requires_for_build_wheel
+          return hook(config_settings)
+                 ^^^^^^^^^^^^^^^^^^^^^
+        File "/tmp/pip-build-env-9buits4u/overlay/lib/python3.11/site-packages/setuptools/build_meta.py", line 331, in get_requires_for_build_wheel
+          return self._get_build_requires(config_settings, requirements=[])
+                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+        File "/tmp/pip-build-env-9buits4u/overlay/lib/python3.11/site-packages/setuptools/build_meta.py", line 301, in _get_build_requires
+          self.run_setup()
+        File "/tmp/pip-build-env-9buits4u/overlay/lib/python3.11/site-packages/setuptools/build_meta.py", line 512, in run_setup
+          super().run_setup(setup_script=setup_script)
+        File "/tmp/pip-build-env-9buits4u/overlay/lib/python3.11/site-packages/setuptools/build_meta.py", line 317, in run_setup
+          exec(code, locals())
+        File "<string>", line 3, in <module>
+      ModuleNotFoundError: No module named 'numpy'
+      [end of output]
+
+  note: This error originates from a subprocess, and is likely not a problem with pip.
+ERROR: Failed to build 'eif' when getting requirements to build wheel

attached_assets/Pasted--deployment-install-ml-deps-sh-INSTALLAZIONE-1764003628537_1764003628537.txt

@@ -0,0 +1,40 @@
+ ./deployment/install_ml_deps.sh
+╔═══════════════════════════════════════════════╗
+║   INSTALLAZIONE DIPENDENZE ML HYBRID        ║
+╚═══════════════════════════════════════════════╝
+
+📍 Directory corrente: /opt/ids/python_ml
+
+📦 Step 1/2: Installazione Cython (richiesto per compilare eif)...
+Collecting Cython==3.0.5
+  Downloading Cython-3.0.5-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (3.6 MB)
+     |████████████████████████████████| 3.6 MB 6.2 MB/s
+Installing collected packages: Cython
+Successfully installed Cython-3.0.5
+WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
+✅ Cython installato con successo
+
+📦 Step 2/2: Installazione dipendenze ML (xgboost, joblib, eif)...
+Collecting xgboost==2.0.3
+  Downloading xgboost-2.0.3-py3-none-manylinux2014_x86_64.whl (297.1 MB)
+     |████████████████████████████████| 297.1 MB 13 kB/s
+Collecting joblib==1.3.2
+  Downloading joblib-1.3.2-py3-none-any.whl (302 kB)
+     |████████████████████████████████| 302 kB 41.7 MB/s
+Collecting eif==2.0.2
+  Downloading eif-2.0.2.tar.gz (1.6 MB)
+     |████████████████████████████████| 1.6 MB 59.4 MB/s
+  Preparing metadata (setup.py) ... error
+  ERROR: Command errored out with exit status 1:
+   command: /usr/bin/python3 -c 'import io, os, sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-xpd6jc3z/eif_1c539132fe1d4772ada0979407304392/setup.py'"'"'; __file__='"'"'/tmp/pip-install-xpd6jc3z/eif_1c539132fe1d4772ada0979407304392/setup.py'"'"';f = getattr(tokenize, '"'"'open'"'"', open)(__file__) if os.path.exists(__file__) else io.StringIO('"'"'from setuptools import setup; setup()'"'"');code = f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-lg0m0ish
+       cwd: /tmp/pip-install-xpd6jc3z/eif_1c539132fe1d4772ada0979407304392/
+  Complete output (5 lines):
+  Traceback (most recent call last):
+    File "<string>", line 1, in <module>
+    File "/tmp/pip-install-xpd6jc3z/eif_1c539132fe1d4772ada0979407304392/setup.py", line 3, in <module>
+      import numpy
+  ModuleNotFoundError: No module named 'numpy'
+  ----------------------------------------
+WARNING: Discarding https://files.pythonhosted.org/packages/83/b2/d87d869deeb192ab599c899b91a9ad1d3775d04f5b7adcaf7ff6daa54c24/eif-2.0.2.tar.gz#sha256=86e2c98caf530ae73d8bc7153c1bf6b9684c905c9dfc7bdab280846ada1e45ab (from https://pypi.org/simple/eif/). Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
+ERROR: Could not find a version that satisfies the requirement eif==2.0.2 (from versions: 1.0.0, 1.0.1, 1.0.2, 2.0.2)
+ERROR: No matching distribution found for eif==2.0.2

attached_assets/Pasted--deployment-run-analytics-sh-hourly-Esecuzione-aggregazione-hourly-ANALYTICS-Aggregazione-or-1763978174308_1763978174308.txt

@@ -0,0 +1,254 @@
+./deployment/run_analytics.sh hourly
+ Esecuzione aggregazione hourly...
+[ANALYTICS] Aggregazione oraria: 2025-11-24 09:00
+[ANALYTICS] ✅ Aggregazione completata:
+  - Totale: 7182065 pacchetti, 27409 IP unici
+  - Normale: 6922072 pacchetti (96%)
+  - Attacchi: 259993 pacchetti (3%), 15 IP
+✅ Aggregazione hourly completata!
+[root@ids ids]# ./deployment/restart_frontend.sh
+ Restart Frontend Node.js...
+⏸  Stopping existing processes...
+ Starting frontend...
+❌ Errore: Frontend non avviato!
+ Controlla log: tail -f /var/log/ids/frontend.log
+[root@ids ids]# curl -s http://localhost:5000/api/analytics/recent?days=7&hourly=true | jq '. | length'
+[1] 59354
+[root@ids ids]# echo "=== DIAGNOSTICA IDS ANALYTICS ===" > /tmp/ids_diagnostic.txtxt
+echo "" >> /tmp/ids_diagnostic.txt
+[1]+  Done                    curl -s http://localhost:5000/api/analytics/recent?days=7
+[root@ids ids]# tail -f /var/log/ids/frontend.log
+[Mon Nov 24 10:15:13 CET 2025] Frontend Node NON attivo, riavvio...
+[Mon Nov 24 10:15:15 CET 2025] Frontend riavviato con PID: 59307
+
+> rest-express@1.0.0 dev
+> NODE_ENV=development tsx server/index.ts
+
+ Using standard PostgreSQL database
+10:15:17 AM [express] serving on port 5000
+✅ Database connection successful
+10:15:34 AM [express] GET /api/analytics/recent 200 in 32ms :: []
+[Mon Nov 24 10:20:01 CET 2025] Frontend Node NON attivo, riavvio...
+[Mon Nov 24 10:20:03 CET 2025] Frontend riavviato con PID: 59406
+
+> rest-express@1.0.0 dev
+> NODE_ENV=development tsx server/index.ts
+
+ Using standard PostgreSQL database
+node:events:502
+      throw er; // Unhandled 'error' event
+      ^
+
+Error: listen EADDRINUSE: address already in use 0.0.0.0:5000
+    at Server.setupListenHandle [as _listen2] (node:net:1908:16)
+    at listenInCluster (node:net:1965:12)
+    at doListen (node:net:2139:7)
+    at process.processTicksAndRejections (node:internal/process/task_queues:83:21)
+Emitted 'error' event on Server instance at:
+    at emitErrorNT (node:net:1944:8)
+    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
+  code: 'EADDRINUSE',
+  errno: -98,
+  syscall: 'listen',
+  address: '0.0.0.0',
+  port: 5000
+}
+
+Node.js v20.19.5
+[Mon Nov 24 10:25:02 CET 2025] Frontend Node NON attivo, riavvio...
+[Mon Nov 24 10:25:04 CET 2025] Frontend riavviato con PID: 59511
+
+> rest-express@1.0.0 dev
+> NODE_ENV=development tsx server/index.ts
+
+ Using standard PostgreSQL database
+node:events:502
+      throw er; // Unhandled 'error' event
+      ^
+
+Error: listen EADDRINUSE: address already in use 0.0.0.0:5000
+    at Server.setupListenHandle [as _listen2] (node:net:1908:16)
+    at listenInCluster (node:net:1965:12)
+    at doListen (node:net:2139:7)
+    at process.processTicksAndRejections (node:internal/process/task_queues:83:21)
+Emitted 'error' event on Server instance at:
+    at emitErrorNT (node:net:1944:8)
+    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
+  code: 'EADDRINUSE',
+  errno: -98,
+  syscall: 'listen',
+  address: '0.0.0.0',
+  port: 5000
+}
+
+Node.js v20.19.5
+[Mon Nov 24 10:30:01 CET 2025] Frontend Node NON attivo, riavvio...
+[Mon Nov 24 10:30:03 CET 2025] Frontend riavviato con PID: 59618
+
+> rest-express@1.0.0 dev
+> NODE_ENV=development tsx server/index.ts
+
+ Using standard PostgreSQL database
+node:events:502
+      throw er; // Unhandled 'error' event
+      ^
+
+Error: listen EADDRINUSE: address already in use 0.0.0.0:5000
+    at Server.setupListenHandle [as _listen2] (node:net:1908:16)
+    at listenInCluster (node:net:1965:12)
+    at doListen (node:net:2139:7)
+    at process.processTicksAndRejections (node:internal/process/task_queues:83:21)
+Emitted 'error' event on Server instance at:
+    at emitErrorNT (node:net:1944:8)
+    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
+  code: 'EADDRINUSE',
+  errno: -98,
+  syscall: 'listen',
+  address: '0.0.0.0',
+  port: 5000
+}
+
+Node.js v20.19.5
+[Mon Nov 24 10:35:01 CET 2025] Frontend Node NON attivo, riavvio...
+[Mon Nov 24 10:35:03 CET 2025] Frontend riavviato con PID: 59725
+
+> rest-express@1.0.0 dev
+> NODE_ENV=development tsx server/index.ts
+
+ Using standard PostgreSQL database
+node:events:502
+      throw er; // Unhandled 'error' event
+      ^
+
+Error: listen EADDRINUSE: address already in use 0.0.0.0:5000
+    at Server.setupListenHandle [as _listen2] (node:net:1908:16)
+    at listenInCluster (node:net:1965:12)
+    at doListen (node:net:2139:7)
+    at process.processTicksAndRejections (node:internal/process/task_queues:83:21)
+Emitted 'error' event on Server instance at:
+    at emitErrorNT (node:net:1944:8)
+    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
+  code: 'EADDRINUSE',
+  errno: -98,
+  syscall: 'listen',
+  address: '0.0.0.0',
+  port: 5000
+}
+
+Node.js v20.19.5
+[Mon Nov 24 10:40:02 CET 2025] Frontend Node NON attivo, riavvio...
+[Mon Nov 24 10:40:04 CET 2025] Frontend riavviato con PID: 59831
+
+> rest-express@1.0.0 dev
+> NODE_ENV=development tsx server/index.ts
+
+ Using standard PostgreSQL database
+node:events:502
+      throw er; // Unhandled 'error' event
+      ^
+
+Error: listen EADDRINUSE: address already in use 0.0.0.0:5000
+    at Server.setupListenHandle [as _listen2] (node:net:1908:16)
+    at listenInCluster (node:net:1965:12)
+    at doListen (node:net:2139:7)
+    at process.processTicksAndRejections (node:internal/process/task_queues:83:21)
+Emitted 'error' event on Server instance at:
+    at emitErrorNT (node:net:1944:8)
+    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
+  code: 'EADDRINUSE',
+  errno: -98,
+  syscall: 'listen',
+  address: '0.0.0.0',
+  port: 5000
+}
+
+Node.js v20.19.5
+[Mon Nov 24 10:45:02 CET 2025] Frontend Node NON attivo, riavvio...
+[Mon Nov 24 10:45:04 CET 2025] Frontend riavviato con PID: 59935
+
+> rest-express@1.0.0 dev
+> NODE_ENV=development tsx server/index.ts
+
+ Using standard PostgreSQL database
+node:events:502
+      throw er; // Unhandled 'error' event
+      ^
+
+Error: listen EADDRINUSE: address already in use 0.0.0.0:5000
+    at Server.setupListenHandle [as _listen2] (node:net:1908:16)
+    at listenInCluster (node:net:1965:12)
+    at doListen (node:net:2139:7)
+    at process.processTicksAndRejections (node:internal/process/task_queues:83:21)
+Emitted 'error' event on Server instance at:
+    at emitErrorNT (node:net:1944:8)
+    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
+  code: 'EADDRINUSE',
+  errno: -98,
+  syscall: 'listen',
+  address: '0.0.0.0',
+  port: 5000
+}
+
+Node.js v20.19.5
+[Mon Nov 24 10:50:01 CET 2025] Frontend Node NON attivo, riavvio...
+[Mon Nov 24 10:50:03 CET 2025] Frontend riavviato con PID: 60044
+
+> rest-express@1.0.0 dev
+> NODE_ENV=development tsx server/index.ts
+
+ Using standard PostgreSQL database
+node:events:502
+      throw er; // Unhandled 'error' event
+      ^
+
+Error: listen EADDRINUSE: address already in use 0.0.0.0:5000
+    at Server.setupListenHandle [as _listen2] (node:net:1908:16)
+    at listenInCluster (node:net:1965:12)
+    at doListen (node:net:2139:7)
+    at process.processTicksAndRejections (node:internal/process/task_queues:83:21)
+Emitted 'error' event on Server instance at:
+    at emitErrorNT (node:net:1944:8)
+    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
+  code: 'EADDRINUSE',
+  errno: -98,
+  syscall: 'listen',
+  address: '0.0.0.0',
+  port: 5000
+}
+
+Node.js v20.19.5
+[Mon Nov 24 10:55:01 CET 2025] Frontend Node NON attivo, riavvio...
+[Mon Nov 24 10:55:03 CET 2025] Frontend riavviato con PID: 60151
+
+> rest-express@1.0.0 dev
+> NODE_ENV=development tsx server/index.ts
+
+
+A PostCSS plugin did not pass the `from` option to `postcss.parse`. This may cause imported assets to be incorrectly transformed. If you've recently added a PostCSS plugin that raised this warning, please contact the package author to fix the issue.
+🐘 Using standard PostgreSQL database
+node:events:502
+      throw er; // Unhandled 'error' event
+      ^
+
+Error: listen EADDRINUSE: address already in use 0.0.0.0:5000
+    at Server.setupListenHandle [as _listen2] (node:net:1908:16)
+    at listenInCluster (node:net:1965:12)
+    at doListen (node:net:2139:7)
+    at process.processTicksAndRejections (node:internal/process/task_queues:83:21)
+Emitted 'error' event on Server instance at:
+    at emitErrorNT (node:net:1944:8)
+    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
+  code: 'EADDRINUSE',
+  errno: -98,
+  syscall: 'listen',
+  address: '0.0.0.0',
+  port: 5000
+}
+
+Node.js v20.19.5
+10:55:06 AM [express] GET /api/logs/[object%20Object] 200 in 10ms
+10:55:06 AM [express] GET /api/detections 200 in 34ms :: [{"id":"5659c0b5-11df-4ebe-b73f-f53c64932953…
+10:55:08 AM [express] GET /api/analytics/recent/[object%20Object] 200 in 7ms
+10:55:11 AM [express] GET /api/analytics/recent/[object%20Object] 200 in 5ms
+10:55:12 AM [express] GET /api/analytics/recent/[object%20Object] 200 in 5ms
+                                                                                 

attached_assets/Pasted--deployment-train-hybrid-production-sh--1764007807845_1764007807845.txt

@@ -0,0 +1,54 @@
+ ./deployment/train_hybrid_production.sh
+=======================================================================
+  TRAINING HYBRID ML DETECTOR - DATI REALI
+=======================================================================
+
+📂 Caricamento credenziali database da .env...
+✅ Credenziali caricate:
+   Host: localhost
+   Port: 5432
+   Database: ids_database
+   User: ids_user
+   Password: ****** (nascosta)
+
+🎯 Parametri training:
+   Periodo: ultimi 7 giorni
+   Max records: 1000000
+
+🐍 Python: /opt/ids/python_ml/venv/bin/python
+
+📊 Verifica dati disponibili nel database...
+      primo_log      |     ultimo_log      | periodo_totale | totale_records
+---------------------+---------------------+----------------+----------------
+ 2025-11-22 10:03:21 | 2025-11-24 17:58:17 | 2 giorni       | 234,316,667
+(1 row)
+
+
+🚀 Avvio training...
+
+=======================================================================
+[WARNING] Extended Isolation Forest not available, using standard IF
+
+======================================================================
+  IDS HYBRID ML TRAINING - UNSUPERVISED MODE
+======================================================================
+[TRAIN] Loading last 7 days of real traffic from database...
+
+❌ Error: column "dest_ip" does not exist
+LINE 5:             dest_ip,
+                    ^
+
+Traceback (most recent call last):
+  File "/opt/ids/python_ml/train_hybrid.py", line 365, in main
+    train_unsupervised(args)
+  File "/opt/ids/python_ml/train_hybrid.py", line 91, in train_unsupervised
+    logs_df = train_on_real_traffic(db_config, days=args.days)
+              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/opt/ids/python_ml/train_hybrid.py", line 50, in train_on_real_traffic
+    cursor.execute(query, (days,))
+  File "/opt/ids/python_ml/venv/lib64/python3.11/site-packages/psycopg2/extras.py", line 236, in execute
+    return super().execute(query, vars)
+           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+psycopg2.errors.UndefinedColumn: column "dest_ip" does not exist
+LINE 5:             dest_ip,
+                    ^

attached_assets/Pasted--deployment-update-from-git-sh-db-AGGIO-1764002061583_1764002061583.txt

@@ -0,0 +1,101 @@
+ ./deployment/update_from_git.sh --db
+
+╔═══════════════════════════════════════════════╗
+║    AGGIORNAMENTO SISTEMA IDS DA GIT         ║
+╚═══════════════════════════════════════════════╝
+
+ Verifica configurazione git...
+
+ Backup configurazione locale...
+✅ .env salvato in .env.backup
+
+ Verifica modifiche locali...
+⚠  Ci sono modifiche locali non committate
+   Esegui 'git status' per vedere i dettagli
+Vuoi procedere comunque? (y/n) y
+   Salvo modifiche locali temporaneamente...
+No local changes to save
+
+ Download aggiornamenti da git.alfacom.it...
+remote: Enumerating objects: 21, done.
+remote: Counting objects: 100% (21/21), done.
+remote: Compressing objects: 100% (13/13), done.
+remote: Total 13 (delta 9), reused 0 (delta 0), pack-reused 0 (from 0)
+Unpacking objects: 100% (13/13), 3.37 KiB | 492.00 KiB/s, done.
+From https://git.alfacom.it/marco/ids.alfacom.it
+   3a945ec..152e226  main       -> origin/main
+ * [new tag]         v1.0.56    -> v1.0.56
+From https://git.alfacom.it/marco/ids.alfacom.it
+ * branch            main       -> FETCH_HEAD
+Updating 3a945ec..152e226
+Fast-forward
+ attached_assets/Pasted--deployment-update-from-git-sh-db-AGGIOR-1764001889941_1764001889941.txt | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ database-schema/schema.sql                                                                      |  4 ++--
+ python_ml/requirements.txt                                                                      |  2 +-
+ replit.md                                                                                       |  5 +++--
+ version.json                                                                                    | 16 ++++++++--------
+ 5 files changed, 104 insertions(+), 13 deletions(-)
+ create mode 100644 attached_assets/Pasted--deployment-update-from-git-sh-db-AGGIOR-1764001889941_1764001889941.txt
+✅ Aggiornamenti scaricati con successo
+
+ Ripristino configurazione locale...
+✅ .env ripristinato
+
+ Aggiornamento dipendenze Node.js...
+
+up to date, audited 492 packages in 2s
+
+65 packages are looking for funding
+  run `npm fund` for details
+
+9 vulnerabilities (3 low, 5 moderate, 1 high)
+
+To address issues that do not require attention, run:
+  npm audit fix
+
+To address all issues (including breaking changes), run:
+  npm audit fix --force
+
+Run `npm audit` for details.
+✅ Dipendenze Node.js aggiornate
+
+📦 Aggiornamento dipendenze Python...
+Defaulting to user installation because normal site-packages is not writeable
+Requirement already satisfied: fastapi==0.104.1 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 1)) (0.104.1)
+Requirement already satisfied: uvicorn==0.24.0 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 2)) (0.24.0)
+Requirement already satisfied: pandas==2.1.3 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 3)) (2.1.3)
+Requirement already satisfied: numpy==1.26.2 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 4)) (1.26.2)
+Requirement already satisfied: scikit-learn==1.3.2 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 5)) (1.3.2)
+Requirement already satisfied: psycopg2-binary==2.9.9 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 6)) (2.9.9)
+Requirement already satisfied: python-dotenv==1.0.0 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 7)) (1.0.0)
+Requirement already satisfied: pydantic==2.5.0 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 8)) (2.5.0)
+Requirement already satisfied: httpx==0.25.1 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 9)) (0.25.1)
+Collecting xgboost==2.0.3
+  Using cached xgboost-2.0.3-py3-none-manylinux2014_x86_64.whl (297.1 MB)
+Collecting joblib==1.3.2
+  Using cached joblib-1.3.2-py3-none-any.whl (302 kB)
+Collecting eif==2.0.2
+  Downloading eif-2.0.2.tar.gz (1.6 MB)
+     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.6/1.6 MB 2.8 MB/s eta 0:00:00
+  Preparing metadata (setup.py) ... error
+  error: subprocess-exited-with-error
+
+  × python setup.py egg_info did not run successfully.
+  │ exit code: 1
+  ╰─> [6 lines of output]
+      Traceback (most recent call last):
+        File "<string>", line 2, in <module>
+        File "<pip-setuptools-caller>", line 34, in <module>
+        File "/tmp/pip-install-7w_zhzdf/eif_d01f9f1e418b4512a5d7b4cf0e1128e2/setup.py", line 4, in <module>
+          from Cython.Distutils import build_ext
+      ModuleNotFoundError: No module named 'Cython'
+      [end of output]
+
+  note: This error originates from a subprocess, and is likely not a problem with pip.
+error: metadata-generation-failed
+
+× Encountered error while generating package metadata.
+╰─> See above for output.
+
+note: This is an issue with the package mentioned above, not pip.
+hint: See above for details.

attached_assets/Pasted--deployment-update-from-git-sh-db-AGGIOR-1764001889941_1764001889941.txt

@@ -0,0 +1,90 @@
+./deployment/update_from_git.sh --db
+
+╔═══════════════════════════════════════════════╗
+║    AGGIORNAMENTO SISTEMA IDS DA GIT         ║
+╚═══════════════════════════════════════════════╝
+
+ Verifica configurazione git...
+
+ Backup configurazione locale...
+✅ .env salvato in .env.backup
+
+ Verifica modifiche locali...
+⚠  Ci sono modifiche locali non committate
+   Esegui 'git status' per vedere i dettagli
+Vuoi procedere comunque? (y/n) y
+   Salvo modifiche locali temporaneamente...
+No local changes to save
+
+ Download aggiornamenti da git.alfacom.it...
+remote: Enumerating objects: 51, done.
+remote: Counting objects: 100% (51/51), done.
+remote: Compressing objects: 100% (41/41), done.
+remote: Total 41 (delta 32), reused 0 (delta 0), pack-reused 0 (from 0)
+Unpacking objects: 100% (41/41), 31.17 KiB | 1.35 MiB/s, done.
+From https://git.alfacom.it/marco/ids.alfacom.it
+   0fa2f11..3a945ec  main       -> origin/main
+ * [new tag]         v1.0.55    -> v1.0.55
+From https://git.alfacom.it/marco/ids.alfacom.it
+ * branch            main       -> FETCH_HEAD
+Updating 0fa2f11..3a945ec
+Fast-forward
+ database-schema/schema.sql        |   4 +-
+ deployment/CHECKLIST_ML_HYBRID.md | 536 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ python_ml/dataset_loader.py       | 384 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ python_ml/main.py                 | 120 ++++++++++++++++++++++++++++------
+ python_ml/ml_hybrid_detector.py   | 705 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ python_ml/requirements.txt        |   3 +
+ python_ml/train_hybrid.py         | 378 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ python_ml/validation_metrics.py   | 324 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ replit.md                         |  19 +++++-
+ version.json                      |  16 ++---
+ 10 files changed, 2459 insertions(+), 30 deletions(-)
+ create mode 100644 deployment/CHECKLIST_ML_HYBRID.md
+ create mode 100644 python_ml/dataset_loader.py
+ create mode 100644 python_ml/ml_hybrid_detector.py
+ create mode 100644 python_ml/train_hybrid.py
+ create mode 100644 python_ml/validation_metrics.py
+✅ Aggiornamenti scaricati con successo
+
+🔄 Ripristino configurazione locale...
+✅ .env ripristinato
+
+📦 Aggiornamento dipendenze Node.js...
+
+up to date, audited 492 packages in 3s
+
+65 packages are looking for funding
+  run `npm fund` for details
+
+9 vulnerabilities (3 low, 5 moderate, 1 high)
+
+To address issues that do not require attention, run:
+  npm audit fix
+
+To address all issues (including breaking changes), run:
+  npm audit fix --force
+
+Run `npm audit` for details.
+✅ Dipendenze Node.js aggiornate
+
+📦 Aggiornamento dipendenze Python...
+Defaulting to user installation because normal site-packages is not writeable
+Requirement already satisfied: fastapi==0.104.1 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 1)) (0.104.1)
+Requirement already satisfied: uvicorn==0.24.0 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 2)) (0.24.0)
+Requirement already satisfied: pandas==2.1.3 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 3)) (2.1.3)
+Requirement already satisfied: numpy==1.26.2 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 4)) (1.26.2)
+Requirement already satisfied: scikit-learn==1.3.2 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 5)) (1.3.2)
+Requirement already satisfied: psycopg2-binary==2.9.9 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 6)) (2.9.9)
+Requirement already satisfied: python-dotenv==1.0.0 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 7)) (1.0.0)
+Requirement already satisfied: pydantic==2.5.0 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 8)) (2.5.0)
+Requirement already satisfied: httpx==0.25.1 in /home/ids/.local/lib/python3.11/site-packages (from -r requirements.txt (line 9)) (0.25.1)
+Collecting xgboost==2.0.3
+  Downloading xgboost-2.0.3-py3-none-manylinux2014_x86_64.whl (297.1 MB)
+     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 297.1/297.1 MB 8.4 MB/s eta 0:00:00
+Collecting joblib==1.3.2
+  Downloading joblib-1.3.2-py3-none-any.whl (302 kB)
+     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 302.2/302.2 kB 62.7 MB/s eta 0:00:00
+ERROR: Ignored the following versions that require a different python version: 1.21.2 Requires-Python >=3.7,<3.11; 1.21.3 Requires-Python >=3.7,<3.11; 1.21.4 Requires-Python >=3.7,<3.11; 1.21.5 Requires-Python >=3.7,<3.11; 1.21.6 Requires-Python >=3.7,<3.11
+ERROR: Could not find a version that satisfies the requirement eif==2.0.0 (from versions: 1.0.0, 1.0.1, 1.0.2, 2.0.2)
+ERROR: No matching distribution found for eif==2.0.0

attached_assets/Pasted--journalctl-u-ids-list-fetcher-n-50-no-pager-Jan-02-15-_1767364928312.txt

@@ -0,0 +1,51 @@
+ journalctl -u ids-list-fetcher -n 50 --no-pager
+Jan 02 15:30:01 ids.alfacom.it ids-list-fetcher[9296]:   Skipped (whitelisted):       0
+Jan 02 15:30:01 ids.alfacom.it ids-list-fetcher[9296]: ============================================================
+Jan 02 15:30:01 ids.alfacom.it systemd[1]: ids-list-fetcher.service: Deactivated successfully.
+Jan 02 15:30:01 ids.alfacom.it systemd[1]: Finished IDS Public Lists Fetcher Service.
+Jan 02 15:40:00 ids.alfacom.it systemd[1]: Starting IDS Public Lists Fetcher Service...
+Jan 02 15:40:00 ids.alfacom.it ids-list-fetcher[9493]: ============================================================
+Jan 02 15:40:00 ids.alfacom.it ids-list-fetcher[9493]: [2026-01-02 15:40:00] PUBLIC LISTS SYNC
+Jan 02 15:40:00 ids.alfacom.it ids-list-fetcher[9493]: ============================================================
+Jan 02 15:40:00 ids.alfacom.it ids-list-fetcher[9493]: Found 2 enabled lists
+Jan 02 15:40:00 ids.alfacom.it ids-list-fetcher[9493]: [15:40:00] Downloading Spamhaus from https://www.spamhaus.org/drop/drop_v4.json...
+Jan 02 15:40:00 ids.alfacom.it ids-list-fetcher[9493]: [15:40:00] Downloading AWS from https://ip-ranges.amazonaws.com/ip-ranges.json...
+Jan 02 15:40:00 ids.alfacom.it ids-list-fetcher[9493]: [15:40:00] Parsing AWS...
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: [15:40:01] Found 9548 IPs, syncing to database...
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: [15:40:01] ✓ AWS: +0 -0 ~9511
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: [15:40:01] Parsing Spamhaus...
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: [15:40:01] Found 1468 IPs, syncing to database...
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: [15:40:01] ✓ Spamhaus: +0 -0 ~1464
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: ============================================================
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: SYNC SUMMARY
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: ============================================================
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: Success: 2/2
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: Errors:  0/2
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: Total IPs Added:   0
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: Total IPs Removed: 0
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: ============================================================
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: ============================================================
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: RUNNING MERGE LOGIC
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: ============================================================
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: ERROR:merge_logic:Failed to cleanup detections: operator does not exist: inet = text
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: LINE 9:                             d.source_ip::inet = wl.ip_inet
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]:                                                       ^
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: HINT:  No operator matches the given name and argument types. You might need to add explicit type casts.
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: ERROR:merge_logic:Failed to sync detections: operator does not exist: inet = text
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: LINE 29:                             bl.ip_inet = wl.ip_inet
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]:                                                 ^
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: HINT:  No operator matches the given name and argument types. You might need to add explicit type casts.
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: Traceback (most recent call last):
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]:   File "/opt/ids/python_ml/merge_logic.py", line 264, in sync_public_blacklist_detections
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]:     cur.execute("""
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: psycopg2.errors.UndefinedFunction: operator does not exist: inet = text
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: LINE 29:                             bl.ip_inet = wl.ip_inet
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]:                                                 ^
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: HINT:  No operator matches the given name and argument types. You might need to add explicit type casts.
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: Merge Logic Stats:
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]:   Created detections:          0
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]:   Cleaned invalid detections:  0
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]:   Skipped (whitelisted):       0
+Jan 02 15:40:01 ids.alfacom.it ids-list-fetcher[9493]: ============================================================
+Jan 02 15:40:01 ids.alfacom.it systemd[1]: ids-list-fetcher.service: Deactivated successfully.
+Jan 02 15:40:01 ids.alfacom.it systemd[1]: Finished IDS Public Lists Fetcher Service.

attached_assets/Pasted--journalctl-u-ids-list-fetcher-n-50-no-pager-Jan-02-17-_1767370468601.txt

@@ -0,0 +1,51 @@
+ journalctl -u ids-list-fetcher -n 50 --no-pager
+Jan 02 17:10:02 ids.alfacom.it ids-list-fetcher[2139]: ============================================================
+Jan 02 17:10:02 ids.alfacom.it ids-list-fetcher[2139]: ============================================================
+Jan 02 17:10:02 ids.alfacom.it ids-list-fetcher[2139]: RUNNING MERGE LOGIC
+Jan 02 17:10:02 ids.alfacom.it ids-list-fetcher[2139]: ============================================================
+Jan 02 17:10:12 ids.alfacom.it ids-list-fetcher[2139]: INFO:merge_logic:Bulk sync complete: {'created': 0, 'cleaned': 0, 'skipped_whitelisted': 0}
+Jan 02 17:10:12 ids.alfacom.it ids-list-fetcher[2139]: Merge Logic Stats:
+Jan 02 17:10:12 ids.alfacom.it ids-list-fetcher[2139]:   Created detections:          0
+Jan 02 17:10:12 ids.alfacom.it ids-list-fetcher[2139]:   Cleaned invalid detections:  0
+Jan 02 17:10:12 ids.alfacom.it ids-list-fetcher[2139]:   Skipped (whitelisted):       0
+Jan 02 17:10:12 ids.alfacom.it ids-list-fetcher[2139]: ============================================================
+Jan 02 17:10:12 ids.alfacom.it systemd[1]: ids-list-fetcher.service: Deactivated successfully.
+Jan 02 17:10:12 ids.alfacom.it systemd[1]: Finished IDS Public Lists Fetcher Service.
+Jan 02 17:12:35 ids.alfacom.it systemd[1]: Starting IDS Public Lists Fetcher Service...
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: ============================================================
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: [2026-01-02 17:12:35] PUBLIC LISTS SYNC
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: ============================================================
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: Found 4 enabled lists
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: [17:12:35] Downloading Spamhaus from https://www.spamhaus.org/drop/drop_v4.json...
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: [17:12:35] Downloading AWS from https://ip-ranges.amazonaws.com/ip-ranges.json...
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: [17:12:35] Downloading Google Cloud from https://www.gstatic.com/ipranges/cloud.json...
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: [17:12:35] Downloading Google globali from https://www.gstatic.com/ipranges/goog.json...
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: [17:12:35] Parsing AWS...
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: [17:12:35] Found 9548 IPs, syncing to database...
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: [17:12:35] ✓ AWS: +0 -0 ~9548
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: [17:12:35] Parsing Google globali...
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: [17:12:35] ✗ Google globali: No valid IPs found in list
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: [17:12:35] Parsing Google Cloud...
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: [17:12:35] ✗ Google Cloud: No valid IPs found in list
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: [17:12:35] Parsing Spamhaus...
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: [17:12:35] Found 1468 IPs, syncing to database...
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: [17:12:35] ✓ Spamhaus: +0 -0 ~1468
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: ============================================================
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: SYNC SUMMARY
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: ============================================================
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: Success: 2/4
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: Errors:  2/4
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: Total IPs Added:   0
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: Total IPs Removed: 0
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: ============================================================
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: ============================================================
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: RUNNING MERGE LOGIC
+Jan 02 17:12:35 ids.alfacom.it ids-list-fetcher[2279]: ============================================================
+Jan 02 17:12:45 ids.alfacom.it ids-list-fetcher[2279]: INFO:merge_logic:Bulk sync complete: {'created': 0, 'cleaned': 0, 'skipped_whitelisted': 0}
+Jan 02 17:12:45 ids.alfacom.it ids-list-fetcher[2279]: Merge Logic Stats:
+Jan 02 17:12:45 ids.alfacom.it ids-list-fetcher[2279]:   Created detections:          0
+Jan 02 17:12:45 ids.alfacom.it ids-list-fetcher[2279]:   Cleaned invalid detections:  0
+Jan 02 17:12:45 ids.alfacom.it ids-list-fetcher[2279]:   Skipped (whitelisted):       0
+Jan 02 17:12:45 ids.alfacom.it ids-list-fetcher[2279]: ============================================================
+Jan 02 17:12:45 ids.alfacom.it systemd[1]: ids-list-fetcher.service: Deactivated successfully.
+Jan 02 17:12:45 ids.alfacom.it systemd[1]: Finished IDS Public Lists Fetcher Service.

attached_assets/Pasted--python-compare-models-py-WARNING-Extended-Isolation-Forest-not-available-using-standard-IF--1764060191039_1764060191039.txt

@@ -0,0 +1,55 @@
+ python compare_models.py
+[WARNING] Extended Isolation Forest not available, using standard IF
+
+================================================================================
+  IDS MODEL COMPARISON - DB Current vs Hybrid Detector v2.0.0
+================================================================================
+
+[1] Caricamento detection esistenti dal database...
+   Trovate 50 detection nel database
+
+[2] Caricamento nuovo Hybrid Detector (v2.0.0)...
+[HYBRID] Ensemble classifier loaded
+[HYBRID] Models loaded (version: latest)
+[HYBRID] Selected features: 18/25
+[HYBRID] Mode: Hybrid (IF + Ensemble)
+   ✅ Hybrid Detector caricato (18 feature selezionate)
+
+[3] Rianalisi di 50 IP con nuovo modello Hybrid...
+   (Questo può richiedere alcuni minuti...)
+
+   [1/50] Analisi IP: 185.203.25.138
+      Current: score=100.0, type=ddos, blocked=False
+Traceback (most recent call last):
+  File "/opt/ids/python_ml/venv/lib64/python3.11/site-packages/pandas/core/indexes/base.py", line 3790, in get_loc
+    return self._engine.get_loc(casted_key)
+           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "index.pyx", line 152, in pandas._libs.index.IndexEngine.get_loc
+  File "index.pyx", line 181, in pandas._libs.index.IndexEngine.get_loc
+  File "pandas/_libs/hashtable_class_helper.pxi", line 7080, in pandas._libs.hashtable.PyObjectHashTable.get_item
+  File "pandas/_libs/hashtable_class_helper.pxi", line 7088, in pandas._libs.hashtable.PyObjectHashTable.get_item
+KeyError: 'timestamp'
+
+The above exception was the direct cause of the following exception:
+
+Traceback (most recent call last):
+  File "/opt/ids/python_ml/compare_models.py", line 265, in <module>
+    main()
+  File "/opt/ids/python_ml/compare_models.py", line 184, in main
+    comparison = reanalyze_with_hybrid(detector, ip, old_det)
+                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/opt/ids/python_ml/compare_models.py", line 118, in reanalyze_with_hybrid
+    result = detector.detect(ip_features)
+             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/opt/ids/python_ml/ml_hybrid_detector.py", line 507, in detect
+    features_df = self.extract_features(logs_df)
+                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/opt/ids/python_ml/ml_hybrid_detector.py", line 98, in extract_features
+    logs_df['timestamp'] = pd.to_datetime(logs_df['timestamp'])
+                                          ~~~~~~~^^^^^^^^^^^^^
+  File "/opt/ids/python_ml/venv/lib64/python3.11/site-packages/pandas/core/frame.py", line 3893, in __getitem__
+    indexer = self.columns.get_loc(key)
+              ^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/opt/ids/python_ml/venv/lib64/python3.11/site-packages/pandas/core/indexes/base.py", line 3797, in get_loc
+    raise KeyError(key) from err
+KeyError: 'timestamp'

attached_assets/Pasted--python-train-hybrid-py-test-WARNING-Extended-Isolation-Forest-not-available-using-standard-IF--1764006995649_1764006995649.txt

@@ -0,0 +1,75 @@
+ python train_hybrid.py --test
+[WARNING] Extended Isolation Forest not available, using standard IF
+
+======================================================================
+  IDS HYBRID ML TEST - SYNTHETIC DATA
+======================================================================
+INFO:dataset_loader:Creating sample dataset (10000 samples)...
+INFO:dataset_loader:Sample dataset created: 10000 rows
+INFO:dataset_loader:Attack distribution:
+attack_type
+normal         8981
+brute_force     273
+suspicious      258
+ddos            257
+port_scan       231
+Name: count, dtype: int64
+
+[TEST] Created synthetic dataset: 10000 samples
+  Normal:  8,981 (89.8%)
+  Attacks: 1,019 (10.2%)
+
+[TEST] Training on 6,281 normal samples...
+[HYBRID] Training hybrid model on 6281 logs...
+[HYBRID] Extracted features for 100 unique IPs
+[HYBRID] Pre-training Isolation Forest for feature selection...
+[HYBRID] Generated 3 pseudo-anomalies from pre-training IF
+[HYBRID] Feature selection: 25 → 18 features
+[HYBRID] Selected features: total_packets, conn_count, time_span_seconds, conn_per_second, hour_of_day... (+13 more)
+[HYBRID] Normalizing features...
+[HYBRID] Training Extended Isolation Forest (contamination=0.03)...
+/opt/ids/python_ml/venv/lib64/python3.11/site-packages/sklearn/ensemble/_iforest.py:307: UserWarning: max_samples (256) is greater than the total number of samples (100). max_samples will be set to n_samples for estimation.
+  warn(
+[HYBRID] Generating pseudo-labels from Isolation Forest...
+[HYBRID] ⚠  IF found only 3 anomalies (need 10)
+[HYBRID] Applying ADAPTIVE percentile fallback...
+[HYBRID]   Trying 5% percentile → 5 anomalies
+[HYBRID]   Trying 10% percentile → 10 anomalies
+[HYBRID] ✅ Success with 10% percentile
+[HYBRID] Pseudo-labels: 10 anomalies, 90 normal
+[HYBRID] Training ensemble classifier (DT + RF + XGBoost)...
+[HYBRID] Class distribution OK: [0 1] (counts: [90 10])
+[HYBRID] Ensemble .fit() completed successfully
+[HYBRID] ✅ Ensemble verified: produces 2 class probabilities
+[HYBRID] Ensemble training completed and verified!
+[HYBRID] Models saved to models
+[HYBRID] Ensemble classifier included
+[HYBRID] ✅ Training completed successfully! 10/100 IPs flagged as anomalies
+[HYBRID] ✅ Ensemble classifier verified and ready for production
+[DETECT] Ensemble classifier available - computing hybrid score...
+[DETECT] IF scores: min=0.0, max=100.0, mean=57.6
+[DETECT] Ensemble scores: min=86.9, max=97.2, mean=92.1
+[DETECT] Combined scores: min=54.3, max=93.1, mean=78.3
+[DETECT] ✅ Hybrid scoring active: 40% IF + 60% Ensemble
+
+[TEST] Detection results:
+  Total detections: 100
+  High confidence:   0
+  Medium confidence: 85
+  Low confidence:    15
+
+[TEST] Top 5 detections:
+  1. 192.168.0.24: risk=93.1, type=suspicious, confidence=medium
+  2. 192.168.0.27: risk=92.7, type=suspicious, confidence=medium
+  3. 192.168.0.88: risk=92.5, type=suspicious, confidence=medium
+  4. 192.168.0.70: risk=92.3, type=suspicious, confidence=medium
+  5. 192.168.0.4: risk=91.4, type=suspicious, confidence=medium
+
+❌ Error: index 7000 is out of bounds for axis 0 with size 3000
+Traceback (most recent call last):
+  File "/opt/ids/python_ml/train_hybrid.py", line 361, in main
+    test_on_synthetic(args)
+  File "/opt/ids/python_ml/train_hybrid.py", line 283, in test_on_synthetic
+    y_pred[i] = 1
+    ~~~~~~^^^
+IndexError: index 7000 is out of bounds for axis 0 with size 3000

attached_assets/Pasted--tail-f-var-log-ids-ml-backend-log-HYBRID-Mode-Hybrid-IF-Ensemble-ML-Hybrid-detector-mo-1764092371597_1764092371597.txt

@@ -0,0 +1,66 @@
+ tail -f /var/log/ids/ml_backend.log
+[HYBRID] Mode: Hybrid (IF + Ensemble)
+[ML] ✓ Hybrid detector models loaded and ready
+ Starting IDS API on http://0.0.0.0:8000
+ Docs available at http://0.0.0.0:8000/docs
+INFO:     127.0.0.1:45342 - "GET /stats HTTP/1.1" 200 OK
+INFO:     127.0.0.1:49754 - "GET /stats HTTP/1.1" 200 OK
+INFO:     127.0.0.1:50634 - "GET /stats HTTP/1.1" 200 OK
+INFO:     127.0.0.1:39232 - "GET /stats HTTP/1.1" 200 OK
+INFO:     127.0.0.1:35736 - "GET /stats HTTP/1.1" 200 OK
+INFO:     127.0.0.1:37462 - "GET /stats HTTP/1.1" 200 OK
+INFO:     127.0.0.1:59676 - "GET /stats HTTP/1.1" 200 OK
+INFO:     127.0.0.1:34256 - "GET /health HTTP/1.1" 200 OK
+INFO:     127.0.0.1:34256 - "GET /services/status HTTP/1.1" 200 OK
+INFO:     127.0.0.1:34256 - "GET /stats HTTP/1.1" 200 OK
+INFO:     127.0.0.1:34264 - "POST /train HTTP/1.1" 200 OK
+[TRAIN] Inizio training...
+INFO:     127.0.0.1:34264 - "GET /stats HTTP/1.1" 200 OK
+[TRAIN] Trovati 100000 log per training
+[TRAIN] Addestramento modello...
+[TRAIN] Using Hybrid ML Detector
+[HYBRID] Training hybrid model on 100000 logs...
+INFO:     127.0.0.1:41612 - "GET /stats HTTP/1.1" 200 OK
+Traceback (most recent call last):
+  File "/opt/ids/python_ml/main.py", line 201, in do_training
+    result = ml_detector.train_unsupervised(df)
+             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/opt/ids/python_ml/ml_hybrid_detector.py", line 467, in train_unsupervised
+    self.save_models()
+  File "/opt/ids/python_ml/ml_hybrid_detector.py", line 658, in save_models
+    joblib.dump(self.ensemble_classifier, self.model_dir / "ensemble_classifier_latest.pkl")
+  File "/opt/ids/python_ml/venv/lib64/python3.11/site-packages/joblib/numpy_pickle.py", line 552, in dump
+    with open(filename, 'wb') as f:
+         ^^^^^^^^^^^^^^^^^^^^
+PermissionError: [Errno 13] Permission denied: 'models/ensemble_classifier_latest.pkl'
+[HYBRID] Extracted features for 1430 unique IPs
+[HYBRID] Pre-training Isolation Forest for feature selection...
+[HYBRID] Generated 43 pseudo-anomalies from pre-training IF
+[HYBRID] Feature selection: 25 → 18 features
+[HYBRID] Selected features: total_packets, total_bytes, conn_count, avg_packet_size, bytes_per_second... (+13 more)
+[HYBRID] Normalizing features...
+[HYBRID] Training Extended Isolation Forest (contamination=0.03)...
+[HYBRID] Generating pseudo-labels from Isolation Forest...
+[HYBRID] Pseudo-labels: 43 anomalies, 1387 normal
+[HYBRID] Training ensemble classifier (DT + RF + XGBoost)...
+[HYBRID] Class distribution OK: [0 1] (counts: [1387   43])
+[HYBRID] Ensemble .fit() completed successfully
+[HYBRID] ✅ Ensemble verified: produces 2 class probabilities
+[HYBRID] Ensemble training completed and verified!
+[TRAIN ERROR] ❌ Errore durante training: [Errno 13] Permission denied: 'models/ensemble_classifier_latest.pkl'
+INFO:     127.0.0.1:45694 - "GET /stats HTTP/1.1" 200 OK
+^C
+(venv) [root@ids python_ml]# ls models/
+ensemble_classifier_20251124_185541.pkl  feature_names.json                       feature_selector_latest.pkl              isolation_forest_20251125_183830.pkl     scaler_20251124_192122.pkl
+ensemble_classifier_20251124_185920.pkl  feature_selector_20251124_185541.pkl     isolation_forest.joblib                  isolation_forest_latest.pkl              scaler_20251125_090356.pkl
+ensemble_classifier_20251124_192109.pkl  feature_selector_20251124_185920.pkl     isolation_forest_20251124_185541.pkl     metadata_20251124_185541.json            scaler_20251125_092703.pkl
+ensemble_classifier_20251124_192122.pkl  feature_selector_20251124_192109.pkl     isolation_forest_20251124_185920.pkl     metadata_20251124_185920.json            scaler_20251125_120016.pkl
+ensemble_classifier_20251125_090356.pkl  feature_selector_20251124_192122.pkl     isolation_forest_20251124_192109.pkl     metadata_20251124_192109.json            scaler_20251125_181945.pkl
+ensemble_classifier_20251125_092703.pkl  feature_selector_20251125_090356.pkl     isolation_forest_20251124_192122.pkl     metadata_20251124_192122.json            scaler_20251125_182742.pkl
+ensemble_classifier_20251125_120016.pkl  feature_selector_20251125_092703.pkl     isolation_forest_20251125_090356.pkl     metadata_20251125_092703.json            scaler_20251125_183049.pkl
+ensemble_classifier_20251125_181945.pkl  feature_selector_20251125_120016.pkl     isolation_forest_20251125_092703.pkl     metadata_latest.json                     scaler_20251125_183830.pkl
+ensemble_classifier_20251125_182742.pkl  feature_selector_20251125_181945.pkl     isolation_forest_20251125_120016.pkl     scaler.joblib                            scaler_latest.pkl
+ensemble_classifier_20251125_183049.pkl  feature_selector_20251125_182742.pkl     isolation_forest_20251125_181945.pkl     scaler_20251124_185541.pkl
+ensemble_classifier_20251125_183830.pkl  feature_selector_20251125_183049.pkl     isolation_forest_20251125_182742.pkl     scaler_20251124_185920.pkl
+ensemble_classifier_latest.pkl           feature_selector_20251125_183830.pkl     isolation_forest_20251125_183049.pkl     scaler_20251124_192109.pkl
+(venv) [root@ids python_ml]#                                                                                                                                 

attached_assets/Pasted-INFO-Shutting-down-INFO-Waiting-for-application-shutdown-INFO-Application-shutdown-c-1763807174788_1763807174788.txt

@@ -0,0 +1,40 @@
+INFO:     Shutting down
+INFO:     Waiting for application shutdown.
+INFO:     Application shutdown complete.
+INFO:     Finished server process [16990]
+INFO:     Started server process [18451]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+INFO:     Uvicorn running on http://0.0.0.0:8000 (Press CTRL+C to quit)
+[LOAD] Modello caricato da models
+🚀 Starting IDS API on http://0.0.0.0:8000
+📚 Docs available at http://0.0.0.0:8000/docs
+INFO:     127.0.0.1:53190 - "POST /detect HTTP/1.1" 200 OK
+INFO:     127.0.0.1:50930 - "GET /stats HTTP/1.1" 200 OK
+INFO:     127.0.0.1:50942 - "POST /train HTTP/1.1" 200 OK
+[TRAIN] Inizio training...
+INFO:     127.0.0.1:50930 - "GET /stats HTTP/1.1" 200 OK
+[TRAIN] Trovati 100000 log per training
+[TRAIN] Addestramento modello...
+[TRAINING] Estrazione feature da 100000 log...
+INFO:     127.0.0.1:35464 - "GET /stats HTTP/1.1" 200 OK
+INFO:     127.0.0.1:33782 - "GET /stats HTTP/1.1" 200 OK
+Traceback (most recent call last):
+  File "/opt/ids/python_ml/main.py", line 161, in do_training
+    result = ml_analyzer.train(df, contamination=request.contamination)
+             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/opt/ids/python_ml/ml_analyzer.py", line 191, in train
+    self.save_model()
+  File "/opt/ids/python_ml/ml_analyzer.py", line 311, in save_model
+    joblib.dump(self.model, model_path)
+  File "/opt/ids/python_ml/venv/lib64/python3.11/site-packages/joblib/numpy_pickle.py", line 552, in dump
+    with open(filename, 'wb') as f:
+         ^^^^^^^^^^^^^^^^^^^^
+PermissionError: [Errno 13] Permission denied: 'models/isolation_forest.joblib'
+[TRAINING] Feature estratte per 4467 IP unici
+[TRAINING] Normalizzazione features...
+[TRAINING] Addestramento Isolation Forest (contamination=0.01)...
+[TRAIN ERROR] ❌ Errore durante training: [Errno 13] Permission denied: 'models/isolation_forest.joblib'
+INFO:     127.0.0.1:39856 - "GET /stats HTTP/1.1" 200 OK
+INFO:     127.0.0.1:48214 - "GET /stats HTTP/1.1" 200 OK
+                                                               

attached_assets/Pasted-Marco-questo-output-chiude-definitivamente-ogni-dubbio-EIF-non-installabile-su-Python-3-11--1764005916405_1764005916405.txt

@@ -0,0 +1,104 @@
+Marco, questo output chiude definitivamente ogni dubbio: **EIF non è installabile su Python 3.11**, indipendentemente da qualsiasi combinazione di flag.
+
+Il nuovo errore:
+
+```
+ModuleNotFoundError: No module named 'numpy'
+```
+
+non è un vero errore tuo:
+è un sintomo della nuova API **PEP 518 / build isolation** che crea un ambiente temporaneo (build-env) dove EIF cerca Numpy, ma EIF è così vecchio che non sa gestire correttamente Python ≥ 3.11, né il nuovo meccanismo di build.
+
+E infatti lo avevamo già visto dai log precedenti:
+
+### ❗ EIF usa codice C++ che *non può* essere compilato con Python 3.11
+
+---
+
+# 🛑 Conclusione tecnica definitiva
+
+✔ **EIF funziona solo fino a Python 3.10.**
+❌ **EIF NON funziona con Python 3.11.**
+❌ Nemmeno con:
+
+* `PIP_NO_BUILD_ISOLATION=1`
+* `Cython` aggiornato
+* `wheel`, `setuptools`, `build`
+* disabilitando cache
+* aggiungendo Numpy a mano
+
+💡 Perché?
+Il sorgente `eif` richiede:
+
+* distutils (rimosso in 3.11)
+* API Cython vecchie e rimosse
+* costrutti C++ non più supportati
+* build system che non funziona con Python moderno
+
+---
+
+# ✅ Le UNICHE soluzioni funzionanti
+
+## **SOLUZIONE A — Consigliata**
+
+Sostituire EIF con **PyOD** usando il modello equivalmente identico:
+
+### Installazione
+
+```bash
+pip install pyod
+```
+
+### Uso
+
+```python
+from pyod.models.eif import EIF
+
+model = EIF(ntrees=100)
+model.fit(data)
+scores = model.decision_function(data)
+```
+
+Hai lo stesso algoritmo, stessa logica, stesso output, zero problemi.
+
+---
+
+## **SOLUZIONE B — Usare Python 3.9 o 3.10 SOLO per EIF**
+
+Se per qualche ragione vuoi usare per forza *quel pacchetto*, devi fare così:
+
+### 1. Installa Python 3.10 su AlmaLinux
+
+```bash
+sudo dnf install python3.10 python3.10-devel gcc gcc-c++
+```
+
+### 2. Crea un venv dedicato
+
+```bash
+python3.10 -m venv venv_eif
+source venv_eif/bin/activate
+```
+
+### 3. Installa EIF *nel venv Python 3.10*
+
+```bash
+pip install --upgrade pip setuptools wheel cython numpy
+pip install eif==2.0.2
+```
+
+**Funzionerà al 100%.**
+
+---
+
+# 🔥 Marco, vuoi evitare Python 3.10?
+
+Ti riscrivo ENTRO 5 MINUTI il tuo IDS basato su EIF, sostituendolo con PyOD, garantendo:
+
+* stesso comportamento
+* stessa accuracy o migliore
+* supporto completo Python 3.11
+* zero compilazioni
+* codice più pulito e moderno
+
+Vuoi che procedo?

attached_assets/Pasted-Nov-25-08-47-55-ids-alfacom-it-systemd-1-Stopped-IDS-ML-Backend-FastAPI-Nov-25-08-47-55-ids-alf-1764056991460_1764056991460.txt

@@ -0,0 +1,39 @@
+Nov 25 08:47:55 ids.alfacom.it systemd[1]: Stopped IDS ML Backend (FastAPI).
+Nov 25 08:47:55 ids.alfacom.it systemd[1]: ids-ml-backend.service: Consumed 6min 21.039s CPU time.
+Nov 25 08:47:55 ids.alfacom.it systemd[1]: Started IDS ML Backend (FastAPI).
+Nov 25 08:47:58 ids.alfacom.it systemd[1]: ids-ml-backend.service: Main process exited, code=exited, status=1/FAILURE
+Nov 25 08:47:58 ids.alfacom.it systemd[1]: ids-ml-backend.service: Failed with result 'exit-code'.
+Nov 25 08:47:58 ids.alfacom.it systemd[1]: ids-ml-backend.service: Consumed 4.156s CPU time.
+Nov 25 08:48:08 ids.alfacom.it systemd[1]: ids-ml-backend.service: Scheduled restart job, restart counter is at 1.
+Nov 25 08:48:08 ids.alfacom.it systemd[1]: Stopped IDS ML Backend (FastAPI).
+Nov 25 08:48:08 ids.alfacom.it systemd[1]: ids-ml-backend.service: Consumed 4.156s CPU time.
+Nov 25 08:48:08 ids.alfacom.it systemd[1]: Started IDS ML Backend (FastAPI).
+Nov 25 08:48:11 ids.alfacom.it systemd[1]: ids-ml-backend.service: Main process exited, code=exited, status=1/FAILURE
+Nov 25 08:48:11 ids.alfacom.it systemd[1]: ids-ml-backend.service: Failed with result 'exit-code'.
+Nov 25 08:48:11 ids.alfacom.it systemd[1]: ids-ml-backend.service: Consumed 4.059s CPU time.
+Nov 25 08:48:16 ids.alfacom.it systemd[1]: Stopped IDS ML Backend (FastAPI).
+Nov 25 08:48:16 ids.alfacom.it systemd[1]: ids-ml-backend.service: Consumed 4.059s CPU time.
+Nov 25 08:48:16 ids.alfacom.it systemd[1]: Started IDS ML Backend (FastAPI).
+Nov 25 08:48:18 ids.alfacom.it systemd[1]: ids-ml-backend.service: Main process exited, code=exited, status=1/FAILURE
+Nov 25 08:48:18 ids.alfacom.it systemd[1]: ids-ml-backend.service: Failed with result 'exit-code'.
+Nov 25 08:48:18 ids.alfacom.it systemd[1]: ids-ml-backend.service: Consumed 3.908s CPU time.
+Nov 25 08:48:28 ids.alfacom.it systemd[1]: ids-ml-backend.service: Scheduled restart job, restart counter is at 2.
+Nov 25 08:48:28 ids.alfacom.it systemd[1]: Stopped IDS ML Backend (FastAPI).
+Nov 25 08:48:28 ids.alfacom.it systemd[1]: ids-ml-backend.service: Consumed 3.908s CPU time.
+Nov 25 08:48:28 ids.alfacom.it systemd[1]: Started IDS ML Backend (FastAPI).
+Nov 25 08:48:31 ids.alfacom.it systemd[1]: ids-ml-backend.service: Main process exited, code=exited, status=1/FAILURE
+Nov 25 08:48:31 ids.alfacom.it systemd[1]: ids-ml-backend.service: Failed with result 'exit-code'.
+Nov 25 08:48:31 ids.alfacom.it systemd[1]: ids-ml-backend.service: Consumed 3.952s CPU time.
+Nov 25 08:48:41 ids.alfacom.it systemd[1]: ids-ml-backend.service: Scheduled restart job, restart counter is at 3.
+Nov 25 08:48:41 ids.alfacom.it systemd[1]: Stopped IDS ML Backend (FastAPI).
+Nov 25 08:48:41 ids.alfacom.it systemd[1]: ids-ml-backend.service: Consumed 3.952s CPU time.
+Nov 25 08:48:41 ids.alfacom.it systemd[1]: Started IDS ML Backend (FastAPI).
+Nov 25 08:48:43 ids.alfacom.it systemd[1]: ids-ml-backend.service: Main process exited, code=exited, status=1/FAILURE
+Nov 25 08:48:43 ids.alfacom.it systemd[1]: ids-ml-backend.service: Failed with result 'exit-code'.
+Nov 25 08:48:43 ids.alfacom.it systemd[1]: ids-ml-backend.service: Consumed 4.019s CPU time.
+Nov 25 08:48:53 ids.alfacom.it systemd[1]: ids-ml-backend.service: Scheduled restart job, restart counter is at 4.
+Nov 25 08:48:53 ids.alfacom.it systemd[1]: Stopped IDS ML Backend (FastAPI).
+Nov 25 08:48:53 ids.alfacom.it systemd[1]: ids-ml-backend.service: Consumed 4.019s CPU time.
+Nov 25 08:48:53 ids.alfacom.it systemd[1]: ids-ml-backend.service: Start request repeated too quickly.
+Nov 25 08:48:53 ids.alfacom.it systemd[1]: ids-ml-backend.service: Failed with result 'exit-code'.
+Nov 25 08:48:53 ids.alfacom.it systemd[1]: Failed to start IDS ML Backend (FastAPI).

attached_assets/Pasted-cd-opt-ids-python-ml-source-venv-bin-activate-python3-main-py-WARNING-Extended-Isolation-Fo-1764092004725_1764092004725.txt

@@ -0,0 +1,125 @@
+cd /opt/ids/python_ml && source venv/bin/activate && python3 main.py
+[WARNING] Extended Isolation Forest not available, using standard IF
+[ML] Using Hybrid ML Detector (Extended Isolation Forest + Feature Selection)
+[HYBRID] Ensemble classifier loaded
+[HYBRID] Models loaded (version: latest)
+[HYBRID] Selected features: 18/25
+[HYBRID] Mode: Hybrid (IF + Ensemble)
+[ML] ✓ Hybrid detector models loaded and ready
+ Starting IDS API on http://0.0.0.0:8000
+ Docs available at http://0.0.0.0:8000/docs
+INFO:     Started server process [108626]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+ERROR:    [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
+INFO:     Waiting for application shutdown.
+INFO:     Application shutdown complete.
+(venv) [root@ids python_ml]# ls -la /opt/ids/python_ml/models/
+total 22896
+drwxr-xr-x. 2 ids  ids     4096 Nov 25 18:30 .
+drwxr-xr-x. 6 ids  ids     4096 Nov 25 12:53 ..
+-rw-r--r--. 1 root root  235398 Nov 24 18:55 ensemble_classifier_20251124_185541.pkl
+-rw-r--r--. 1 root root  231504 Nov 24 18:59 ensemble_classifier_20251124_185920.pkl
+-rw-r--r--. 1 root root 1008222 Nov 24 19:21 ensemble_classifier_20251124_192109.pkl
+-rw-r--r--. 1 root root  925566 Nov 24 19:21 ensemble_classifier_20251124_192122.pkl
+-rw-r--r--. 1 ids  ids   200159 Nov 25 09:03 ensemble_classifier_20251125_090356.pkl
+-rw-r--r--. 1 root root  806006 Nov 25 09:27 ensemble_classifier_20251125_092703.pkl
+-rw-r--r--. 1 ids  ids   286079 Nov 25 12:00 ensemble_classifier_20251125_120016.pkl
+-rw-r--r--. 1 ids  ids   398464 Nov 25 18:19 ensemble_classifier_20251125_181945.pkl
+-rw-r--r--. 1 ids  ids   426790 Nov 25 18:27 ensemble_classifier_20251125_182742.pkl
+-rw-r--r--. 1 ids  ids   423651 Nov 25 18:30 ensemble_classifier_20251125_183049.pkl
+-rw-r--r--. 1 root root  806006 Nov 25 09:27 ensemble_classifier_latest.pkl
+-rw-r--r--. 1 ids  ids      461 Nov 25 00:00 feature_names.json
+-rw-r--r--. 1 root root    1695 Nov 24 18:55 feature_selector_20251124_185541.pkl
+-rw-r--r--. 1 root root    1695 Nov 24 18:59 feature_selector_20251124_185920.pkl
+-rw-r--r--. 1 root root    1695 Nov 24 19:21 feature_selector_20251124_192109.pkl
+-rw-r--r--. 1 root root    1695 Nov 24 19:21 feature_selector_20251124_192122.pkl
+-rw-r--r--. 1 ids  ids     1695 Nov 25 09:03 feature_selector_20251125_090356.pkl
+-rw-r--r--. 1 root root    1695 Nov 25 09:27 feature_selector_20251125_092703.pkl
+-rw-r--r--. 1 ids  ids     1695 Nov 25 12:00 feature_selector_20251125_120016.pkl
+-rw-r--r--. 1 ids  ids     1695 Nov 25 18:19 feature_selector_20251125_181945.pkl
+-rw-r--r--. 1 ids  ids     1695 Nov 25 18:27 feature_selector_20251125_182742.pkl
+-rw-r--r--. 1 ids  ids     1695 Nov 25 18:30 feature_selector_20251125_183049.pkl
+-rw-r--r--. 1 root root    1695 Nov 25 09:27 feature_selector_latest.pkl
+-rw-r--r--. 1 ids  ids   813592 Nov 25 00:00 isolation_forest.joblib
+-rw-r--r--. 1 root root 1674808 Nov 24 18:55 isolation_forest_20251124_185541.pkl
+-rw-r--r--. 1 root root 1642600 Nov 24 18:59 isolation_forest_20251124_185920.pkl
+-rw-r--r--. 1 root root 1482984 Nov 24 19:21 isolation_forest_20251124_192109.pkl
+-rw-r--r--. 1 root root 1465736 Nov 24 19:21 isolation_forest_20251124_192122.pkl
+-rw-r--r--. 1 ids  ids  1139256 Nov 25 09:03 isolation_forest_20251125_090356.pkl
+-rw-r--r--. 1 root root 1428424 Nov 25 09:27 isolation_forest_20251125_092703.pkl
+-rw-r--r--. 1 ids  ids  1855240 Nov 25 12:00 isolation_forest_20251125_120016.pkl
+-rw-r--r--. 1 ids  ids  1519784 Nov 25 18:19 isolation_forest_20251125_181945.pkl
+-rw-r--r--. 1 ids  ids  1511688 Nov 25 18:27 isolation_forest_20251125_182742.pkl
+-rw-r--r--. 1 ids  ids  1559208 Nov 25 18:30 isolation_forest_20251125_183049.pkl
+-rw-r--r--. 1 root root 1428424 Nov 25 09:27 isolation_forest_latest.pkl
+-rw-r--r--. 1 root root    1661 Nov 24 18:55 metadata_20251124_185541.json
+-rw-r--r--. 1 root root    1661 Nov 24 18:59 metadata_20251124_185920.json
+-rw-r--r--. 1 root root    1675 Nov 24 19:21 metadata_20251124_192109.json
+-rw-r--r--. 1 root root    1675 Nov 24 19:21 metadata_20251124_192122.json
+-rw-r--r--. 1 root root    1675 Nov 25 09:27 metadata_20251125_092703.json
+-rw-r--r--. 1 root root    1675 Nov 25 09:27 metadata_latest.json
+-rw-r--r--. 1 ids  ids     2015 Nov 25 00:00 scaler.joblib
+-rw-r--r--. 1 root root    1047 Nov 24 18:55 scaler_20251124_185541.pkl
+-rw-r--r--. 1 root root    1047 Nov 24 18:59 scaler_20251124_185920.pkl
+-rw-r--r--. 1 root root    1047 Nov 24 19:21 scaler_20251124_192109.pkl
+-rw-r--r--. 1 root root    1047 Nov 24 19:21 scaler_20251124_192122.pkl
+-rw-r--r--. 1 ids  ids     1047 Nov 25 09:03 scaler_20251125_090356.pkl
+-rw-r--r--. 1 root root    1047 Nov 25 09:27 scaler_20251125_092703.pkl
+-rw-r--r--. 1 ids  ids     1047 Nov 25 12:00 scaler_20251125_120016.pkl
+-rw-r--r--. 1 ids  ids     1047 Nov 25 18:19 scaler_20251125_181945.pkl
+-rw-r--r--. 1 ids  ids     1047 Nov 25 18:27 scaler_20251125_182742.pkl
+-rw-r--r--. 1 ids  ids     1047 Nov 25 18:30 scaler_20251125_183049.pkl
+-rw-r--r--. 1 root root    1047 Nov 25 09:27 scaler_latest.pkl
+(venv) [root@ids python_ml]# tail -n 50 /var/log/ids/ml_backend.log
+[HYBRID] Selected features: 18/25
+[HYBRID] Mode: Hybrid (IF + Ensemble)
+[ML] ✓ Hybrid detector models loaded and ready
+🚀 Starting IDS API on http://0.0.0.0:8000
+📚 Docs available at http://0.0.0.0:8000/docs
+INFO:     Started server process [108413]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+ERROR:    [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
+INFO:     Waiting for application shutdown.
+INFO:     Application shutdown complete.
+[WARNING] Extended Isolation Forest not available, using standard IF
+[ML] Using Hybrid ML Detector (Extended Isolation Forest + Feature Selection)
+[HYBRID] Ensemble classifier loaded
+[HYBRID] Models loaded (version: latest)
+[HYBRID] Selected features: 18/25
+[HYBRID] Mode: Hybrid (IF + Ensemble)
+[ML] ✓ Hybrid detector models loaded and ready
+🚀 Starting IDS API on http://0.0.0.0:8000
+📚 Docs available at http://0.0.0.0:8000/docs
+INFO:     Started server process [108452]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+ERROR:    [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
+INFO:     Waiting for application shutdown.
+INFO:     Application shutdown complete.
+[WARNING] Extended Isolation Forest not available, using standard IF
+[ML] Using Hybrid ML Detector (Extended Isolation Forest + Feature Selection)
+[HYBRID] Ensemble classifier loaded
+[HYBRID] Models loaded (version: latest)
+[HYBRID] Selected features: 18/25
+[HYBRID] Mode: Hybrid (IF + Ensemble)
+[ML] ✓ Hybrid detector models loaded and ready
+🚀 Starting IDS API on http://0.0.0.0:8000
+📚 Docs available at http://0.0.0.0:8000/docs
+INFO:     Started server process [108530]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+ERROR:    [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
+INFO:     Waiting for application shutdown.
+INFO:     Application shutdown complete.
+[WARNING] Extended Isolation Forest not available, using standard IF
+[ML] Using Hybrid ML Detector (Extended Isolation Forest + Feature Selection)
+[HYBRID] Ensemble classifier loaded
+[HYBRID] Models loaded (version: latest)
+[HYBRID] Selected features: 18/25
+[HYBRID] Mode: Hybrid (IF + Ensemble)
+[ML] ✓ Hybrid detector models loaded and ready
+🚀 Starting IDS API on http://0.0.0.0:8000
+📚 Docs available at http://0.0.0.0:8000/docs
+(venv) [root@ids python_ml]#                      

attached_assets/Pasted-curl-X-POST-http-localhost-8000-detect-H-Content-Type-a_1767368587291.txt

@@ -0,0 +1,4 @@
+curl -X POST http://localhost:8000/detect \
+  -H "Content-Type: application/json" \
+  -d '{"max_records": 5000, "hours_back": 1, "risk_threshold": 80, "auto_block": true}'
+{"detections":[{"source_ip":"108.139.210.107","risk_score":98.55466848373413,"confidence_level":"high","action_recommendation":"auto_block","anomaly_type":"ddos","reason":"High connection rate: 403.7 conn/s","log_count":1211,"total_packets":1211,"total_bytes":2101702,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:54","confidence":95.0},{"source_ip":"216.58.209.54","risk_score":95.52801848493884,"confidence_level":"high","action_recommendation":"auto_block","anomaly_type":"brute_force","reason":"High connection rate: 184.7 conn/s","log_count":554,"total_packets":554,"total_bytes":782397,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:54","confidence":95.0},{"source_ip":"95.127.69.202","risk_score":93.58280514393482,"confidence_level":"medium","action_recommendation":"manual_review","anomaly_type":"brute_force","reason":"High connection rate: 93.7 conn/s","log_count":281,"total_packets":281,"total_bytes":369875,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:54","confidence":75.0},{"source_ip":"95.127.72.207","risk_score":92.50694363471318,"confidence_level":"medium","action_recommendation":"manual_review","anomaly_type":"brute_force","reason":"High connection rate: 76.3 conn/s","log_count":229,"total_packets":229,"total_bytes":293439,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:54","confidence":75.0},{"source_ip":"95.110.183.67","risk_score":86.42278405656512,"confidence_level":"medium","action_recommendation":"manual_review","anomaly_type":"brute_force","reason":"High connection rate: 153.0 conn/s","log_count":459,"total_packets":459,"total_bytes":20822,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:54","confidence":75.0},{"source_ip":"54.75.71.86","risk_score":83.42037059381207,"confidence_level":"medium","action_recommendation":"manual_review","anomaly_type":"brute_force","reason":"High connection rate: 58.0 conn/s","log_count":174,"total_packets":174,"total_bytes":25857,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:54","confidence":75.0},{"source_ip":"79.10.127.217","risk_score":82.32814469102843,"confidence_level":"medium","action_recommendation":"manual_review","anomaly_type":"brute_force","reason":"High connection rate: 70.0 conn/s","log_count":210,"total_packets":210,"total_bytes":18963,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:54","confidence":75.0},{"source_ip":"142.251.140.100","risk_score":76.61422108557721,"confidence_level":"medium","action_recommendation":"manual_review","anomaly_type":"botnet","reason":"Anomalous pattern detected (botnet)","log_count":16,"total_packets":16,"total_bytes":20056,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:53","confidence":75.0},{"source_ip":"142.250.181.161","risk_score":76.3802033958719,"confidence_level":"medium","action_recommendation":"manual_review","anomaly_type":"botnet","reason":"Anomalous pattern detected (botnet)","log_count":15,"total_packets":15,"total_bytes":5214,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:51","confidence":75.0},{"source_ip":"142.250.180.131","risk_score":72.7723405111559,"confidence_level":"medium","action_recommendation":"manual_review","anomaly_type":"suspicious","reason":"Anomalous pattern detected (suspicious)","log_count":8,"total_packets":8,"total_bytes":5320,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:53","confidence":75.0},{"source_ip":"157.240.231.60","risk_score":72.26853648050493,"confidence_level":"medium","action_recommendation":"manual_review","anomaly_type":"botnet","reason":"Anomalous pattern detected (botnet)","log_count":16,"total_packets":16,"total_bytes":4624,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:54","confidence":75.0}],"total":11,"blocked":0,"message":"Trovate 11 anomalie"}[root@ids python_ml]# 

attached_assets/Pasted-journalctl-u-ids-list-fetcher-n-50-no-pager-Jan-02-12-5_1767354943964.txt

@@ -0,0 +1,51 @@
+journalctl -u ids-list-fetcher -n 50 --no-pager
+Jan 02 12:50:02 ids.alfacom.it ids-list-fetcher[5900]: ============================================================
+Jan 02 12:50:02 ids.alfacom.it systemd[1]: ids-list-fetcher.service: Deactivated successfully.
+Jan 02 12:50:02 ids.alfacom.it systemd[1]: Finished IDS Public Lists Fetcher Service.
+Jan 02 12:54:56 ids.alfacom.it systemd[1]: Starting IDS Public Lists Fetcher Service...
+Jan 02 12:54:56 ids.alfacom.it ids-list-fetcher[6290]: ============================================================
+Jan 02 12:54:56 ids.alfacom.it ids-list-fetcher[6290]: [2026-01-02 12:54:56] PUBLIC LISTS SYNC
+Jan 02 12:54:56 ids.alfacom.it ids-list-fetcher[6290]: ============================================================
+Jan 02 12:54:56 ids.alfacom.it ids-list-fetcher[6290]: Found 2 enabled lists
+Jan 02 12:54:56 ids.alfacom.it ids-list-fetcher[6290]: [12:54:56] Downloading Spamhaus from https://www.spamhaus.org/drop/drop_v4.json...
+Jan 02 12:54:56 ids.alfacom.it ids-list-fetcher[6290]: [12:54:56] Downloading AWS from https://ip-ranges.amazonaws.com/ip-ranges.json...
+Jan 02 12:54:56 ids.alfacom.it ids-list-fetcher[6290]: [12:54:56] Parsing AWS...
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: [12:54:57] Found 9548 IPs, syncing to database...
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: [12:54:57] ✓ AWS: +0 -0 ~9511
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: [12:54:57] Parsing Spamhaus...
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: [12:54:57] Found 1468 IPs, syncing to database...
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: [12:54:57] ✗ Spamhaus: ON CONFLICT DO UPDATE command cannot affect row a second time
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: HINT:  Ensure that no rows proposed for insertion within the same command have duplicate constrained values.
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: ============================================================
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: SYNC SUMMARY
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: ============================================================
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: Success: 1/2
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: Errors:  1/2
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: Total IPs Added:   0
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: Total IPs Removed: 0
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: ============================================================
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: ============================================================
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: RUNNING MERGE LOGIC
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: ============================================================
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: ERROR:merge_logic:Failed to cleanup detections: operator does not exist: inet = text
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: LINE 9:                             d.source_ip::inet = wl.ip_inet
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]:                                                       ^
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: HINT:  No operator matches the given name and argument types. You might need to add explicit type casts.
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: ERROR:merge_logic:Failed to sync detections: operator does not exist: text <<= text
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: LINE 30:                             OR bl.ip_inet <<= wl.ip_inet
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]:                                                    ^
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: HINT:  No operator matches the given name and argument types. You might need to add explicit type casts.
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: Traceback (most recent call last):
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]:   File "/opt/ids/python_ml/merge_logic.py", line 264, in sync_public_blacklist_detections
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]:     cur.execute("""
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: psycopg2.errors.UndefinedFunction: operator does not exist: text <<= text
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: LINE 30:                             OR bl.ip_inet <<= wl.ip_inet
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]:                                                    ^
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: HINT:  No operator matches the given name and argument types. You might need to add explicit type casts.
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: Merge Logic Stats:
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]:   Created detections:          0
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]:   Cleaned invalid detections:  0
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]:   Skipped (whitelisted):       0
+Jan 02 12:54:57 ids.alfacom.it ids-list-fetcher[6290]: ============================================================
+Jan 02 12:54:57 ids.alfacom.it systemd[1]: ids-list-fetcher.service: Deactivated successfully.
+Jan 02 12:54:57 ids.alfacom.it systemd[1]: Finished IDS Public Lists Fetcher Service.

attached_assets/Pasted-journalctl-u-ids-list-fetcher-n-50-no-pager-Jan-02-16-1_1767366961971.txt

@@ -0,0 +1,51 @@
+journalctl -u ids-list-fetcher -n 50 --no-pager
+Jan 02 16:11:31 ids.alfacom.it ids-list-fetcher[10401]: HINT:  No operator matches the given name and argument types. You might need to add explicit type casts.
+Jan 02 16:11:31 ids.alfacom.it ids-list-fetcher[10401]: Merge Logic Stats:
+Jan 02 16:11:31 ids.alfacom.it ids-list-fetcher[10401]:   Created detections:          0
+Jan 02 16:11:31 ids.alfacom.it ids-list-fetcher[10401]:   Cleaned invalid detections:  0
+Jan 02 16:11:31 ids.alfacom.it ids-list-fetcher[10401]:   Skipped (whitelisted):       0
+Jan 02 16:11:31 ids.alfacom.it ids-list-fetcher[10401]: ============================================================
+Jan 02 16:11:31 ids.alfacom.it systemd[1]: ids-list-fetcher.service: Deactivated successfully.
+Jan 02 16:11:31 ids.alfacom.it systemd[1]: Finished IDS Public Lists Fetcher Service.
+Jan 02 16:15:04 ids.alfacom.it systemd[1]: Starting IDS Public Lists Fetcher Service...
+Jan 02 16:15:04 ids.alfacom.it ids-list-fetcher[10801]: ============================================================
+Jan 02 16:15:04 ids.alfacom.it ids-list-fetcher[10801]: [2026-01-02 16:15:04] PUBLIC LISTS SYNC
+Jan 02 16:15:04 ids.alfacom.it ids-list-fetcher[10801]: ============================================================
+Jan 02 16:15:04 ids.alfacom.it ids-list-fetcher[10801]: Found 2 enabled lists
+Jan 02 16:15:04 ids.alfacom.it ids-list-fetcher[10801]: [16:15:04] Downloading Spamhaus from https://www.spamhaus.org/drop/drop_v4.json...
+Jan 02 16:15:04 ids.alfacom.it ids-list-fetcher[10801]: [16:15:04] Downloading AWS from https://ip-ranges.amazonaws.com/ip-ranges.json...
+Jan 02 16:15:04 ids.alfacom.it ids-list-fetcher[10801]: [16:15:04] Parsing Spamhaus...
+Jan 02 16:15:04 ids.alfacom.it ids-list-fetcher[10801]: [16:15:04] Found 1468 IPs, syncing to database...
+Jan 02 16:15:04 ids.alfacom.it ids-list-fetcher[10801]: [16:15:04] ✓ Spamhaus: +0 -0 ~1468
+Jan 02 16:15:04 ids.alfacom.it ids-list-fetcher[10801]: [16:15:04] Parsing AWS...
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: [16:15:05] Found 9548 IPs, syncing to database...
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: [16:15:05] ✓ AWS: +9548 -0 ~0
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: ============================================================
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: SYNC SUMMARY
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: ============================================================
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: Success: 2/2
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: Errors:  0/2
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: Total IPs Added:   9548
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: Total IPs Removed: 0
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: ============================================================
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: ============================================================
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: RUNNING MERGE LOGIC
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: ============================================================
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: ERROR:merge_logic:Failed to sync detections: column "risk_score" is of type numeric but expression is of type text
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: LINE 13:                         '75',
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]:                                  ^
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: HINT:  You will need to rewrite or cast the expression.
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: Traceback (most recent call last):
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]:   File "/opt/ids/python_ml/merge_logic.py", line 264, in sync_public_blacklist_detections
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]:     cur.execute("""
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: psycopg2.errors.DatatypeMismatch: column "risk_score" is of type numeric but expression is of type text
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: LINE 13:                         '75',
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]:                                  ^
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: HINT:  You will need to rewrite or cast the expression.
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: Merge Logic Stats:
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]:   Created detections:          0
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]:   Cleaned invalid detections:  0
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]:   Skipped (whitelisted):       0
+Jan 02 16:15:05 ids.alfacom.it ids-list-fetcher[10801]: ============================================================
+Jan 02 16:15:05 ids.alfacom.it systemd[1]: ids-list-fetcher.service: Deactivated successfully.
+Jan 02 16:15:05 ids.alfacom.it systemd[1]: Finished IDS Public Lists Fetcher Service.

attached_assets/Pasted-netstat-tlnp-grep-8000-tcp-0-0-0-0-0-0-8000-0-0-0-0-LISTEN-1764092119907_1764092119907.txt

@@ -0,0 +1,82 @@
+netstat -tlnp | grep 8000
+tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      106309/python3.11
+(venv) [root@ids python_ml]# lsof -i :8000
+COMMAND      PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
+python3.1 106309  ids    7u  IPv4 805799      0t0  TCP *:irdmi (LISTEN)
+(venv) [root@ids python_ml]# kill -9 106309
+(venv) [root@ids python_ml]# lsof -i :8000
+(venv) [root@ids python_ml]# pkill -9 -f "python.*8000"
+(venv) [root@ids python_ml]# pkill -9 -f "python.*main.py"
+(venv) [root@ids python_ml]# sudo systemctl restart ids-ml-backend
+Job for ids-ml-backend.service failed because the control process exited with error code.
+See "systemctl status ids-ml-backend.service" and "journalctl -xeu ids-ml-backend.service" for details.
+(venv) [root@ids python_ml]# sudo systemctl status ids-ml-backend
+× ids-ml-backend.service - IDS ML Backend (FastAPI)
+     Loaded: loaded (/etc/systemd/system/ids-ml-backend.service; enabled; preset: disabled)
+     Active: failed (Result: exit-code) since Tue 2025-11-25 18:31:08 CET; 3min 37s ago
+   Duration: 2.490s
+    Process: 108530 ExecStart=/opt/ids/python_ml/venv/bin/python3 main.py (code=exited, status=1/FAILURE)
+   Main PID: 108530 (code=exited, status=1/FAILURE)
+        CPU: 3.987s
+
+Nov 25 18:31:08 ids.alfacom.it systemd[1]: ids-ml-backend.service: Scheduled restart job, restart counter is at 5.
+Nov 25 18:31:08 ids.alfacom.it systemd[1]: Stopped IDS ML Backend (FastAPI).
+Nov 25 18:31:08 ids.alfacom.it systemd[1]: ids-ml-backend.service: Consumed 3.987s CPU time.
+Nov 25 18:31:08 ids.alfacom.it systemd[1]: ids-ml-backend.service: Start request repeated too quickly.
+Nov 25 18:31:08 ids.alfacom.it systemd[1]: ids-ml-backend.service: Failed with result 'exit-code'.
+Nov 25 18:31:08 ids.alfacom.it systemd[1]: Failed to start IDS ML Backend (FastAPI).
+Nov 25 18:34:35 ids.alfacom.it systemd[1]: ids-ml-backend.service: Start request repeated too quickly.
+Nov 25 18:34:35 ids.alfacom.it systemd[1]: ids-ml-backend.service: Failed with result 'exit-code'.
+Nov 25 18:34:35 ids.alfacom.it systemd[1]: Failed to start IDS ML Backend (FastAPI).
+(venv) [root@ids python_ml]# tail -n 50 /var/log/ids/ml_backend.log
+[HYBRID] Selected features: 18/25
+[HYBRID] Mode: Hybrid (IF + Ensemble)
+[ML] ✓ Hybrid detector models loaded and ready
+🚀 Starting IDS API on http://0.0.0.0:8000
+📚 Docs available at http://0.0.0.0:8000/docs
+INFO:     Started server process [108413]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+ERROR:    [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
+INFO:     Waiting for application shutdown.
+INFO:     Application shutdown complete.
+[WARNING] Extended Isolation Forest not available, using standard IF
+[ML] Using Hybrid ML Detector (Extended Isolation Forest + Feature Selection)
+[HYBRID] Ensemble classifier loaded
+[HYBRID] Models loaded (version: latest)
+[HYBRID] Selected features: 18/25
+[HYBRID] Mode: Hybrid (IF + Ensemble)
+[ML] ✓ Hybrid detector models loaded and ready
+🚀 Starting IDS API on http://0.0.0.0:8000
+📚 Docs available at http://0.0.0.0:8000/docs
+INFO:     Started server process [108452]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+ERROR:    [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
+INFO:     Waiting for application shutdown.
+INFO:     Application shutdown complete.
+[WARNING] Extended Isolation Forest not available, using standard IF
+[ML] Using Hybrid ML Detector (Extended Isolation Forest + Feature Selection)
+[HYBRID] Ensemble classifier loaded
+[HYBRID] Models loaded (version: latest)
+[HYBRID] Selected features: 18/25
+[HYBRID] Mode: Hybrid (IF + Ensemble)
+[ML] ✓ Hybrid detector models loaded and ready
+🚀 Starting IDS API on http://0.0.0.0:8000
+📚 Docs available at http://0.0.0.0:8000/docs
+INFO:     Started server process [108530]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+ERROR:    [Errno 98] error while attempting to bind on address ('0.0.0.0', 8000): address already in use
+INFO:     Waiting for application shutdown.
+INFO:     Application shutdown complete.
+[WARNING] Extended Isolation Forest not available, using standard IF
+[ML] Using Hybrid ML Detector (Extended Isolation Forest + Feature Selection)
+[HYBRID] Ensemble classifier loaded
+[HYBRID] Models loaded (version: latest)
+[HYBRID] Selected features: 18/25
+[HYBRID] Mode: Hybrid (IF + Ensemble)
+[ML] ✓ Hybrid detector models loaded and ready
+🚀 Starting IDS API on http://0.0.0.0:8000
+📚 Docs available at http://0.0.0.0:8000/docs
+(venv) [root@ids python_ml]#                                       

attached_assets/Pasted-ournalctl-u-ids-list-fetcher-n-50-no-pager-Jan-02-12-30_1767354386554.txt

@@ -0,0 +1,51 @@
+ournalctl -u ids-list-fetcher -n 50 --no-pager
+Jan 02 12:30:01 ids.alfacom.it ids-list-fetcher[5571]:   Cleaned invalid detections:  0
+Jan 02 12:30:01 ids.alfacom.it ids-list-fetcher[5571]:   Skipped (whitelisted):       0
+Jan 02 12:30:01 ids.alfacom.it ids-list-fetcher[5571]: ============================================================
+Jan 02 12:30:01 ids.alfacom.it systemd[1]: ids-list-fetcher.service: Deactivated successfully.
+Jan 02 12:30:01 ids.alfacom.it systemd[1]: Finished IDS Public Lists Fetcher Service.
+Jan 02 12:40:01 ids.alfacom.it systemd[1]: Starting IDS Public Lists Fetcher Service...
+Jan 02 12:40:01 ids.alfacom.it ids-list-fetcher[5730]: ============================================================
+Jan 02 12:40:01 ids.alfacom.it ids-list-fetcher[5730]: [2026-01-02 12:40:01] PUBLIC LISTS SYNC
+Jan 02 12:40:01 ids.alfacom.it ids-list-fetcher[5730]: ============================================================
+Jan 02 12:40:01 ids.alfacom.it ids-list-fetcher[5730]: Found 2 enabled lists
+Jan 02 12:40:01 ids.alfacom.it ids-list-fetcher[5730]: [12:40:01] Downloading Spamhaus from https://www.spamhaus.org/drop/drop_v4.json...
+Jan 02 12:40:01 ids.alfacom.it ids-list-fetcher[5730]: [12:40:01] Downloading AWS from https://ip-ranges.amazonaws.com/ip-ranges.json...
+Jan 02 12:40:01 ids.alfacom.it ids-list-fetcher[5730]: [12:40:01] Parsing AWS...
+Jan 02 12:40:01 ids.alfacom.it ids-list-fetcher[5730]: [12:40:01] Found 9548 IPs, syncing to database...
+Jan 02 12:40:02 ids.alfacom.it ids-list-fetcher[5730]: [12:40:02] ✓ AWS: +9511 -0 ~0
+Jan 02 12:40:02 ids.alfacom.it ids-list-fetcher[5730]: [12:40:02] Parsing Spamhaus...
+Jan 02 12:40:02 ids.alfacom.it ids-list-fetcher[5730]: [12:40:02] ✗ Spamhaus: No valid IPs found in list
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: ============================================================
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: SYNC SUMMARY
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: ============================================================
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: Success: 1/2
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: Errors:  1/2
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: Total IPs Added:   9511
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: Total IPs Removed: 0
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: ============================================================
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: ============================================================
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: RUNNING MERGE LOGIC
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: ============================================================
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: ERROR:merge_logic:Failed to cleanup detections: operator does not exist: inet = text
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: LINE 9:                             d.source_ip::inet = wl.ip_inet
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]:                                                       ^
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: HINT:  No operator matches the given name and argument types. You might need to add explicit type casts.
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: ERROR:merge_logic:Failed to sync detections: operator does not exist: text <<= text
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: LINE 30:                             OR bl.ip_inet <<= wl.ip_inet
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]:                                                    ^
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: HINT:  No operator matches the given name and argument types. You might need to add explicit type casts.
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: Traceback (most recent call last):
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]:   File "/opt/ids/python_ml/merge_logic.py", line 264, in sync_public_blacklist_detections
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]:     cur.execute("""
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: psycopg2.errors.UndefinedFunction: operator does not exist: text <<= text
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: LINE 30:                             OR bl.ip_inet <<= wl.ip_inet
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]:                                                    ^
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: HINT:  No operator matches the given name and argument types. You might need to add explicit type casts.
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: Merge Logic Stats:
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]:   Created detections:          0
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]:   Cleaned invalid detections:  0
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]:   Skipped (whitelisted):       0
+Jan 02 12:40:03 ids.alfacom.it ids-list-fetcher[5730]: ============================================================
+Jan 02 12:40:03 ids.alfacom.it systemd[1]: ids-list-fetcher.service: Deactivated successfully.
+Jan 02 12:40:03 ids.alfacom.it systemd[1]: Finished IDS Public Lists Fetcher Service.

attached_assets/Pasted-python-train-hybrid-py-test-WARNING-Extended-Isolation-Forest-not-available-using-standard-IF--1764006677142_1764006677142.txt

@@ -0,0 +1,54 @@
+python train_hybrid.py --test
+[WARNING] Extended Isolation Forest not available, using standard IF
+
+======================================================================
+  IDS HYBRID ML TEST - SYNTHETIC DATA
+======================================================================
+INFO:dataset_loader:Creating sample dataset (10000 samples)...
+INFO:dataset_loader:Sample dataset created: 10000 rows
+INFO:dataset_loader:Attack distribution:
+attack_type
+normal         8981
+brute_force     273
+suspicious      258
+ddos            257
+port_scan       231
+Name: count, dtype: int64
+
+[TEST] Created synthetic dataset: 10000 samples
+  Normal:  8,981 (89.8%)
+  Attacks: 1,019 (10.2%)
+
+[TEST] Training on 6,281 normal samples...
+[HYBRID] Training hybrid model on 6281 logs...
+
+❌ Error: 'timestamp'
+Traceback (most recent call last):
+  File "/opt/ids/python_ml/venv/lib64/python3.11/site-packages/pandas/core/indexes/base.py", line 3790, in get_loc
+    return self._engine.get_loc(casted_key)
+           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "index.pyx", line 152, in pandas._libs.index.IndexEngine.get_loc
+  File "index.pyx", line 181, in pandas._libs.index.IndexEngine.get_loc
+  File "pandas/_libs/hashtable_class_helper.pxi", line 7080, in pandas._libs.hashtable.PyObjectHashTable.get_item
+  File "pandas/_libs/hashtable_class_helper.pxi", line 7088, in pandas._libs.hashtable.PyObjectHashTable.get_item
+KeyError: 'timestamp'
+
+The above exception was the direct cause of the following exception:
+
+Traceback (most recent call last):
+  File "/opt/ids/python_ml/train_hybrid.py", line 361, in main
+    test_on_synthetic(args)
+  File "/opt/ids/python_ml/train_hybrid.py", line 249, in test_on_synthetic
+    detector.train_unsupervised(normal_train)
+  File "/opt/ids/python_ml/ml_hybrid_detector.py", line 204, in train_unsupervised
+    features_df = self.extract_features(logs_df)
+                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/opt/ids/python_ml/ml_hybrid_detector.py", line 98, in extract_features
+    logs_df['timestamp'] = pd.to_datetime(logs_df['timestamp'])
+                                          ~~~~~~~^^^^^^^^^^^^^
+  File "/opt/ids/python_ml/venv/lib64/python3.11/site-packages/pandas/core/frame.py", line 3893, in __getitem__
+    indexer = self.columns.get_loc(key)
+              ^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/opt/ids/python_ml/venv/lib64/python3.11/site-packages/pandas/core/indexes/base.py", line 3797, in get_loc
+    raise KeyError(key) from err
+KeyError: 'timestamp'

attached_assets/content-1763806072472.md

@@ -0,0 +1 @@
+No markdown content returned

attached_assets/content-1763806125175.md

@@ -0,0 +1 @@
+No markdown content returned

attached_assets/content-1763806129536.md

@@ -0,0 +1 @@
+No markdown content returned

client/src/App.tsx

@@ -4,11 +4,14 @@ import { QueryClientProvider } from "@tanstack/react-query";
 import { Toaster } from "@/components/ui/toaster";
 import { TooltipProvider } from "@/components/ui/tooltip";
 import { SidebarProvider, Sidebar, SidebarContent, SidebarGroup, SidebarGroupContent, SidebarGroupLabel, SidebarMenu, SidebarMenuButton, SidebarMenuItem, SidebarTrigger } from "@/components/ui/sidebar";
-import { LayoutDashboard, AlertTriangle, Server, Shield, Brain, Menu, Activity } from "lucide-react";
+import { LayoutDashboard, AlertTriangle, Server, Shield, Brain, Menu, Activity, BarChart3, TrendingUp, List } from "lucide-react";
 import Dashboard from "@/pages/Dashboard";
 import Detections from "@/pages/Detections";
+import DashboardLive from "@/pages/DashboardLive";
+import AnalyticsHistory from "@/pages/AnalyticsHistory";
 import Routers from "@/pages/Routers";
 import Whitelist from "@/pages/Whitelist";
+import PublicLists from "@/pages/PublicLists";
 import Training from "@/pages/Training";
 import Services from "@/pages/Services";
 import NotFound from "@/pages/not-found";
@@ -16,10 +19,13 @@ import NotFound from "@/pages/not-found";
 const menuItems = [
   { title: "Dashboard", url: "/", icon: LayoutDashboard },
   { title: "Rilevamenti", url: "/detections", icon: AlertTriangle },
+  { title: "Dashboard Live", url: "/dashboard-live", icon: Activity },
+  { title: "Analytics Storici", url: "/analytics", icon: BarChart3 },
   { title: "Training ML", url: "/training", icon: Brain },
   { title: "Router", url: "/routers", icon: Server },
   { title: "Whitelist", url: "/whitelist", icon: Shield },
-  { title: "Servizi", url: "/services", icon: Activity },
+  { title: "Liste Pubbliche", url: "/public-lists", icon: List },
+  { title: "Servizi", url: "/services", icon: TrendingUp },
 ];
 
 function AppSidebar() {
@@ -53,9 +59,12 @@ function Router() {
     <Switch>
       <Route path="/" component={Dashboard} />
       <Route path="/detections" component={Detections} />
+      <Route path="/dashboard-live" component={DashboardLive} />
+      <Route path="/analytics" component={AnalyticsHistory} />
       <Route path="/training" component={Training} />
       <Route path="/routers" component={Routers} />
       <Route path="/whitelist" component={Whitelist} />
+      <Route path="/public-lists" component={PublicLists} />
       <Route path="/services" component={Services} />
       <Route component={NotFound} />
     </Switch>

client/src/lib/country-flags.ts

@@ -0,0 +1,62 @@
+/**
+ * Country Flags Utilities
+ * Converte country code in flag emoji
+ */
+
+/**
+ * Converte country code ISO 3166-1 alpha-2 in flag emoji
+ * Es: "IT" => "🇮🇹", "US" => "🇺🇸"
+ */
+export function getFlagEmoji(countryCode: string | null | undefined): string {
+  if (!countryCode || countryCode.length !== 2) {
+    return '🏳️'; // Flag bianca per unknown
+  }
+  
+  const codePoints = countryCode
+    .toUpperCase()
+    .split('')
+    .map(char => 127397 + char.charCodeAt(0));
+  
+  return String.fromCodePoint(...codePoints);
+}
+
+/**
+ * Mappa nomi paesi comuni (fallback se API non ritorna country code)
+ */
+export const COUNTRY_CODE_MAP: Record<string, string> = {
+  'Italy': 'IT',
+  'United States': 'US',
+  'Russia': 'RU',
+  'China': 'CN',
+  'Germany': 'DE',
+  'France': 'FR',
+  'United Kingdom': 'GB',
+  'Spain': 'ES',
+  'Brazil': 'BR',
+  'Japan': 'JP',
+  'India': 'IN',
+  'Canada': 'CA',
+  'Australia': 'AU',
+  'Netherlands': 'NL',
+  'Switzerland': 'CH',
+  'Sweden': 'SE',
+  'Poland': 'PL',
+  'Ukraine': 'UA',
+  'Romania': 'RO',
+  'Belgium': 'BE',
+};
+
+/**
+ * Ottieni flag da nome paese o country code
+ */
+export function getFlag(country: string | null | undefined, countryCode?: string | null): string {
+  if (countryCode) {
+    return getFlagEmoji(countryCode);
+  }
+  
+  if (country && COUNTRY_CODE_MAP[country]) {
+    return getFlagEmoji(COUNTRY_CODE_MAP[country]);
+  }
+  
+  return '🏳️';
+}

client/src/pages/AnalyticsHistory.tsx

@@ -0,0 +1,320 @@
+import { useQuery } from "@tanstack/react-query";
+import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card";
+import { Badge } from "@/components/ui/badge";
+import { Button } from "@/components/ui/button";
+import {  
+  LineChart, Line, BarChart, Bar, AreaChart, Area,
+  XAxis, YAxis, CartesianGrid, Tooltip, Legend, ResponsiveContainer
+} from "recharts";
+import { Calendar, TrendingUp, BarChart3, Globe, Download } from "lucide-react";
+import type { NetworkAnalytics } from "@shared/schema";
+import { format, parseISO } from "date-fns";
+import { useState } from "react";
+
+export default function AnalyticsHistory() {
+  const [days, setDays] = useState(30);
+  
+  // Fetch historical analytics (hourly aggregations)
+  const { data: analytics = [], isLoading } = useQuery<NetworkAnalytics[]>({
+    queryKey: [`/api/analytics/recent?days=${days}&hourly=true`],
+    refetchInterval: 60000, // Aggiorna ogni minuto
+  });
+
+  // Prepara dati per grafici
+  const trendData = analytics
+    .map(a => {
+      // Parse JSON fields safely
+      let attacksByCountry = {};
+      let attacksByType = {};
+      
+      try {
+        attacksByCountry = a.attacksByCountry ? JSON.parse(a.attacksByCountry) : {};
+      } catch {}
+      
+      try {
+        attacksByType = a.attacksByType ? JSON.parse(a.attacksByType) : {};
+      } catch {}
+      
+      return {
+        date: format(new Date(a.date), "dd/MM HH:mm"),
+        fullDate: a.date,
+        totalPackets: a.totalPackets || 0,
+        normalPackets: a.normalPackets || 0,
+        attackPackets: a.attackPackets || 0,
+        attackPercentage: a.totalPackets > 0 
+          ? ((a.attackPackets || 0) / a.totalPackets * 100).toFixed(1) 
+          : "0",
+        uniqueIps: a.uniqueIps || 0,
+        attackUniqueIps: a.attackUniqueIps || 0,
+      };
+    })
+    .sort((a, b) => new Date(a.fullDate).getTime() - new Date(b.fullDate).getTime());
+
+  // Aggrega dati per paese (da tutti i giorni)
+  const countryAggregation: Record<string, number> = {};
+  analytics.forEach(a => {
+    if (a.attacksByCountry) {
+      try {
+        const countries = JSON.parse(a.attacksByCountry);
+        if (countries && typeof countries === 'object') {
+          Object.entries(countries).forEach(([country, count]) => {
+            if (typeof count === 'number') {
+              countryAggregation[country] = (countryAggregation[country] || 0) + count;
+            }
+          });
+        }
+      } catch (e) {
+        console.warn('Failed to parse attacksByCountry:', e);
+      }
+    }
+  });
+
+  const topCountries = Object.entries(countryAggregation)
+    .map(([name, attacks]) => ({ name, attacks }))
+    .sort((a, b) => b.attacks - a.attacks)
+    .slice(0, 10);
+
+  // Calcola metriche totali
+  const totalTraffic = analytics.reduce((sum, a) => sum + (a.totalPackets || 0), 0);
+  const totalAttacks = analytics.reduce((sum, a) => sum + (a.attackPackets || 0), 0);
+  const totalNormal = analytics.reduce((sum, a) => sum + (a.normalPackets || 0), 0);
+  const avgAttackRate = totalTraffic > 0 ? ((totalAttacks / totalTraffic) * 100).toFixed(2) : "0";
+
+  return (
+    <div className="flex flex-col gap-6 p-6" data-testid="page-analytics-history">
+      {/* Header */}
+      <div className="flex items-center justify-between">
+        <div>
+          <h1 className="text-3xl font-semibold flex items-center gap-2" data-testid="text-page-title">
+            <BarChart3 className="h-8 w-8" />
+            Analytics Storici
+          </h1>
+          <p className="text-muted-foreground" data-testid="text-page-subtitle">
+            Statistiche permanenti per analisi long-term
+          </p>
+        </div>
+        
+        {/* Time Range Selector */}
+        <div className="flex items-center gap-2">
+          <Button
+            variant={days === 7 ? "default" : "outline"}
+            size="sm"
+            onClick={() => setDays(7)}
+            data-testid="button-7days"
+          >
+            7 Giorni
+          </Button>
+          <Button
+            variant={days === 30 ? "default" : "outline"}
+            size="sm"
+            onClick={() => setDays(30)}
+            data-testid="button-30days"
+          >
+            30 Giorni
+          </Button>
+          <Button
+            variant={days === 90 ? "default" : "outline"}
+            size="sm"
+            onClick={() => setDays(90)}
+            data-testid="button-90days"
+          >
+            90 Giorni
+          </Button>
+        </div>
+      </div>
+
+      {isLoading && (
+        <div className="text-center py-8" data-testid="text-loading">
+          Caricamento dati storici...
+        </div>
+      )}
+
+      {!isLoading && analytics.length === 0 && (
+        <Card>
+          <CardContent className="py-12 text-center text-muted-foreground">
+            <Calendar className="h-12 w-12 mx-auto mb-4 opacity-50" />
+            <p>Nessun dato storico disponibile</p>
+            <p className="text-sm mt-2">
+              I dati verranno aggregati automaticamente ogni ora dal sistema
+            </p>
+          </CardContent>
+        </Card>
+      )}
+
+      {!isLoading && analytics.length > 0 && (
+        <>
+          {/* Summary KPIs */}
+          <div className="grid grid-cols-1 md:grid-cols-4 gap-4">
+            <Card data-testid="card-total-summary">
+              <CardHeader className="pb-2">
+                <CardTitle className="text-sm font-medium text-muted-foreground">
+                  Traffico Totale ({days}g)
+                </CardTitle>
+              </CardHeader>
+              <CardContent>
+                <div className="text-2xl font-bold" data-testid="text-total-summary">
+                  {totalTraffic.toLocaleString()}
+                </div>
+                <p className="text-xs text-muted-foreground mt-1">pacchetti</p>
+              </CardContent>
+            </Card>
+
+            <Card data-testid="card-normal-summary">
+              <CardHeader className="pb-2">
+                <CardTitle className="text-sm font-medium text-muted-foreground">
+                  Traffico Normale
+                </CardTitle>
+              </CardHeader>
+              <CardContent>
+                <div className="text-2xl font-bold text-green-600" data-testid="text-normal-summary">
+                  {totalNormal.toLocaleString()}
+                </div>
+                <p className="text-xs text-muted-foreground mt-1">
+                  {(100 - parseFloat(avgAttackRate)).toFixed(1)}% del totale
+                </p>
+              </CardContent>
+            </Card>
+
+            <Card data-testid="card-attacks-summary">
+              <CardHeader className="pb-2">
+                <CardTitle className="text-sm font-medium text-muted-foreground">
+                  Attacchi Totali
+                </CardTitle>
+              </CardHeader>
+              <CardContent>
+                <div className="text-2xl font-bold text-red-600" data-testid="text-attacks-summary">
+                  {totalAttacks.toLocaleString()}
+                </div>
+                <p className="text-xs text-muted-foreground mt-1">
+                  {avgAttackRate}% del traffico
+                </p>
+              </CardContent>
+            </Card>
+
+            <Card data-testid="card-avg-daily">
+              <CardHeader className="pb-2">
+                <CardTitle className="text-sm font-medium text-muted-foreground">
+                  Media Giornaliera
+                </CardTitle>
+              </CardHeader>
+              <CardContent>
+                <div className="text-2xl font-bold" data-testid="text-avg-daily">
+                  {Math.round(totalTraffic / analytics.length).toLocaleString()}
+                </div>
+                <p className="text-xs text-muted-foreground mt-1">pacchetti/giorno</p>
+              </CardContent>
+            </Card>
+          </div>
+
+          {/* Trend Line Chart */}
+          <Card data-testid="card-trend">
+            <CardHeader>
+              <CardTitle className="flex items-center gap-2">
+                <TrendingUp className="h-5 w-5" />
+                Trend Traffico (Normale + Attacchi)
+              </CardTitle>
+            </CardHeader>
+            <CardContent>
+              <ResponsiveContainer width="100%" height={400}>
+                <AreaChart data={trendData}>
+                  <CartesianGrid strokeDasharray="3 3" />
+                  <XAxis dataKey="date" />
+                  <YAxis />
+                  <Tooltip />
+                  <Legend />
+                  <Area
+                    type="monotone"
+                    dataKey="normalPackets"
+                    stackId="1"
+                    stroke="#22c55e"
+                    fill="#22c55e"
+                    name="Normale"
+                  />
+                  <Area
+                    type="monotone"
+                    dataKey="attackPackets"
+                    stackId="1"
+                    stroke="#ef4444"
+                    fill="#ef4444"
+                    name="Attacchi"
+                  />
+                </AreaChart>
+              </ResponsiveContainer>
+            </CardContent>
+          </Card>
+
+          {/* Attack Rate Trend */}
+          <Card data-testid="card-attack-rate">
+            <CardHeader>
+              <CardTitle>Percentuale Attacchi nel Tempo</CardTitle>
+            </CardHeader>
+            <CardContent>
+              <ResponsiveContainer width="100%" height={300}>
+                <LineChart data={trendData}>
+                  <CartesianGrid strokeDasharray="3 3" />
+                  <XAxis dataKey="date" />
+                  <YAxis />
+                  <Tooltip />
+                  <Legend />
+                  <Line
+                    type="monotone"
+                    dataKey="attackPercentage"
+                    stroke="#ef4444"
+                    name="% Attacchi"
+                    strokeWidth={2}
+                  />
+                </LineChart>
+              </ResponsiveContainer>
+            </CardContent>
+          </Card>
+
+          {/* Top Countries (Historical) */}
+          <Card data-testid="card-top-countries">
+            <CardHeader>
+              <CardTitle className="flex items-center gap-2">
+                <Globe className="h-5 w-5" />
+                Top 10 Paesi Attaccanti (Storico)
+              </CardTitle>
+            </CardHeader>
+            <CardContent>
+              {topCountries.length > 0 ? (
+                <ResponsiveContainer width="100%" height={400}>
+                  <BarChart data={topCountries} layout="vertical">
+                    <CartesianGrid strokeDasharray="3 3" />
+                    <XAxis type="number" />
+                    <YAxis dataKey="name" type="category" width={100} />
+                    <Tooltip />
+                    <Legend />
+                    <Bar dataKey="attacks" fill="#ef4444" name="Attacchi Totali" />
+                  </BarChart>
+                </ResponsiveContainer>
+              ) : (
+                <div className="text-center py-20 text-muted-foreground">
+                  Nessun dato disponibile
+                </div>
+              )}
+            </CardContent>
+          </Card>
+
+          {/* Export Button (Placeholder) */}
+          <Card data-testid="card-export">
+            <CardContent className="pt-6">
+              <div className="flex items-center justify-between">
+                <div>
+                  <h3 className="font-semibold">Export Report</h3>
+                  <p className="text-sm text-muted-foreground">
+                    Esporta i dati in formato CSV per analisi esterne
+                  </p>
+                </div>
+                <Button variant="outline" data-testid="button-export">
+                  <Download className="h-4 w-4 mr-2" />
+                  Esporta CSV
+                </Button>
+              </div>
+            </CardContent>
+          </Card>
+        </>
+      )}
+    </div>
+  );
+}

client/src/pages/Dashboard.tsx

@@ -27,6 +27,7 @@ interface ServicesStatusResponse {
     mlBackend: ServiceStatus;
     database: ServiceStatus;
     syslogParser: ServiceStatus;
+    analyticsAggregator: ServiceStatus;
   };
 }
 
@@ -37,7 +38,7 @@ export default function Dashboard() {
   });
 
   const { data: recentDetections } = useQuery<Detection[]>({
-    queryKey: ["/api/detections"],
+    queryKey: ["/api/detections?limit=100"],
     refetchInterval: 5000, // Refresh every 5s
   });
 

client/src/pages/DashboardLive.tsx

@@ -0,0 +1,296 @@
+import { useQuery } from "@tanstack/react-query";
+import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card";
+import { Badge } from "@/components/ui/badge";
+import { Activity, Globe, Shield, TrendingUp, AlertTriangle } from "lucide-react";
+import { AreaChart, Area, BarChart, Bar, PieChart, Pie, Cell, XAxis, YAxis, CartesianGrid, Tooltip, Legend, ResponsiveContainer } from "recharts";
+import type { Detection, NetworkLog } from "@shared/schema";
+import { getFlag } from "@/lib/country-flags";
+import { format } from "date-fns";
+
+interface DashboardStats {
+  totalPackets: number;
+  attackPackets: number;
+  normalPackets: number;
+  uniqueIps: number;
+  attackUniqueIps: number;
+  attacksByCountry: Record<string, number>;
+  attacksByType: Record<string, number>;
+  recentDetections: Detection[];
+}
+
+export default function DashboardLive() {
+  // Fetch aggregated stats from analytics (ultimi 72h = 3 giorni)
+  const { data: stats, isLoading } = useQuery<DashboardStats>({
+    queryKey: ["/api/dashboard/live?hours=72"],
+    refetchInterval: 10000, // Aggiorna ogni 10s
+  });
+
+  // Usa dati aggregati precisi
+  const totalTraffic = stats?.totalPackets || 0;
+  const totalAttacks = stats?.attackPackets || 0;
+  const normalTraffic = stats?.normalPackets || 0;
+  const attackPercentage = totalTraffic > 0 ? ((totalAttacks / totalTraffic) * 100).toFixed(2) : "0";
+  
+  const detections = stats?.recentDetections || [];
+  const blockedAttacks = detections.filter(d => d.blocked).length;
+
+  // Usa dati aggregati già calcolati dal backend
+  const attacksByCountry = stats?.attacksByCountry || {};
+  const attacksByType = stats?.attacksByType || {};
+
+  const countryChartData = Object.entries(attacksByCountry)
+    .map(([name, attacks]) => ({
+      name: `${getFlag(name, name.substring(0, 2))} ${name}`,
+      attacks,
+      normal: 0,
+    }))
+    .sort((a, b) => b.attacks - a.attacks)
+    .slice(0, 10);
+
+  const typeChartData = Object.entries(attacksByType).map(([name, value]) => ({
+    name: name.replace('_', ' ').toUpperCase(),
+    value,
+  }));
+
+  // Traffico normale vs attacchi (gauge data)
+  const trafficDistribution = [
+    { name: 'Normal', value: normalTraffic, color: '#22c55e' },
+    { name: 'Attacks', value: totalAttacks, color: '#ef4444' },
+  ];
+
+  // Ultimi eventi (stream)
+  const recentEvents = [...detections]
+    .sort((a, b) => new Date(b.detectedAt).getTime() - new Date(a.detectedAt).getTime())
+    .slice(0, 20);
+
+  const COLORS = ['#ef4444', '#f97316', '#f59e0b', '#eab308', '#84cc16'];
+
+  return (
+    <div className="flex flex-col gap-6 p-6" data-testid="page-dashboard-live">
+      {/* Header */}
+      <div>
+        <h1 className="text-3xl font-semibold flex items-center gap-2" data-testid="text-page-title">
+          <Activity className="h-8 w-8" />
+          Dashboard Live
+        </h1>
+        <p className="text-muted-foreground" data-testid="text-page-subtitle">
+          Monitoraggio real-time (ultimi 3 giorni)
+        </p>
+      </div>
+
+      {isLoading && (
+        <div className="text-center py-8" data-testid="text-loading">
+          Caricamento dati...
+        </div>
+      )}
+
+      {!isLoading && (
+        <>
+          {/* KPI Cards */}
+          <div className="grid grid-cols-1 md:grid-cols-4 gap-4">
+            <Card data-testid="card-total-traffic">
+              <CardHeader className="pb-2">
+                <CardTitle className="text-sm font-medium text-muted-foreground">
+                  Traffico Totale
+                </CardTitle>
+              </CardHeader>
+              <CardContent>
+                <div className="text-3xl font-bold" data-testid="text-total-traffic">
+                  {totalTraffic.toLocaleString()}
+                </div>
+                <p className="text-xs text-muted-foreground mt-1">pacchetti</p>
+              </CardContent>
+            </Card>
+
+            <Card data-testid="card-normal-traffic">
+              <CardHeader className="pb-2">
+                <CardTitle className="text-sm font-medium text-muted-foreground">
+                  Traffico Normale
+                </CardTitle>
+              </CardHeader>
+              <CardContent>
+                <div className="text-3xl font-bold text-green-600" data-testid="text-normal-traffic">
+                  {normalTraffic.toLocaleString()}
+                </div>
+                <p className="text-xs text-muted-foreground mt-1">
+                  {(100 - parseFloat(attackPercentage)).toFixed(1)}% del totale
+                </p>
+              </CardContent>
+            </Card>
+
+            <Card data-testid="card-attacks">
+              <CardHeader className="pb-2">
+                <CardTitle className="text-sm font-medium text-muted-foreground">
+                  Attacchi Rilevati
+                </CardTitle>
+              </CardHeader>
+              <CardContent>
+                <div className="text-3xl font-bold text-red-600" data-testid="text-attacks">
+                  {totalAttacks}
+                </div>
+                <p className="text-xs text-muted-foreground mt-1">
+                  {attackPercentage}% del traffico
+                </p>
+              </CardContent>
+            </Card>
+
+            <Card data-testid="card-blocked">
+              <CardHeader className="pb-2">
+                <CardTitle className="text-sm font-medium text-muted-foreground">
+                  IP Bloccati
+                </CardTitle>
+              </CardHeader>
+              <CardContent>
+                <div className="text-3xl font-bold text-orange-600" data-testid="text-blocked">
+                  {blockedAttacks}
+                </div>
+                <p className="text-xs text-muted-foreground mt-1">
+                  {totalAttacks > 0 ? ((blockedAttacks / totalAttacks) * 100).toFixed(1) : 0}% degli attacchi
+                </p>
+              </CardContent>
+            </Card>
+          </div>
+
+          {/* Charts Row 1 */}
+          <div className="grid grid-cols-1 lg:grid-cols-2 gap-6">
+            {/* Traffic Distribution (Pie) */}
+            <Card data-testid="card-distribution">
+              <CardHeader>
+                <CardTitle className="flex items-center gap-2">
+                  <TrendingUp className="h-5 w-5" />
+                  Distribuzione Traffico
+                </CardTitle>
+              </CardHeader>
+              <CardContent>
+                <ResponsiveContainer width="100%" height={300}>
+                  <PieChart>
+                    <Pie
+                      data={trafficDistribution}
+                      cx="50%"
+                      cy="50%"
+                      labelLine={false}
+                      label={(entry) => `${entry.name}: ${entry.value}`}
+                      outerRadius={100}
+                      fill="#8884d8"
+                      dataKey="value"
+                    >
+                      {trafficDistribution.map((entry, index) => (
+                        <Cell key={`cell-${index}`} fill={entry.color} />
+                      ))}
+                    </Pie>
+                    <Tooltip />
+                    <Legend />
+                  </PieChart>
+                </ResponsiveContainer>
+              </CardContent>
+            </Card>
+
+            {/* Attacks by Type (Pie) */}
+            <Card data-testid="card-attack-types">
+              <CardHeader>
+                <CardTitle className="flex items-center gap-2">
+                  <AlertTriangle className="h-5 w-5" />
+                  Tipi di Attacco
+                </CardTitle>
+              </CardHeader>
+              <CardContent>
+                {typeChartData.length > 0 ? (
+                  <ResponsiveContainer width="100%" height={300}>
+                    <PieChart>
+                      <Pie
+                        data={typeChartData}
+                        cx="50%"
+                        cy="50%"
+                        labelLine={false}
+                        label={(entry) => `${entry.name}: ${entry.value}`}
+                        outerRadius={100}
+                        fill="#8884d8"
+                        dataKey="value"
+                      >
+                        {typeChartData.map((entry, index) => (
+                          <Cell key={`cell-${index}`} fill={COLORS[index % COLORS.length]} />
+                        ))}
+                      </Pie>
+                      <Tooltip />
+                      <Legend />
+                    </PieChart>
+                  </ResponsiveContainer>
+                ) : (
+                  <div className="text-center py-20 text-muted-foreground">
+                    Nessun attacco rilevato
+                  </div>
+                )}
+              </CardContent>
+            </Card>
+          </div>
+
+          {/* Top Countries (Bar Chart) */}
+          <Card data-testid="card-countries">
+            <CardHeader>
+              <CardTitle className="flex items-center gap-2">
+                <Globe className="h-5 w-5" />
+                Top 10 Paesi Attaccanti
+              </CardTitle>
+            </CardHeader>
+            <CardContent>
+              {countryChartData.length > 0 ? (
+                <ResponsiveContainer width="100%" height={400}>
+                  <BarChart data={countryChartData}>
+                    <CartesianGrid strokeDasharray="3 3" />
+                    <XAxis dataKey="name" />
+                    <YAxis />
+                    <Tooltip />
+                    <Legend />
+                    <Bar dataKey="attacks" fill="#ef4444" name="Attacchi" />
+                  </BarChart>
+                </ResponsiveContainer>
+              ) : (
+                <div className="text-center py-20 text-muted-foreground">
+                  Nessun dato disponibile
+                </div>
+              )}
+            </CardContent>
+          </Card>
+
+          {/* Real-time Event Stream */}
+          <Card data-testid="card-event-stream">
+            <CardHeader>
+              <CardTitle className="flex items-center gap-2">
+                <Shield className="h-5 w-5" />
+                Stream Eventi Recenti
+              </CardTitle>
+            </CardHeader>
+            <CardContent>
+              <div className="space-y-2 max-h-96 overflow-y-auto">
+                {recentEvents.map(event => (
+                  <div
+                    key={event.id}
+                    className="flex items-center justify-between p-3 rounded-lg border hover-elevate"
+                    data-testid={`event-${event.id}`}
+                  >
+                    <div className="flex items-center gap-3">
+                      {event.countryCode && (
+                        <span className="text-xl">
+                          {getFlag(event.country, event.countryCode)}
+                        </span>
+                      )}
+                      <div>
+                        <code className="font-mono font-semibold">{event.sourceIp}</code>
+                        <p className="text-xs text-muted-foreground">
+                          {event.anomalyType.replace('_', ' ')} • {format(new Date(event.detectedAt), "HH:mm:ss")}
+                        </p>
+                      </div>
+                    </div>
+                    <Badge variant={event.blocked ? "destructive" : "secondary"}>
+                      {event.blocked ? "Bloccato" : "Attivo"}
+                    </Badge>
+                  </div>
+                ))}
+              </div>
+            </CardContent>
+          </Card>
+        </>
+      )}
+    </div>
+  );
+}

client/src/pages/Detections.tsx

@@ -1,24 +1,133 @@
-import { useQuery } from "@tanstack/react-query";
+import { useQuery, useMutation } from "@tanstack/react-query";
 import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card";
 import { Badge } from "@/components/ui/badge";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
-import { AlertTriangle, Search, Shield, Eye } from "lucide-react";
+import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from "@/components/ui/select";
+import { Slider } from "@/components/ui/slider";
+import { AlertTriangle, Search, Shield, Globe, MapPin, Building2, ShieldPlus, ShieldCheck, Unlock, ChevronLeft, ChevronRight } from "lucide-react";
 import { format } from "date-fns";
-import { useState } from "react";
+import { useState, useEffect, useMemo } from "react";
-import type { Detection } from "@shared/schema";
+import type { Detection, Whitelist } from "@shared/schema";
+import { getFlag } from "@/lib/country-flags";
+import { apiRequest, queryClient } from "@/lib/queryClient";
+import { useToast } from "@/hooks/use-toast";
+
+const ITEMS_PER_PAGE = 50;
+
+interface DetectionsResponse {
+  detections: Detection[];
+  total: number;
+}
 
 export default function Detections() {
-  const [searchQuery, setSearchQuery] = useState("");
+  const [searchInput, setSearchInput] = useState("");
-  const { data: detections, isLoading } = useQuery<Detection[]>({
+  const [debouncedSearch, setDebouncedSearch] = useState("");
-    queryKey: ["/api/detections"],
+  const [anomalyTypeFilter, setAnomalyTypeFilter] = useState<string>("all");
-    refetchInterval: 5000,
+  const [minScore, setMinScore] = useState(0);
+  const [maxScore, setMaxScore] = useState(100);
+  const [currentPage, setCurrentPage] = useState(1);
+  const { toast } = useToast();
+
+  // Debounce search input
+  useEffect(() => {
+    const timer = setTimeout(() => {
+      setDebouncedSearch(searchInput);
+      setCurrentPage(1); // Reset to first page on search
+    }, 300);
+    return () => clearTimeout(timer);
+  }, [searchInput]);
+
+  // Reset page on filter change
+  useEffect(() => {
+    setCurrentPage(1);
+  }, [anomalyTypeFilter, minScore, maxScore]);
+
+  // Build query params with pagination and search
+  const queryParams = useMemo(() => {
+    const params = new URLSearchParams();
+    params.set("limit", ITEMS_PER_PAGE.toString());
+    params.set("offset", ((currentPage - 1) * ITEMS_PER_PAGE).toString());
+    if (anomalyTypeFilter !== "all") {
+      params.set("anomalyType", anomalyTypeFilter);
+    }
+    if (minScore > 0) {
+      params.set("minScore", minScore.toString());
+    }
+    if (maxScore < 100) {
+      params.set("maxScore", maxScore.toString());
+    }
+    if (debouncedSearch.trim()) {
+      params.set("search", debouncedSearch.trim());
+    }
+    return params.toString();
+  }, [currentPage, anomalyTypeFilter, minScore, maxScore, debouncedSearch]);
+
+  const { data, isLoading } = useQuery<DetectionsResponse>({
+    queryKey: ["/api/detections", currentPage, anomalyTypeFilter, minScore, maxScore, debouncedSearch],
+    queryFn: () => fetch(`/api/detections?${queryParams}`).then(r => r.json()),
+    refetchInterval: 10000,
   });
 
-  const filteredDetections = detections?.filter((d) =>
+  const detections = data?.detections || [];
-    d.sourceIp.toLowerCase().includes(searchQuery.toLowerCase()) ||
+  const totalCount = data?.total || 0;
-    d.anomalyType.toLowerCase().includes(searchQuery.toLowerCase())
+  const totalPages = Math.ceil(totalCount / ITEMS_PER_PAGE);
-  );
+
+  // Fetch whitelist to check if IP is already whitelisted
+  const { data: whitelistData } = useQuery<Whitelist[]>({
+    queryKey: ["/api/whitelist"],
+  });
+
+  // Create a Set of whitelisted IPs for fast lookup
+  const whitelistedIps = new Set(whitelistData?.map(w => w.ipAddress) || []);
+
+  // Mutation per aggiungere a whitelist
+  const addToWhitelistMutation = useMutation({
+    mutationFn: async (detection: Detection) => {
+      return await apiRequest("POST", "/api/whitelist", {
+        ipAddress: detection.sourceIp,
+        reason: `Auto-added from detection: ${detection.anomalyType} (Risk: ${parseFloat(detection.riskScore).toFixed(1)})`
+      });
+    },
+    onSuccess: (_, detection) => {
+      toast({
+        title: "IP aggiunto alla whitelist",
+        description: `${detection.sourceIp} è stato aggiunto alla whitelist e sbloccato dai router.`,
+      });
+      queryClient.invalidateQueries({ queryKey: ["/api/whitelist"] });
+      queryClient.invalidateQueries({ queryKey: ["/api/detections"] });
+    },
+    onError: (error: any, detection) => {
+      toast({
+        title: "Errore",
+        description: error.message || `Impossibile aggiungere ${detection.sourceIp} alla whitelist.`,
+        variant: "destructive",
+      });
+    }
+  });
+
+  // Mutation per sbloccare IP dai router
+  const unblockMutation = useMutation({
+    mutationFn: async (detection: Detection) => {
+      return await apiRequest("POST", "/api/unblock-ip", {
+        ipAddress: detection.sourceIp
+      });
+    },
+    onSuccess: (data: any, detection) => {
+      toast({
+        title: "IP sbloccato",
+        description: `${detection.sourceIp} è stato rimosso dalla blocklist di ${data.unblocked_from || 0} router.`,
+      });
+      queryClient.invalidateQueries({ queryKey: ["/api/detections"] });
+    },
+    onError: (error: any, detection) => {
+      toast({
+        title: "Errore sblocco",
+        description: error.message || `Impossibile sbloccare ${detection.sourceIp} dai router.`,
+        variant: "destructive",
+      });
+    }
+  });
 
   const getRiskBadge = (riskScore: string) => {
     const score = parseFloat(riskScore);
@@ -52,20 +161,58 @@ export default function Detections() {
       {/* Search and Filters */}
       <Card data-testid="card-filters">
         <CardContent className="pt-6">
-          <div className="flex items-center gap-4">
+          <div className="flex flex-col gap-4">
-            <div className="relative flex-1">
+            <div className="flex items-center gap-4 flex-wrap">
-              <Search className="absolute left-3 top-1/2 -translate-y-1/2 h-4 w-4 text-muted-foreground" />
+              <div className="relative flex-1 min-w-[200px]">
-              <Input
+                <Search className="absolute left-3 top-1/2 -translate-y-1/2 h-4 w-4 text-muted-foreground" />
-                placeholder="Cerca per IP o tipo anomalia..."
+                <Input
-                value={searchQuery}
+                  placeholder="Cerca per IP, paese, organizzazione..."
-                onChange={(e) => setSearchQuery(e.target.value)}
+                  value={searchInput}
-                className="pl-9"
+                  onChange={(e) => setSearchInput(e.target.value)}
-                data-testid="input-search"
+                  className="pl-9"
-              />
+                  data-testid="input-search"
+                />
+              </div>
+
+              <Select value={anomalyTypeFilter} onValueChange={setAnomalyTypeFilter}>
+                <SelectTrigger className="w-[200px]" data-testid="select-anomaly-type">
+                  <SelectValue placeholder="Tipo attacco" />
+                </SelectTrigger>
+                <SelectContent>
+                  <SelectItem value="all">Tutti i tipi</SelectItem>
+                  <SelectItem value="ddos">DDoS Attack</SelectItem>
+                  <SelectItem value="port_scan">Port Scanning</SelectItem>
+                  <SelectItem value="brute_force">Brute Force</SelectItem>
+                  <SelectItem value="botnet">Botnet Activity</SelectItem>
+                  <SelectItem value="suspicious">Suspicious Activity</SelectItem>
+                </SelectContent>
+              </Select>
+            </div>
+
+            <div className="space-y-2">
+              <div className="flex items-center justify-between text-sm">
+                <span className="text-muted-foreground">Risk Score:</span>
+                <span className="font-medium" data-testid="text-score-range">
+                  {minScore} - {maxScore}
+                </span>
+              </div>
+              <div className="flex items-center gap-4">
+                <span className="text-xs text-muted-foreground w-8">0</span>
+                <Slider
+                  min={0}
+                  max={100}
+                  step={5}
+                  value={[minScore, maxScore]}
+                  onValueChange={([min, max]) => {
+                    setMinScore(min);
+                    setMaxScore(max);
+                  }}
+                  className="flex-1"
+                  data-testid="slider-risk-score"
+                />
+                <span className="text-xs text-muted-foreground w-8">100</span>
+              </div>
             </div>
-            <Button variant="outline" data-testid="button-refresh">
-              Aggiorna
-            </Button>
           </div>
         </CardContent>
       </Card>
@@ -73,9 +220,36 @@ export default function Detections() {
       {/* Detections List */}
       <Card data-testid="card-detections-list">
         <CardHeader>
-          <CardTitle className="flex items-center gap-2">
+          <CardTitle className="flex items-center justify-between gap-2 flex-wrap">
-            <AlertTriangle className="h-5 w-5" />
+            <div className="flex items-center gap-2">
-            Rilevamenti ({filteredDetections?.length || 0})
+              <AlertTriangle className="h-5 w-5" />
+              Rilevamenti ({totalCount})
+            </div>
+            {totalPages > 1 && (
+              <div className="flex items-center gap-2 text-sm font-normal">
+                <Button 
+                  variant="outline" 
+                  size="icon"
+                  onClick={() => setCurrentPage(p => Math.max(1, p - 1))}
+                  disabled={currentPage === 1}
+                  data-testid="button-prev-page"
+                >
+                  <ChevronLeft className="h-4 w-4" />
+                </Button>
+                <span data-testid="text-pagination">
+                  Pagina {currentPage} di {totalPages}
+                </span>
+                <Button 
+                  variant="outline" 
+                  size="icon"
+                  onClick={() => setCurrentPage(p => Math.min(totalPages, p + 1))}
+                  disabled={currentPage === totalPages}
+                  data-testid="button-next-page"
+                >
+                  <ChevronRight className="h-4 w-4" />
+                </Button>
+              </div>
+            )}
           </CardTitle>
         </CardHeader>
         <CardContent>
@@ -83,9 +257,9 @@ export default function Detections() {
             <div className="text-center py-8 text-muted-foreground" data-testid="text-loading">
               Caricamento...
             </div>
-          ) : filteredDetections && filteredDetections.length > 0 ? (
+          ) : detections.length > 0 ? (
             <div className="space-y-3">
-              {filteredDetections.map((detection) => (
+              {detections.map((detection) => (
                 <div
                   key={detection.id}
                   className="p-4 rounded-lg border hover-elevate"
@@ -93,7 +267,14 @@ export default function Detections() {
                 >
                   <div className="flex items-start justify-between gap-4">
                     <div className="flex-1 min-w-0">
-                      <div className="flex items-center gap-2 mb-2 flex-wrap">
+                      <div className="flex items-center gap-3 mb-2 flex-wrap">
+                        {/* Flag Emoji */}
+                        {detection.countryCode && (
+                          <span className="text-2xl" title={detection.country || detection.countryCode} data-testid={`flag-${detection.id}`}>
+                            {getFlag(detection.country, detection.countryCode)}
+                          </span>
+                        )}
+                        
                         <code className="font-mono font-semibold text-lg" data-testid={`text-ip-${detection.id}`}>
                           {detection.sourceIp}
                         </code>
@@ -107,6 +288,34 @@ export default function Detections() {
                         {detection.reason}
                       </p>
 
+                      {/* Geolocation Info */}
+                      {(detection.country || detection.organization || detection.asNumber) && (
+                        <div className="flex flex-wrap gap-3 mb-3 text-sm" data-testid={`geo-info-${detection.id}`}>
+                          {detection.country && (
+                            <div className="flex items-center gap-1.5 text-muted-foreground">
+                              <Globe className="h-3.5 w-3.5" />
+                              <span data-testid={`text-country-${detection.id}`}>
+                                {detection.city ? `${detection.city}, ${detection.country}` : detection.country}
+                              </span>
+                            </div>
+                          )}
+                          {detection.organization && (
+                            <div className="flex items-center gap-1.5 text-muted-foreground">
+                              <Building2 className="h-3.5 w-3.5" />
+                              <span data-testid={`text-org-${detection.id}`}>{detection.organization}</span>
+                            </div>
+                          )}
+                          {detection.asNumber && (
+                            <div className="flex items-center gap-1.5 text-muted-foreground">
+                              <MapPin className="h-3.5 w-3.5" />
+                              <span data-testid={`text-as-${detection.id}`}>
+                                {detection.asNumber} {detection.asName && `- ${detection.asName}`}
+                              </span>
+                            </div>
+                          )}
+                        </div>
+                      )}
+
                       <div className="grid grid-cols-2 md:grid-cols-4 gap-4 text-sm">
                         <div>
                           <p className="text-muted-foreground text-xs">Risk Score</p>
@@ -156,12 +365,44 @@ export default function Detections() {
                         </Badge>
                       )}
 
-                      <Button variant="outline" size="sm" asChild data-testid={`button-details-${detection.id}`}>
+                      {whitelistedIps.has(detection.sourceIp) ? (
-                        <a href={`/logs?ip=${detection.sourceIp}`}>
+                        <Button 
-                          <Eye className="h-3 w-3 mr-1" />
+                          variant="outline" 
-                          Dettagli
+                          size="sm" 
-                        </a>
+                          disabled
-                      </Button>
+                          className="w-full bg-green-500/10 border-green-500 text-green-600 dark:text-green-400"
+                          data-testid={`button-whitelist-${detection.id}`}
+                        >
+                          <ShieldCheck className="h-3 w-3 mr-1" />
+                          In Whitelist
+                        </Button>
+                      ) : (
+                        <Button 
+                          variant="outline" 
+                          size="sm" 
+                          onClick={() => addToWhitelistMutation.mutate(detection)}
+                          disabled={addToWhitelistMutation.isPending}
+                          className="w-full"
+                          data-testid={`button-whitelist-${detection.id}`}
+                        >
+                          <ShieldPlus className="h-3 w-3 mr-1" />
+                          Whitelist
+                        </Button>
+                      )}
+
+                      {detection.blocked && (
+                        <Button 
+                          variant="outline" 
+                          size="sm" 
+                          onClick={() => unblockMutation.mutate(detection)}
+                          disabled={unblockMutation.isPending}
+                          className="w-full"
+                          data-testid={`button-unblock-${detection.id}`}
+                        >
+                          <Unlock className="h-3 w-3 mr-1" />
+                          Sblocca Router
+                        </Button>
+                      )}
                     </div>
                   </div>
                 </div>
@@ -171,11 +412,40 @@ export default function Detections() {
             <div className="text-center py-12 text-muted-foreground" data-testid="text-no-results">
               <AlertTriangle className="h-12 w-12 mx-auto mb-2 opacity-50" />
               <p>Nessun rilevamento trovato</p>
-              {searchQuery && (
+              {debouncedSearch && (
                 <p className="text-sm">Prova con un altro termine di ricerca</p>
               )}
             </div>
           )}
+          
+          {/* Bottom pagination */}
+          {totalPages > 1 && detections.length > 0 && (
+            <div className="flex items-center justify-center gap-4 mt-6 pt-4 border-t">
+              <Button 
+                variant="outline" 
+                size="sm"
+                onClick={() => setCurrentPage(p => Math.max(1, p - 1))}
+                disabled={currentPage === 1}
+                data-testid="button-prev-page-bottom"
+              >
+                <ChevronLeft className="h-4 w-4 mr-1" />
+                Precedente
+              </Button>
+              <span className="text-sm text-muted-foreground" data-testid="text-pagination-bottom">
+                Pagina {currentPage} di {totalPages} ({totalCount} totali)
+              </span>
+              <Button 
+                variant="outline" 
+                size="sm"
+                onClick={() => setCurrentPage(p => Math.min(totalPages, p + 1))}
+                disabled={currentPage === totalPages}
+                data-testid="button-next-page-bottom"
+              >
+                Successiva
+                <ChevronRight className="h-4 w-4 ml-1" />
+              </Button>
+            </div>
+          )}
         </CardContent>
       </Card>
     </div>

client/src/pages/PublicLists.tsx

@@ -0,0 +1,372 @@
+import { useQuery, useMutation } from "@tanstack/react-query";
+import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
+import { Button } from "@/components/ui/button";
+import { Badge } from "@/components/ui/badge";
+import { Table, TableBody, TableCell, TableHead, TableHeader, TableRow } from "@/components/ui/table";
+import { Dialog, DialogContent, DialogDescription, DialogHeader, DialogTitle, DialogTrigger } from "@/components/ui/dialog";
+import { Form, FormControl, FormField, FormItem, FormLabel, FormMessage } from "@/components/ui/form";
+import { Input } from "@/components/ui/input";
+import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from "@/components/ui/select";
+import { Switch } from "@/components/ui/switch";
+import { useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+import { RefreshCw, Plus, Trash2, Edit, CheckCircle2, XCircle, AlertTriangle, Clock } from "lucide-react";
+import { apiRequest, queryClient } from "@/lib/queryClient";
+import { useToast } from "@/hooks/use-toast";
+import { formatDistanceToNow } from "date-fns";
+import { it } from "date-fns/locale";
+import { useState } from "react";
+
+const listFormSchema = z.object({
+  name: z.string().min(1, "Nome richiesto"),
+  type: z.enum(["blacklist", "whitelist"], {
+    required_error: "Tipo richiesto",
+  }),
+  url: z.string().url("URL non valida"),
+  enabled: z.boolean().default(true),
+  fetchIntervalMinutes: z.number().min(1).max(1440).default(10),
+});
+
+type ListFormValues = z.infer<typeof listFormSchema>;
+
+export default function PublicLists() {
+  const { toast } = useToast();
+  const [isAddDialogOpen, setIsAddDialogOpen] = useState(false);
+  const [editingList, setEditingList] = useState<any>(null);
+
+  const { data: lists, isLoading } = useQuery({
+    queryKey: ["/api/public-lists"],
+  });
+
+  const form = useForm<ListFormValues>({
+    resolver: zodResolver(listFormSchema),
+    defaultValues: {
+      name: "",
+      type: "blacklist",
+      url: "",
+      enabled: true,
+      fetchIntervalMinutes: 10,
+    },
+  });
+
+  const createMutation = useMutation({
+    mutationFn: (data: ListFormValues) =>
+      apiRequest("POST", "/api/public-lists", data),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["/api/public-lists"] });
+      toast({
+        title: "Lista creata",
+        description: "La lista è stata aggiunta con successo",
+      });
+      setIsAddDialogOpen(false);
+      form.reset();
+    },
+    onError: (error: any) => {
+      toast({
+        title: "Errore",
+        description: error.message || "Impossibile creare la lista",
+        variant: "destructive",
+      });
+    },
+  });
+
+  const updateMutation = useMutation({
+    mutationFn: ({ id, data }: { id: string; data: Partial<ListFormValues> }) =>
+      apiRequest("PATCH", `/api/public-lists/${id}`, data),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["/api/public-lists"] });
+      toast({
+        title: "Lista aggiornata",
+        description: "Le modifiche sono state salvate",
+      });
+      setEditingList(null);
+    },
+  });
+
+  const deleteMutation = useMutation({
+    mutationFn: (id: string) =>
+      apiRequest("DELETE", `/api/public-lists/${id}`),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["/api/public-lists"] });
+      toast({
+        title: "Lista eliminata",
+        description: "La lista è stata rimossa",
+      });
+    },
+    onError: (error: any) => {
+      toast({
+        title: "Errore",
+        description: error.message || "Impossibile eliminare la lista",
+        variant: "destructive",
+      });
+    },
+  });
+
+  const syncMutation = useMutation({
+    mutationFn: (id: string) =>
+      apiRequest("POST", `/api/public-lists/${id}/sync`),
+    onSuccess: () => {
+      toast({
+        title: "Sync avviato",
+        description: "La sincronizzazione manuale è stata richiesta",
+      });
+    },
+  });
+
+  const toggleEnabled = (id: string, enabled: boolean) => {
+    updateMutation.mutate({ id, data: { enabled } });
+  };
+
+  const onSubmit = (data: ListFormValues) => {
+    createMutation.mutate(data);
+  };
+
+  const getStatusBadge = (list: any) => {
+    if (!list.enabled) {
+      return <Badge variant="outline" className="gap-1"><XCircle className="w-3 h-3" />Disabilitata</Badge>;
+    }
+
+    if (list.errorCount > 5) {
+      return <Badge variant="destructive" className="gap-1"><AlertTriangle className="w-3 h-3" />Errori</Badge>;
+    }
+
+    if (list.lastSuccess) {
+      return <Badge variant="default" className="gap-1 bg-green-600"><CheckCircle2 className="w-3 h-3" />OK</Badge>;
+    }
+
+    return <Badge variant="secondary" className="gap-1"><Clock className="w-3 h-3" />In attesa</Badge>;
+  };
+
+  const getTypeBadge = (type: string) => {
+    if (type === "blacklist") {
+      return <Badge variant="destructive">Blacklist</Badge>;
+    }
+    return <Badge variant="default" className="bg-blue-600">Whitelist</Badge>;
+  };
+
+  if (isLoading) {
+    return (
+      <div className="p-6">
+        <Card>
+          <CardHeader>
+            <CardTitle>Caricamento...</CardTitle>
+          </CardHeader>
+        </Card>
+      </div>
+    );
+  }
+
+  return (
+    <div className="p-6 space-y-6">
+      <div className="flex items-center justify-between">
+        <div>
+          <h1 className="text-3xl font-bold">Liste Pubbliche</h1>
+          <p className="text-muted-foreground mt-2">
+            Gestione sorgenti blacklist e whitelist esterne (aggiornamento ogni 10 minuti)
+          </p>
+        </div>
+        <Dialog open={isAddDialogOpen} onOpenChange={setIsAddDialogOpen}>
+          <DialogTrigger asChild>
+            <Button data-testid="button-add-list">
+              <Plus className="w-4 h-4 mr-2" />
+              Aggiungi Lista
+            </Button>
+          </DialogTrigger>
+          <DialogContent className="max-w-2xl">
+            <DialogHeader>
+              <DialogTitle>Aggiungi Lista Pubblica</DialogTitle>
+              <DialogDescription>
+                Configura una nuova sorgente blacklist o whitelist
+              </DialogDescription>
+            </DialogHeader>
+            <Form {...form}>
+              <form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4">
+                <FormField
+                  control={form.control}
+                  name="name"
+                  render={({ field }) => (
+                    <FormItem>
+                      <FormLabel>Nome</FormLabel>
+                      <FormControl>
+                        <Input placeholder="es. Spamhaus DROP" {...field} data-testid="input-list-name" />
+                      </FormControl>
+                      <FormMessage />
+                    </FormItem>
+                  )}
+                />
+                <FormField
+                  control={form.control}
+                  name="type"
+                  render={({ field }) => (
+                    <FormItem>
+                      <FormLabel>Tipo</FormLabel>
+                      <Select onValueChange={field.onChange} defaultValue={field.value}>
+                        <FormControl>
+                          <SelectTrigger data-testid="select-list-type">
+                            <SelectValue placeholder="Seleziona tipo" />
+                          </SelectTrigger>
+                        </FormControl>
+                        <SelectContent>
+                          <SelectItem value="blacklist">Blacklist</SelectItem>
+                          <SelectItem value="whitelist">Whitelist</SelectItem>
+                        </SelectContent>
+                      </Select>
+                      <FormMessage />
+                    </FormItem>
+                  )}
+                />
+                <FormField
+                  control={form.control}
+                  name="url"
+                  render={({ field }) => (
+                    <FormItem>
+                      <FormLabel>URL</FormLabel>
+                      <FormControl>
+                        <Input placeholder="https://example.com/list.txt" {...field} data-testid="input-list-url" />
+                      </FormControl>
+                      <FormMessage />
+                    </FormItem>
+                  )}
+                />
+                <FormField
+                  control={form.control}
+                  name="fetchIntervalMinutes"
+                  render={({ field }) => (
+                    <FormItem>
+                      <FormLabel>Intervallo Sync (minuti)</FormLabel>
+                      <FormControl>
+                        <Input
+                          type="number"
+                          {...field}
+                          onChange={(e) => field.onChange(parseInt(e.target.value))}
+                          data-testid="input-list-interval"
+                        />
+                      </FormControl>
+                      <FormMessage />
+                    </FormItem>
+                  )}
+                />
+                <FormField
+                  control={form.control}
+                  name="enabled"
+                  render={({ field }) => (
+                    <FormItem className="flex items-center justify-between">
+                      <FormLabel>Abilitata</FormLabel>
+                      <FormControl>
+                        <Switch
+                          checked={field.value}
+                          onCheckedChange={field.onChange}
+                          data-testid="switch-list-enabled"
+                        />
+                      </FormControl>
+                    </FormItem>
+                  )}
+                />
+                <div className="flex justify-end gap-2 pt-4">
+                  <Button type="button" variant="outline" onClick={() => setIsAddDialogOpen(false)}>
+                    Annulla
+                  </Button>
+                  <Button type="submit" disabled={createMutation.isPending} data-testid="button-save-list">
+                    {createMutation.isPending ? "Salvataggio..." : "Salva"}
+                  </Button>
+                </div>
+              </form>
+            </Form>
+          </DialogContent>
+        </Dialog>
+      </div>
+
+      <Card>
+        <CardHeader>
+          <CardTitle>Sorgenti Configurate</CardTitle>
+          <CardDescription>
+            {lists?.length || 0} liste configurate
+          </CardDescription>
+        </CardHeader>
+        <CardContent>
+          <Table>
+            <TableHeader>
+              <TableRow>
+                <TableHead>Nome</TableHead>
+                <TableHead>Tipo</TableHead>
+                <TableHead>Stato</TableHead>
+                <TableHead>IP Totali</TableHead>
+                <TableHead>IP Attivi</TableHead>
+                <TableHead>Ultimo Sync</TableHead>
+                <TableHead className="text-right">Azioni</TableHead>
+              </TableRow>
+            </TableHeader>
+            <TableBody>
+              {lists?.map((list: any) => (
+                <TableRow key={list.id} data-testid={`row-list-${list.id}`}>
+                  <TableCell className="font-medium">
+                    <div>
+                      <div>{list.name}</div>
+                      <div className="text-xs text-muted-foreground truncate max-w-xs">
+                        {list.url}
+                      </div>
+                    </div>
+                  </TableCell>
+                  <TableCell>{getTypeBadge(list.type)}</TableCell>
+                  <TableCell>{getStatusBadge(list)}</TableCell>
+                  <TableCell data-testid={`text-total-ips-${list.id}`}>{list.totalIps?.toLocaleString() || 0}</TableCell>
+                  <TableCell data-testid={`text-active-ips-${list.id}`}>{list.activeIps?.toLocaleString() || 0}</TableCell>
+                  <TableCell>
+                    {list.lastSuccess ? (
+                      <span className="text-sm">
+                        {formatDistanceToNow(new Date(list.lastSuccess), {
+                          addSuffix: true,
+                          locale: it,
+                        })}
+                      </span>
+                    ) : (
+                      <span className="text-sm text-muted-foreground">Mai</span>
+                    )}
+                  </TableCell>
+                  <TableCell className="text-right">
+                    <div className="flex items-center justify-end gap-2">
+                      <Switch
+                        checked={list.enabled}
+                        onCheckedChange={(checked) => toggleEnabled(list.id, checked)}
+                        data-testid={`switch-enable-${list.id}`}
+                      />
+                      <Button
+                        variant="outline"
+                        size="icon"
+                        onClick={() => syncMutation.mutate(list.id)}
+                        disabled={syncMutation.isPending}
+                        data-testid={`button-sync-${list.id}`}
+                      >
+                        <RefreshCw className="w-4 h-4" />
+                      </Button>
+                      <Button
+                        variant="destructive"
+                        size="icon"
+                        onClick={() => {
+                          if (confirm(`Eliminare la lista "${list.name}"?`)) {
+                            deleteMutation.mutate(list.id);
+                          }
+                        }}
+                        data-testid={`button-delete-${list.id}`}
+                      >
+                        <Trash2 className="w-4 h-4" />
+                      </Button>
+                    </div>
+                  </TableCell>
+                </TableRow>
+              ))}
+              {(!lists || lists.length === 0) && (
+                <TableRow>
+                  <TableCell colSpan={7} className="text-center text-muted-foreground py-8">
+                    Nessuna lista configurata. Aggiungi la prima lista.
+                  </TableCell>
+                </TableRow>
+              )}
+            </TableBody>
+          </Table>
+        </CardContent>
+      </Card>
+    </div>
+  );
+}

client/src/pages/Routers.tsx

@@ -1,19 +1,108 @@
+import { useState } from "react";
 import { useQuery, useMutation } from "@tanstack/react-query";
 import { queryClient, apiRequest } from "@/lib/queryClient";
 import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card";
 import { Badge } from "@/components/ui/badge";
 import { Button } from "@/components/ui/button";
-import { Server, Plus, Trash2 } from "lucide-react";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogHeader,
+  DialogTitle,
+  DialogTrigger,
+  DialogFooter,
+} from "@/components/ui/dialog";
+import {
+  Form,
+  FormControl,
+  FormDescription,
+  FormField,
+  FormItem,
+  FormLabel,
+  FormMessage,
+} from "@/components/ui/form";
+import { Input } from "@/components/ui/input";
+import { Switch } from "@/components/ui/switch";
+import { Server, Plus, Trash2, Edit } from "lucide-react";
 import { format } from "date-fns";
+import { useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { insertRouterSchema, type InsertRouter } from "@shared/schema";
 import type { Router } from "@shared/schema";
 import { useToast } from "@/hooks/use-toast";
 
 export default function Routers() {
   const { toast } = useToast();
+  const [addDialogOpen, setAddDialogOpen] = useState(false);
+  const [editDialogOpen, setEditDialogOpen] = useState(false);
+  const [editingRouter, setEditingRouter] = useState<Router | null>(null);
+
   const { data: routers, isLoading } = useQuery<Router[]>({
     queryKey: ["/api/routers"],
   });
 
+  const addForm = useForm<InsertRouter>({
+    resolver: zodResolver(insertRouterSchema),
+    defaultValues: {
+      name: "",
+      ipAddress: "",
+      apiPort: 8729,
+      username: "",
+      password: "",
+      enabled: true,
+    },
+  });
+
+  const editForm = useForm<InsertRouter>({
+    resolver: zodResolver(insertRouterSchema),
+  });
+
+  const addMutation = useMutation({
+    mutationFn: async (data: InsertRouter) => {
+      return await apiRequest("POST", "/api/routers", data);
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["/api/routers"] });
+      toast({
+        title: "Router aggiunto",
+        description: "Il router è stato configurato con successo",
+      });
+      setAddDialogOpen(false);
+      addForm.reset();
+    },
+    onError: (error: any) => {
+      toast({
+        title: "Errore",
+        description: error.message || "Impossibile aggiungere il router",
+        variant: "destructive",
+      });
+    },
+  });
+
+  const updateMutation = useMutation({
+    mutationFn: async ({ id, data }: { id: string; data: InsertRouter }) => {
+      return await apiRequest("PUT", `/api/routers/${id}`, data);
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["/api/routers"] });
+      toast({
+        title: "Router aggiornato",
+        description: "Le modifiche sono state salvate con successo",
+      });
+      setEditDialogOpen(false);
+      setEditingRouter(null);
+      editForm.reset();
+    },
+    onError: (error: any) => {
+      toast({
+        title: "Errore",
+        description: error.message || "Impossibile aggiornare il router",
+        variant: "destructive",
+      });
+    },
+  });
+
   const deleteMutation = useMutation({
     mutationFn: async (id: string) => {
       await apiRequest("DELETE", `/api/routers/${id}`);
@@ -34,6 +123,29 @@ export default function Routers() {
     },
   });
 
+  const handleAddSubmit = (data: InsertRouter) => {
+    addMutation.mutate(data);
+  };
+
+  const handleEditSubmit = (data: InsertRouter) => {
+    if (editingRouter) {
+      updateMutation.mutate({ id: editingRouter.id, data });
+    }
+  };
+
+  const handleEdit = (router: Router) => {
+    setEditingRouter(router);
+    editForm.reset({
+      name: router.name,
+      ipAddress: router.ipAddress,
+      apiPort: router.apiPort,
+      username: router.username,
+      password: router.password,
+      enabled: router.enabled,
+    });
+    setEditDialogOpen(true);
+  };
+
   return (
     <div className="flex flex-col gap-6 p-6" data-testid="page-routers">
       <div className="flex items-center justify-between">
@@ -43,10 +155,152 @@ export default function Routers() {
             Gestisci i router connessi al sistema IDS
           </p>
         </div>
-        <Button data-testid="button-add-router">
+        
-          <Plus className="h-4 w-4 mr-2" />
+        <Dialog open={addDialogOpen} onOpenChange={setAddDialogOpen}>
-          Aggiungi Router
+          <DialogTrigger asChild>
-        </Button>
+            <Button data-testid="button-add-router">
+              <Plus className="h-4 w-4 mr-2" />
+              Aggiungi Router
+            </Button>
+          </DialogTrigger>
+          <DialogContent className="sm:max-w-[500px]" data-testid="dialog-add-router">
+            <DialogHeader>
+              <DialogTitle>Aggiungi Router MikroTik</DialogTitle>
+              <DialogDescription>
+                Configura un nuovo router MikroTik per il sistema IDS. Assicurati che l'API RouterOS (porta 8729/8728) sia abilitata.
+              </DialogDescription>
+            </DialogHeader>
+            
+            <Form {...addForm}>
+              <form onSubmit={addForm.handleSubmit(handleAddSubmit)} className="space-y-4">
+                <FormField
+                  control={addForm.control}
+                  name="name"
+                  render={({ field }) => (
+                    <FormItem>
+                      <FormLabel>Nome Router</FormLabel>
+                      <FormControl>
+                        <Input placeholder="es. MikroTik Ufficio" {...field} data-testid="input-name" />
+                      </FormControl>
+                      <FormDescription>
+                        Nome descrittivo per identificare il router
+                      </FormDescription>
+                      <FormMessage />
+                    </FormItem>
+                  )}
+                />
+
+                <FormField
+                  control={addForm.control}
+                  name="ipAddress"
+                  render={({ field }) => (
+                    <FormItem>
+                      <FormLabel>Indirizzo IP</FormLabel>
+                      <FormControl>
+                        <Input placeholder="es. 192.168.1.1" {...field} data-testid="input-ip" />
+                      </FormControl>
+                      <FormDescription>
+                        Indirizzo IP o hostname del router
+                      </FormDescription>
+                      <FormMessage />
+                    </FormItem>
+                  )}
+                />
+
+                <FormField
+                  control={addForm.control}
+                  name="apiPort"
+                  render={({ field }) => (
+                    <FormItem>
+                      <FormLabel>Porta API</FormLabel>
+                      <FormControl>
+                        <Input 
+                          type="number" 
+                          placeholder="8729" 
+                          {...field}
+                          onChange={(e) => field.onChange(parseInt(e.target.value))}
+                          data-testid="input-port"
+                        />
+                      </FormControl>
+                      <FormDescription>
+                        Porta RouterOS API MikroTik (8729 per API-SSL, 8728 per API)
+                      </FormDescription>
+                      <FormMessage />
+                    </FormItem>
+                  )}
+                />
+
+                <FormField
+                  control={addForm.control}
+                  name="username"
+                  render={({ field }) => (
+                    <FormItem>
+                      <FormLabel>Username</FormLabel>
+                      <FormControl>
+                        <Input placeholder="admin" {...field} data-testid="input-username" />
+                      </FormControl>
+                      <FormMessage />
+                    </FormItem>
+                  )}
+                />
+
+                <FormField
+                  control={addForm.control}
+                  name="password"
+                  render={({ field }) => (
+                    <FormItem>
+                      <FormLabel>Password</FormLabel>
+                      <FormControl>
+                        <Input type="password" placeholder="••••••••" {...field} data-testid="input-password" />
+                      </FormControl>
+                      <FormMessage />
+                    </FormItem>
+                  )}
+                />
+
+                <FormField
+                  control={addForm.control}
+                  name="enabled"
+                  render={({ field }) => (
+                    <FormItem className="flex flex-row items-center justify-between rounded-lg border p-3">
+                      <div className="space-y-0.5">
+                        <FormLabel>Abilitato</FormLabel>
+                        <FormDescription>
+                          Attiva il router per il blocco automatico degli IP
+                        </FormDescription>
+                      </div>
+                      <FormControl>
+                        <Switch
+                          checked={field.value}
+                          onCheckedChange={field.onChange}
+                          data-testid="switch-enabled"
+                        />
+                      </FormControl>
+                    </FormItem>
+                  )}
+                />
+
+                <DialogFooter>
+                  <Button
+                    type="button"
+                    variant="outline"
+                    onClick={() => setAddDialogOpen(false)}
+                    data-testid="button-cancel"
+                  >
+                    Annulla
+                  </Button>
+                  <Button 
+                    type="submit" 
+                    disabled={addMutation.isPending}
+                    data-testid="button-submit"
+                  >
+                    {addMutation.isPending ? "Salvataggio..." : "Salva Router"}
+                  </Button>
+                </DialogFooter>
+              </form>
+            </Form>
+          </DialogContent>
+        </Dialog>
       </div>
 
       <Card data-testid="card-routers">
@@ -114,9 +368,11 @@ export default function Routers() {
                       variant="outline"
                       size="sm"
                       className="flex-1"
-                      data-testid={`button-test-${router.id}`}
+                      onClick={() => handleEdit(router)}
+                      data-testid={`button-edit-${router.id}`}
                     >
-                      Test Connessione
+                      <Edit className="h-4 w-4 mr-2" />
+                      Modifica
                     </Button>
                     <Button
                       variant="outline"
@@ -140,6 +396,140 @@ export default function Routers() {
           )}
         </CardContent>
       </Card>
+
+      <Dialog open={editDialogOpen} onOpenChange={setEditDialogOpen}>
+        <DialogContent className="sm:max-w-[500px]" data-testid="dialog-edit-router">
+          <DialogHeader>
+            <DialogTitle>Modifica Router</DialogTitle>
+            <DialogDescription>
+              Modifica le impostazioni del router {editingRouter?.name}
+            </DialogDescription>
+          </DialogHeader>
+          
+          <Form {...editForm}>
+            <form onSubmit={editForm.handleSubmit(handleEditSubmit)} className="space-y-4">
+              <FormField
+                control={editForm.control}
+                name="name"
+                render={({ field }) => (
+                  <FormItem>
+                    <FormLabel>Nome Router</FormLabel>
+                    <FormControl>
+                      <Input placeholder="es. MikroTik Ufficio" {...field} data-testid="input-edit-name" />
+                    </FormControl>
+                    <FormMessage />
+                  </FormItem>
+                )}
+              />
+
+              <FormField
+                control={editForm.control}
+                name="ipAddress"
+                render={({ field }) => (
+                  <FormItem>
+                    <FormLabel>Indirizzo IP</FormLabel>
+                    <FormControl>
+                      <Input placeholder="es. 192.168.1.1" {...field} data-testid="input-edit-ip" />
+                    </FormControl>
+                    <FormMessage />
+                  </FormItem>
+                )}
+              />
+
+              <FormField
+                control={editForm.control}
+                name="apiPort"
+                render={({ field }) => (
+                  <FormItem>
+                    <FormLabel>Porta API</FormLabel>
+                    <FormControl>
+                      <Input 
+                        type="number" 
+                        placeholder="8729" 
+                        {...field}
+                        onChange={(e) => field.onChange(parseInt(e.target.value))}
+                        data-testid="input-edit-port"
+                      />
+                    </FormControl>
+                    <FormDescription>
+                      Porta RouterOS API MikroTik (8729 per API-SSL, 8728 per API)
+                    </FormDescription>
+                    <FormMessage />
+                  </FormItem>
+                )}
+              />
+
+              <FormField
+                control={editForm.control}
+                name="username"
+                render={({ field }) => (
+                  <FormItem>
+                    <FormLabel>Username</FormLabel>
+                    <FormControl>
+                      <Input placeholder="admin" {...field} data-testid="input-edit-username" />
+                    </FormControl>
+                    <FormMessage />
+                  </FormItem>
+                )}
+              />
+
+              <FormField
+                control={editForm.control}
+                name="password"
+                render={({ field }) => (
+                  <FormItem>
+                    <FormLabel>Password</FormLabel>
+                    <FormControl>
+                      <Input type="password" placeholder="••••••••" {...field} data-testid="input-edit-password" />
+                    </FormControl>
+                    <FormMessage />
+                  </FormItem>
+                )}
+              />
+
+              <FormField
+                control={editForm.control}
+                name="enabled"
+                render={({ field }) => (
+                  <FormItem className="flex flex-row items-center justify-between rounded-lg border p-3">
+                    <div className="space-y-0.5">
+                      <FormLabel>Abilitato</FormLabel>
+                      <FormDescription>
+                        Attiva il router per il blocco automatico degli IP
+                      </FormDescription>
+                    </div>
+                    <FormControl>
+                      <Switch
+                        checked={field.value}
+                        onCheckedChange={field.onChange}
+                        data-testid="switch-edit-enabled"
+                      />
+                    </FormControl>
+                  </FormItem>
+                )}
+              />
+
+              <DialogFooter>
+                <Button
+                  type="button"
+                  variant="outline"
+                  onClick={() => setEditDialogOpen(false)}
+                  data-testid="button-edit-cancel"
+                >
+                  Annulla
+                </Button>
+                <Button 
+                  type="submit" 
+                  disabled={updateMutation.isPending}
+                  data-testid="button-edit-submit"
+                >
+                  {updateMutation.isPending ? "Salvataggio..." : "Salva Modifiche"}
+                </Button>
+              </DialogFooter>
+            </form>
+          </Form>
+        </DialogContent>
+      </Dialog>
     </div>
   );
 }

client/src/pages/Services.tsx

@@ -19,6 +19,7 @@ interface ServicesStatusResponse {
     mlBackend: ServiceStatus;
     database: ServiceStatus;
     syslogParser: ServiceStatus;
+    analyticsAggregator: ServiceStatus;
   };
 }
 
@@ -321,6 +322,78 @@ export default function ServicesPage() {
             </div>
           </CardContent>
         </Card>
+
+        {/* Analytics Aggregator Service */}
+        <Card data-testid="card-analytics-aggregator-service">
+          <CardHeader>
+            <CardTitle className="flex items-center gap-2 text-lg">
+              <Activity className="h-5 w-5" />
+              Analytics Aggregator
+              {servicesStatus && getStatusIndicator(servicesStatus.services.analyticsAggregator)}
+            </CardTitle>
+          </CardHeader>
+          <CardContent className="space-y-4">
+            <div className="flex items-center justify-between">
+              <span className="text-sm text-muted-foreground">Stato:</span>
+              {servicesStatus && getStatusBadge(servicesStatus.services.analyticsAggregator)}
+            </div>
+
+            {servicesStatus?.services.analyticsAggregator.details?.lastRun && (
+              <div className="flex items-center justify-between">
+                <span className="text-sm text-muted-foreground">Ultima Aggregazione:</span>
+                <Badge variant="outline" className="text-xs">
+                  {new Date(servicesStatus.services.analyticsAggregator.details.lastRun).toLocaleString('it-IT')}
+                </Badge>
+              </div>
+            )}
+
+            {servicesStatus?.services.analyticsAggregator.details?.hoursSinceLastRun && (
+              <div className="flex items-center justify-between">
+                <span className="text-sm text-muted-foreground">Ore dall'ultimo run:</span>
+                <Badge variant={parseFloat(servicesStatus.services.analyticsAggregator.details.hoursSinceLastRun) < 2 ? "default" : "destructive"}>
+                  {servicesStatus.services.analyticsAggregator.details.hoursSinceLastRun}h
+                </Badge>
+              </div>
+            )}
+
+            {/* CRITICAL ALERT: Aggregator idle for too long */}
+            {servicesStatus?.services.analyticsAggregator.details?.hoursSinceLastRun && 
+             parseFloat(servicesStatus.services.analyticsAggregator.details.hoursSinceLastRun) > 2 && (
+              <Alert variant="destructive" className="mt-2" data-testid="alert-aggregator-idle">
+                <AlertCircle className="h-4 w-4" />
+                <AlertTitle className="text-sm font-semibold">⚠️ Timer Systemd Non Attivo</AlertTitle>
+                <AlertDescription className="text-xs mt-1">
+                  <p className="mb-2">L'aggregatore non esegue da {servicesStatus.services.analyticsAggregator.details.hoursSinceLastRun}h! Dashboard e Analytics bloccati.</p>
+                  <p className="font-semibold">Soluzione Immediata (sul server):</p>
+                  <code className="block bg-destructive-foreground/10 p-2 rounded mt-1 font-mono text-xs">
+                    sudo /opt/ids/deployment/setup_analytics_timer.sh
+                  </code>
+                </AlertDescription>
+              </Alert>
+            )}
+
+            <div className="mt-4 p-3 bg-muted rounded-lg">
+              <p className="text-xs font-medium mb-2">Verifica timer:</p>
+              <code className="text-xs bg-background p-2 rounded block font-mono" data-testid="code-status-aggregator">
+                systemctl status ids-analytics-aggregator.timer
+              </code>
+            </div>
+
+            <div className="mt-4 p-3 bg-muted rounded-lg">
+              <p className="text-xs font-medium mb-2">Avvia aggregazione manualmente:</p>
+              <code className="text-xs bg-background p-2 rounded block font-mono" data-testid="code-run-aggregator">
+                cd /opt/ids && ./deployment/run_analytics.sh
+              </code>
+            </div>
+
+            <div className="mt-4 p-3 bg-muted rounded-lg">
+              <p className="text-xs font-medium mb-2">Log:</p>
+              <code className="text-xs bg-background p-2 rounded block font-mono" data-testid="code-log-aggregator">
+                journalctl -u ids-analytics-aggregator.timer -f
+              </code>
+            </div>
+          </CardContent>
+        </Card>
       </div>
 
       {/* Additional Commands */}

client/src/pages/Training.tsx

@@ -198,14 +198,19 @@ export default function TrainingPage() {
       <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
         <Card data-testid="card-train-action">
           <CardHeader>
-            <CardTitle className="flex items-center gap-2">
+            <div className="flex items-center justify-between">
-              <Brain className="h-5 w-5" />
+              <CardTitle className="flex items-center gap-2">
-              Addestramento Modello
+                <Brain className="h-5 w-5" />
-            </CardTitle>
+                Addestramento Modello
+              </CardTitle>
+              <Badge variant="secondary" className="bg-blue-50 text-blue-700 dark:bg-blue-950 dark:text-blue-300" data-testid="badge-model-version">
+                Hybrid ML v2.0.0
+              </Badge>
+            </div>
           </CardHeader>
           <CardContent className="space-y-4">
             <p className="text-sm text-muted-foreground">
-              Addestra il modello Isolation Forest analizzando i log recenti per rilevare pattern di traffico normale.
+              Addestra il modello Hybrid ML (Isolation Forest + Ensemble Classifier) analizzando i log recenti per rilevare pattern di traffico normale.
             </p>
             <Dialog open={isTrainDialogOpen} onOpenChange={setIsTrainDialogOpen}>
               <DialogTrigger asChild>
@@ -273,14 +278,19 @@ export default function TrainingPage() {
 
         <Card data-testid="card-detect-action">
           <CardHeader>
-            <CardTitle className="flex items-center gap-2">
+            <div className="flex items-center justify-between">
-              <Search className="h-5 w-5" />
+              <CardTitle className="flex items-center gap-2">
-              Rilevamento Anomalie
+                <Search className="h-5 w-5" />
-            </CardTitle>
+                Rilevamento Anomalie
+              </CardTitle>
+              <Badge variant="secondary" className="bg-green-50 text-green-700 dark:bg-green-950 dark:text-green-300" data-testid="badge-detection-version">
+                Hybrid ML v2.0.0
+              </Badge>
+            </div>
           </CardHeader>
           <CardContent className="space-y-4">
             <p className="text-sm text-muted-foreground">
-              Analizza i log recenti per rilevare anomalie e IP sospetti. Opzionalmente blocca automaticamente gli IP critici.
+              Analizza i log recenti per rilevare anomalie e IP sospetti con il modello Hybrid ML. Blocca automaticamente gli IP critici (risk_score ≥ 80).
             </p>
             <Dialog open={isDetectDialogOpen} onOpenChange={setIsDetectDialogOpen}>
               <DialogTrigger asChild>

client/src/pages/Whitelist.tsx

@@ -2,7 +2,7 @@ import { useQuery, useMutation } from "@tanstack/react-query";
 import { queryClient, apiRequest } from "@/lib/queryClient";
 import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card";
 import { Button } from "@/components/ui/button";
-import { Shield, Plus, Trash2, CheckCircle2, XCircle } from "lucide-react";
+import { Shield, Plus, Trash2, CheckCircle2, XCircle, Search } from "lucide-react";
 import { format } from "date-fns";
 import { useState } from "react";
 import { useForm } from "react-hook-form";
@@ -44,6 +44,7 @@ const whitelistFormSchema = insertWhitelistSchema.extend({
 export default function WhitelistPage() {
   const { toast } = useToast();
   const [isAddDialogOpen, setIsAddDialogOpen] = useState(false);
+  const [searchQuery, setSearchQuery] = useState("");
 
   const form = useForm<z.infer<typeof whitelistFormSchema>>({
     resolver: zodResolver(whitelistFormSchema),
@@ -59,6 +60,13 @@ export default function WhitelistPage() {
     queryKey: ["/api/whitelist"],
   });
 
+  // Filter whitelist based on search query
+  const filteredWhitelist = whitelist?.filter((item) =>
+    item.ipAddress.toLowerCase().includes(searchQuery.toLowerCase()) ||
+    item.reason?.toLowerCase().includes(searchQuery.toLowerCase()) ||
+    item.comment?.toLowerCase().includes(searchQuery.toLowerCase())
+  );
+
   const addMutation = useMutation({
     mutationFn: async (data: z.infer<typeof whitelistFormSchema>) => {
       return await apiRequest("POST", "/api/whitelist", data);
@@ -189,11 +197,27 @@ export default function WhitelistPage() {
         </Dialog>
       </div>
 
+      {/* Search Bar */}
+      <Card data-testid="card-search">
+        <CardContent className="pt-6">
+          <div className="relative">
+            <Search className="absolute left-3 top-1/2 -translate-y-1/2 h-4 w-4 text-muted-foreground" />
+            <Input
+              placeholder="Cerca per IP, motivo o note..."
+              value={searchQuery}
+              onChange={(e) => setSearchQuery(e.target.value)}
+              className="pl-9"
+              data-testid="input-search-whitelist"
+            />
+          </div>
+        </CardContent>
+      </Card>
+
       <Card data-testid="card-whitelist">
         <CardHeader>
           <CardTitle className="flex items-center gap-2">
             <Shield className="h-5 w-5" />
-            IP Protetti ({whitelist?.length || 0})
+            IP Protetti ({filteredWhitelist?.length || 0}{searchQuery && whitelist ? ` di ${whitelist.length}` : ''})
           </CardTitle>
         </CardHeader>
         <CardContent>
@@ -201,9 +225,9 @@ export default function WhitelistPage() {
             <div className="text-center py-8 text-muted-foreground" data-testid="text-loading">
               Caricamento...
             </div>
-          ) : whitelist && whitelist.length > 0 ? (
+          ) : filteredWhitelist && filteredWhitelist.length > 0 ? (
             <div className="space-y-3">
-              {whitelist.map((item) => (
+              {filteredWhitelist.map((item) => (
                 <div
                   key={item.id}
                   className="p-4 rounded-lg border hover-elevate"

database-schema/apply_migrations.sh

@@ -13,6 +13,7 @@ set -e
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 MIGRATIONS_DIR="$SCRIPT_DIR/migrations"
 IDS_DIR="$(dirname "$SCRIPT_DIR")"
+DEPLOYMENT_MIGRATIONS_DIR="$IDS_DIR/deployment/migrations"
 
 # Carica variabili ambiente ed esportale
 if [ -f "$IDS_DIR/.env" ]; then
@@ -79,9 +80,25 @@ echo -e "${CYAN}📊 Versione database corrente: ${YELLOW}${CURRENT_VERSION}${NC
 # STEP 3: Trova migrazioni da applicare
 # =============================================================================
 # Formato migrazioni: 001_description.sql, 002_another.sql, etc.
+# Cerca in ENTRAMBE le cartelle: database-schema/migrations E deployment/migrations
 MIGRATIONS_TO_APPLY=()
 
-for migration_file in $(find "$MIGRATIONS_DIR" -name "[0-9][0-9][0-9]_*.sql" | sort); do
+# Combina migrations da entrambe le cartelle e ordina per numero
+ALL_MIGRATIONS=""
+if [ -d "$MIGRATIONS_DIR" ]; then
+    ALL_MIGRATIONS+=$(find "$MIGRATIONS_DIR" -name "[0-9][0-9][0-9]_*.sql" 2>/dev/null || true)
+fi
+if [ -d "$DEPLOYMENT_MIGRATIONS_DIR" ]; then
+    if [ -n "$ALL_MIGRATIONS" ]; then
+        ALL_MIGRATIONS+=$'\n'
+    fi
+    ALL_MIGRATIONS+=$(find "$DEPLOYMENT_MIGRATIONS_DIR" -name "[0-9][0-9][0-9]_*.sql" 2>/dev/null || true)
+fi
+
+# Ordina le migrations per nome file (NNN_*.sql) estraendo il basename
+SORTED_MIGRATIONS=$(echo "$ALL_MIGRATIONS" | grep -v '^$' | while read f; do echo "$(basename "$f"):$f"; done | sort | cut -d':' -f2)
+
+for migration_file in $SORTED_MIGRATIONS; do
     MIGRATION_NAME=$(basename "$migration_file")
     
     # Estrai numero versione dal nome file (001, 002, etc.)

database-schema/cleanup_old_logs.sql

@@ -1,7 +1,8 @@
 -- =============================================================================
 -- IDS - Pulizia Automatica Log Vecchi
 -- =============================================================================
--- Mantiene solo gli ultimi 7 giorni di network_logs
+-- Mantiene solo gli ultimi 3 giorni di network_logs
+-- Con 4.7M record/ora, 3 giorni = ~340M record massimi
 -- Esegui giornalmente via cron: psql $DATABASE_URL < cleanup_old_logs.sql
 -- =============================================================================
 
@@ -12,15 +13,15 @@ DECLARE
   old_count bigint;
 BEGIN
   SELECT COUNT(*) INTO total_count FROM network_logs;
-  SELECT COUNT(*) INTO old_count FROM network_logs WHERE timestamp < NOW() - INTERVAL '7 days';
+  SELECT COUNT(*) INTO old_count FROM network_logs WHERE timestamp < NOW() - INTERVAL '3 days';
   
   RAISE NOTICE 'Log totali: %', total_count;
-  RAISE NOTICE 'Log da eliminare (>7 giorni): %', old_count;
+  RAISE NOTICE 'Log da eliminare (>3 giorni): %', old_count;
 END $$;
 
--- Elimina log più vecchi di 7 giorni
+-- Elimina log più vecchi di 3 giorni
 DELETE FROM network_logs 
-WHERE timestamp < NOW() - INTERVAL '7 days';
+WHERE timestamp < NOW() - INTERVAL '3 days';
 
 -- Vacuum per liberare spazio fisico
 VACUUM ANALYZE network_logs;

database-schema/migrations/003_fix_network_logs_columns.sql

@@ -0,0 +1,54 @@
+-- =========================================================
+-- MIGRAZIONE 003: Fix network_logs columns (dest_ip -> destination_ip)
+-- =========================================================
+-- Assicura che le colonne di network_logs usino i nomi corretti
+
+-- Rinomina dest_ip -> destination_ip se esiste
+DO $$
+BEGIN
+    IF EXISTS (
+        SELECT 1 FROM information_schema.columns 
+        WHERE table_name = 'network_logs' AND column_name = 'dest_ip'
+    ) THEN
+        ALTER TABLE network_logs RENAME COLUMN dest_ip TO destination_ip;
+        RAISE NOTICE 'Colonna dest_ip rinominata in destination_ip';
+    END IF;
+END $$;
+
+-- Rinomina dest_port -> destination_port se esiste  
+DO $$
+BEGIN
+    IF EXISTS (
+        SELECT 1 FROM information_schema.columns 
+        WHERE table_name = 'network_logs' AND column_name = 'dest_port'
+    ) THEN
+        ALTER TABLE network_logs RENAME COLUMN dest_port TO destination_port;
+        RAISE NOTICE 'Colonna dest_port rinominata in destination_port';
+    END IF;
+END $$;
+
+-- Rinomina src_ip -> source_ip se esiste
+DO $$
+BEGIN
+    IF EXISTS (
+        SELECT 1 FROM information_schema.columns 
+        WHERE table_name = 'network_logs' AND column_name = 'src_ip'
+    ) THEN
+        ALTER TABLE network_logs RENAME COLUMN src_ip TO source_ip;
+        RAISE NOTICE 'Colonna src_ip rinominata in source_ip';
+    END IF;
+END $$;
+
+-- Rinomina src_port -> source_port se esiste
+DO $$
+BEGIN
+    IF EXISTS (
+        SELECT 1 FROM information_schema.columns 
+        WHERE table_name = 'network_logs' AND column_name = 'src_port'
+    ) THEN
+        ALTER TABLE network_logs RENAME COLUMN src_port TO source_port;
+        RAISE NOTICE 'Colonna src_port rinominata in source_port';
+    END IF;
+END $$;
+
+SELECT 'Migrazione 003 completata!' AS status;

database-schema/migrations/004_add_geolocation_to_detections.sql

@@ -0,0 +1,23 @@
+-- Migration 004: Add geolocation and AS information to detections table
+-- Date: 2025-11-22
+-- Description: Adds country, city, organization, AS number/name, ISP fields
+
+ALTER TABLE detections 
+ADD COLUMN IF NOT EXISTS country TEXT,
+ADD COLUMN IF NOT EXISTS country_code TEXT,
+ADD COLUMN IF NOT EXISTS city TEXT,
+ADD COLUMN IF NOT EXISTS organization TEXT,
+ADD COLUMN IF NOT EXISTS as_number TEXT,
+ADD COLUMN IF NOT EXISTS as_name TEXT,
+ADD COLUMN IF NOT EXISTS isp TEXT;
+
+-- Create index on country for fast filtering
+CREATE INDEX IF NOT EXISTS country_idx ON detections(country);
+
+-- Update schema_version
+INSERT INTO schema_version (version, description) 
+VALUES (4, 'Add geolocation and AS information to detections')
+ON CONFLICT (id) DO UPDATE SET 
+  version = 4,
+  applied_at = NOW(),
+  description = 'Add geolocation and AS information to detections';

database-schema/migrations/005_create_network_analytics.sql

@@ -0,0 +1,48 @@
+-- Migration 005: Create network_analytics table for permanent traffic statistics
+-- This table stores aggregated traffic data (normal + attacks) with hourly and daily granularity
+-- Data persists beyond the 3-day log retention for long-term analytics
+
+CREATE TABLE IF NOT EXISTS network_analytics (
+    id VARCHAR PRIMARY KEY DEFAULT gen_random_uuid(),
+    date TIMESTAMP NOT NULL,
+    hour INT,  -- NULL = daily aggregation, 0-23 = hourly
+    
+    -- Total traffic metrics
+    total_packets INT NOT NULL DEFAULT 0,
+    total_bytes BIGINT NOT NULL DEFAULT 0,
+    unique_ips INT NOT NULL DEFAULT 0,
+    
+    -- Normal traffic (non-anomalous)
+    normal_packets INT NOT NULL DEFAULT 0,
+    normal_bytes BIGINT NOT NULL DEFAULT 0,
+    normal_unique_ips INT NOT NULL DEFAULT 0,
+    top_normal_ips TEXT,  -- JSON: [{ip, packets, bytes, country}]
+    
+    -- Attack/Anomaly traffic
+    attack_packets INT NOT NULL DEFAULT 0,
+    attack_bytes BIGINT NOT NULL DEFAULT 0,
+    attack_unique_ips INT NOT NULL DEFAULT 0,
+    attacks_by_country TEXT,  -- JSON: {IT: 5, RU: 30, ...}
+    attacks_by_type TEXT,  -- JSON: {ddos: 10, port_scan: 5, ...}
+    top_attackers TEXT,  -- JSON: [{ip, country, risk_score, packets}]
+    
+    -- Geographic distribution (all traffic)
+    traffic_by_country TEXT,  -- JSON: {IT: {normal: 100, attacks: 5}, ...}
+    
+    created_at TIMESTAMP NOT NULL DEFAULT NOW(),
+    
+    -- Ensure unique aggregation per date/hour
+    UNIQUE(date, hour)
+);
+
+-- Indexes for fast queries
+CREATE INDEX IF NOT EXISTS network_analytics_date_hour_idx ON network_analytics(date, hour);
+CREATE INDEX IF NOT EXISTS network_analytics_date_idx ON network_analytics(date);
+
+-- Update schema version
+INSERT INTO schema_version (version, description)
+VALUES (5, 'Create network_analytics table for traffic statistics')
+ON CONFLICT (id) DO UPDATE SET
+    version = 5,
+    description = 'Create network_analytics table for traffic statistics',
+    applied_at = NOW();

database-schema/schema.sql

@@ -2,9 +2,9 @@
 -- PostgreSQL database dump
 --
 
-\restrict gwYwjCOZ3WZwlWpd9Ke8qeW37L7MJg0AM9xgiUAAK2ONf1Y3ubYQiK8rEVcSjpr
+\restrict Jq3ohS02Qcz3l9bNbeQprTZolEFbFh84eEwk4en2HkAqc2Xojxrd4AFqHJvBETG
 
--- Dumped from database version 16.9 (415ebe8)
+-- Dumped from database version 16.11 (74c6bb6)
 -- Dumped by pg_dump version 16.10
 
 SET statement_timeout = 0;
@@ -38,7 +38,42 @@ CREATE TABLE public.detections (
     last_seen timestamp without time zone NOT NULL,
     blocked boolean DEFAULT false NOT NULL,
     blocked_at timestamp without time zone,
-    detected_at timestamp without time zone DEFAULT now() NOT NULL
+    detected_at timestamp without time zone DEFAULT now() NOT NULL,
+    country text,
+    country_code text,
+    city text,
+    organization text,
+    as_number text,
+    as_name text,
+    isp text,
+    detection_source text DEFAULT 'ml_model'::text,
+    blacklist_id character varying
+);
+
+
+--
+-- Name: network_analytics; Type: TABLE; Schema: public; Owner: -
+--
+
+CREATE TABLE public.network_analytics (
+    id character varying DEFAULT gen_random_uuid() NOT NULL,
+    date timestamp without time zone NOT NULL,
+    hour integer,
+    total_packets integer DEFAULT 0 NOT NULL,
+    total_bytes bigint DEFAULT 0 NOT NULL,
+    unique_ips integer DEFAULT 0 NOT NULL,
+    normal_packets integer DEFAULT 0 NOT NULL,
+    normal_bytes bigint DEFAULT 0 NOT NULL,
+    normal_unique_ips integer DEFAULT 0 NOT NULL,
+    top_normal_ips text,
+    attack_packets integer DEFAULT 0 NOT NULL,
+    attack_bytes bigint DEFAULT 0 NOT NULL,
+    attack_unique_ips integer DEFAULT 0 NOT NULL,
+    attacks_by_country text,
+    attacks_by_type text,
+    top_attackers text,
+    traffic_by_country text,
+    created_at timestamp without time zone DEFAULT now() NOT NULL
 );
 
 
@@ -51,9 +86,9 @@ CREATE TABLE public.network_logs (
     router_id character varying NOT NULL,
     "timestamp" timestamp without time zone NOT NULL,
     source_ip text NOT NULL,
-    dest_ip text,
+    destination_ip text,
     source_port integer,
-    dest_port integer,
+    destination_port integer,
     protocol text,
     action text,
     bytes integer,
@@ -63,6 +98,44 @@ CREATE TABLE public.network_logs (
 );
 
 
+--
+-- Name: public_blacklist_ips; Type: TABLE; Schema: public; Owner: -
+--
+
+CREATE TABLE public.public_blacklist_ips (
+    id character varying DEFAULT (gen_random_uuid())::text NOT NULL,
+    ip_address text NOT NULL,
+    cidr_range text,
+    ip_inet text,
+    cidr_inet text,
+    list_id character varying NOT NULL,
+    first_seen timestamp without time zone DEFAULT now() NOT NULL,
+    last_seen timestamp without time zone DEFAULT now() NOT NULL,
+    is_active boolean DEFAULT true NOT NULL
+);
+
+
+--
+-- Name: public_lists; Type: TABLE; Schema: public; Owner: -
+--
+
+CREATE TABLE public.public_lists (
+    id character varying DEFAULT (gen_random_uuid())::text NOT NULL,
+    name text NOT NULL,
+    type text NOT NULL,
+    url text NOT NULL,
+    enabled boolean DEFAULT true NOT NULL,
+    fetch_interval_minutes integer DEFAULT 10 NOT NULL,
+    last_fetch timestamp without time zone,
+    last_success timestamp without time zone,
+    total_ips integer DEFAULT 0 NOT NULL,
+    active_ips integer DEFAULT 0 NOT NULL,
+    error_count integer DEFAULT 0 NOT NULL,
+    last_error text,
+    created_at timestamp without time zone DEFAULT now() NOT NULL
+);
+
+
 --
 -- Name: routers; Type: TABLE; Schema: public; Owner: -
 --
@@ -120,7 +193,10 @@ CREATE TABLE public.whitelist (
     reason text,
     created_by text,
     active boolean DEFAULT true NOT NULL,
-    created_at timestamp without time zone DEFAULT now() NOT NULL
+    created_at timestamp without time zone DEFAULT now() NOT NULL,
+    source text DEFAULT 'manual'::text,
+    list_id character varying,
+    ip_inet text
 );
 
 
@@ -132,6 +208,22 @@ ALTER TABLE ONLY public.detections
     ADD CONSTRAINT detections_pkey PRIMARY KEY (id);
 
 
+--
+-- Name: network_analytics network_analytics_date_hour_key; Type: CONSTRAINT; Schema: public; Owner: -
+--
+
+ALTER TABLE ONLY public.network_analytics
+    ADD CONSTRAINT network_analytics_date_hour_key UNIQUE (date, hour);
+
+
+--
+-- Name: network_analytics network_analytics_pkey; Type: CONSTRAINT; Schema: public; Owner: -
+--
+
+ALTER TABLE ONLY public.network_analytics
+    ADD CONSTRAINT network_analytics_pkey PRIMARY KEY (id);
+
+
 --
 -- Name: network_logs network_logs_pkey; Type: CONSTRAINT; Schema: public; Owner: -
 --
@@ -140,6 +232,30 @@ ALTER TABLE ONLY public.network_logs
     ADD CONSTRAINT network_logs_pkey PRIMARY KEY (id);
 
 
+--
+-- Name: public_blacklist_ips public_blacklist_ips_ip_address_list_id_key; Type: CONSTRAINT; Schema: public; Owner: -
+--
+
+ALTER TABLE ONLY public.public_blacklist_ips
+    ADD CONSTRAINT public_blacklist_ips_ip_address_list_id_key UNIQUE (ip_address, list_id);
+
+
+--
+-- Name: public_blacklist_ips public_blacklist_ips_pkey; Type: CONSTRAINT; Schema: public; Owner: -
+--
+
+ALTER TABLE ONLY public.public_blacklist_ips
+    ADD CONSTRAINT public_blacklist_ips_pkey PRIMARY KEY (id);
+
+
+--
+-- Name: public_lists public_lists_pkey; Type: CONSTRAINT; Schema: public; Owner: -
+--
+
+ALTER TABLE ONLY public.public_lists
+    ADD CONSTRAINT public_lists_pkey PRIMARY KEY (id);
+
+
 --
 -- Name: routers routers_ip_address_unique; Type: CONSTRAINT; Schema: public; Owner: -
 --
@@ -188,6 +304,13 @@ ALTER TABLE ONLY public.whitelist
     ADD CONSTRAINT whitelist_pkey PRIMARY KEY (id);
 
 
+--
+-- Name: country_idx; Type: INDEX; Schema: public; Owner: -
+--
+
+CREATE INDEX country_idx ON public.detections USING btree (country);
+
+
 --
 -- Name: detected_at_idx; Type: INDEX; Schema: public; Owner: -
 --
@@ -202,6 +325,20 @@ CREATE INDEX detected_at_idx ON public.detections USING btree (detected_at);
 CREATE INDEX detection_source_ip_idx ON public.detections USING btree (source_ip);
 
 
+--
+-- Name: network_analytics_date_hour_idx; Type: INDEX; Schema: public; Owner: -
+--
+
+CREATE INDEX network_analytics_date_hour_idx ON public.network_analytics USING btree (date, hour);
+
+
+--
+-- Name: network_analytics_date_idx; Type: INDEX; Schema: public; Owner: -
+--
+
+CREATE INDEX network_analytics_date_idx ON public.network_analytics USING btree (date);
+
+
 --
 -- Name: risk_score_idx; Type: INDEX; Schema: public; Owner: -
 --
@@ -238,9 +375,17 @@ ALTER TABLE ONLY public.network_logs
     ADD CONSTRAINT network_logs_router_id_routers_id_fk FOREIGN KEY (router_id) REFERENCES public.routers(id);
 
 
+--
+-- Name: public_blacklist_ips public_blacklist_ips_list_id_fkey; Type: FK CONSTRAINT; Schema: public; Owner: -
+--
+
+ALTER TABLE ONLY public.public_blacklist_ips
+    ADD CONSTRAINT public_blacklist_ips_list_id_fkey FOREIGN KEY (list_id) REFERENCES public.public_lists(id) ON DELETE CASCADE;
+
+
 --
 -- PostgreSQL database dump complete
 --
 
-\unrestrict gwYwjCOZ3WZwlWpd9Ke8qeW37L7MJg0AM9xgiUAAK2ONf1Y3ubYQiK8rEVcSjpr
+\unrestrict Jq3ohS02Qcz3l9bNbeQprTZolEFbFh84eEwk4en2HkAqc2Xojxrd4AFqHJvBETG
 

deployment/AUTO_BLOCKING_SETUP.md

@@ -0,0 +1,260 @@
+# Auto-Blocking Setup - IDS MikroTik
+
+## 📋 Panoramica
+
+Sistema di auto-blocking automatico che rileva e blocca IP con **risk_score >= 80** ogni 5 minuti.
+
+**Componenti**:
+1. `python_ml/auto_block.py` - Script Python che chiama API ML
+2. `deployment/systemd/ids-auto-block.service` - Systemd service
+3. `deployment/systemd/ids-auto-block.timer` - Timer esecuzione ogni 5 minuti
+
+---
+
+## 🚀 Installazione su AlmaLinux
+
+### 1️⃣ Prerequisiti
+
+Verifica che questi servizi siano attivi:
+```bash
+sudo systemctl status ids-ml-backend    # ML Backend FastAPI
+sudo systemctl status postgresql-16     # Database PostgreSQL
+```
+
+### 2️⃣ Copia File Systemd
+
+```bash
+# Service file
+sudo cp /opt/ids/deployment/systemd/ids-auto-block.service /etc/systemd/system/
+
+# Timer file
+sudo cp /opt/ids/deployment/systemd/ids-auto-block.timer /etc/systemd/system/
+
+# Verifica permessi
+sudo chown root:root /etc/systemd/system/ids-auto-block.*
+sudo chmod 644 /etc/systemd/system/ids-auto-block.*
+```
+
+### 3️⃣ Rendi Eseguibile Script Python
+
+```bash
+chmod +x /opt/ids/python_ml/auto_block.py
+```
+
+### 4️⃣ Installa Dipendenza Python (requests)
+
+```bash
+# Attiva virtual environment
+cd /opt/ids/python_ml
+source venv/bin/activate
+
+# Installa requests
+pip install requests
+
+# Esci da venv
+deactivate
+```
+
+### 5️⃣ Crea Directory Log
+
+```bash
+sudo mkdir -p /var/log/ids
+sudo chown ids:ids /var/log/ids
+```
+
+### 6️⃣ Ricarica Systemd e Avvia Timer
+
+```bash
+# Ricarica systemd
+sudo systemctl daemon-reload
+
+# Abilita timer (autostart al boot)
+sudo systemctl enable ids-auto-block.timer
+
+# Avvia timer
+sudo systemctl start ids-auto-block.timer
+```
+
+---
+
+## ✅ Verifica Funzionamento
+
+### Test Manuale (esegui subito)
+
+```bash
+# Esegui auto-blocking adesso (non aspettare 5 min)
+sudo systemctl start ids-auto-block.service
+
+# Controlla log output
+journalctl -u ids-auto-block -n 30
+```
+
+**Output atteso**:
+```
+[2024-11-25 12:00:00] 🔍 Starting auto-block detection...
+✓ Detection completata: 14 anomalie rilevate, 14 IP bloccati
+```
+
+### Verifica Timer Attivo
+
+```bash
+# Status timer
+systemctl status ids-auto-block.timer
+
+# Prossime esecuzioni
+systemctl list-timers ids-auto-block.timer
+
+# Ultima esecuzione
+journalctl -u ids-auto-block.service -n 1
+```
+
+### Verifica IP Bloccati
+
+**Database**:
+```sql
+SELECT COUNT(*) FROM detections WHERE blocked = true;
+```
+
+**MikroTik Router**:
+```
+/ip firewall address-list print where list=blocked_ips
+```
+
+---
+
+## 📊 Monitoring
+
+### Log in Tempo Reale
+
+```bash
+# Log auto-blocking
+tail -f /var/log/ids/auto_block.log
+
+# O via journalctl
+journalctl -u ids-auto-block -f
+```
+
+### Statistiche Blocchi
+
+```bash
+# Conta esecuzioni ultimo giorno
+journalctl -u ids-auto-block --since "1 day ago" | grep "Detection completata" | wc -l
+
+# Totale IP bloccati oggi
+journalctl -u ids-auto-block --since today | grep "IP bloccati"
+```
+
+---
+
+## ⚙️ Configurazione
+
+### Modifica Frequenza Esecuzione
+
+Edita `/etc/systemd/system/ids-auto-block.timer`:
+
+```ini
+[Timer]
+# Cambia 5min con frequenza desiderata (es: 10min, 1h, 30s)
+OnUnitActiveSec=10min  # Esegui ogni 10 minuti
+```
+
+Poi ricarica:
+```bash
+sudo systemctl daemon-reload
+sudo systemctl restart ids-auto-block.timer
+```
+
+### Modifica Threshold Risk Score
+
+Edita `python_ml/auto_block.py`:
+
+```python
+"risk_threshold": 80.0,  # Cambia soglia (80, 90, 100, etc)
+```
+
+Poi riavvia timer:
+```bash
+sudo systemctl restart ids-auto-block.timer
+```
+
+---
+
+## 🛠️ Troubleshooting
+
+### Problema: Nessun IP bloccato
+
+**Verifica ML Backend attivo**:
+```bash
+systemctl status ids-ml-backend
+curl http://localhost:8000/health
+```
+
+**Verifica router configurati**:
+```sql
+SELECT * FROM routers WHERE enabled = true;
+```
+
+Deve esserci almeno 1 router!
+
+### Problema: Errore "Connection refused"
+
+ML Backend non risponde su porta 8000:
+```bash
+# Riavvia ML backend
+sudo systemctl restart ids-ml-backend
+
+# Verifica porta listening
+netstat -tlnp | grep 8000
+```
+
+### Problema: Script non eseguito
+
+**Verifica timer attivo**:
+```bash
+systemctl status ids-auto-block.timer
+```
+
+**Forza esecuzione manuale**:
+```bash
+sudo systemctl start ids-auto-block.service
+journalctl -u ids-auto-block -n 50
+```
+
+---
+
+## 🔄 Disinstallazione
+
+```bash
+# Stop e disabilita timer
+sudo systemctl stop ids-auto-block.timer
+sudo systemctl disable ids-auto-block.timer
+
+# Rimuovi file systemd
+sudo rm /etc/systemd/system/ids-auto-block.*
+
+# Ricarica systemd
+sudo systemctl daemon-reload
+```
+
+---
+
+## 📝 Note
+
+- **Frequenza**: 5 minuti (configurabile)
+- **Risk Threshold**: 80 (solo IP critici)
+- **Timeout**: 180 secondi (3 minuti max per detection)
+- **Logs**: `/var/log/ids/auto_block.log` + journalctl
+- **Dipendenze**: ids-ml-backend.service, postgresql-16.service
+
+---
+
+## ✅ Checklist Post-Installazione
+
+- [ ] File copiati in `/etc/systemd/system/`
+- [ ] Script `auto_block.py` eseguibile
+- [ ] Dipendenza `requests` installata in venv
+- [ ] Directory log creata (`/var/log/ids`)
+- [ ] Timer abilitato e avviato
+- [ ] Test manuale eseguito con successo
+- [ ] IP bloccati su MikroTik verificati
+- [ ] Monitoring attivo (journalctl -f)

deployment/CHECKLIST_DEPLOY.md

@@ -0,0 +1,223 @@
+# ✅ Checklist Deploy IDS - AlmaLinux 9
+
+## 📋 Procedura Completa per Deploy Sicuro
+
+### 1. **Pre-Deploy: Verifiche Locali**
+
+```bash
+# Su Replit - verificare che non ci siano errori
+npm run build
+npm run db:push --force  # Sync schema database
+```
+
+### 2. **Commit e Push su GitLab**
+
+```bash
+# Su Replit
+./push-gitlab.sh
+```
+
+*Messaggio commit descrittivo consigliato con tipo di modifica*
+
+---
+
+### 3. **Pull Codice sul Server**
+
+```bash
+# Sul server AlmaLinux
+cd /opt/ids
+./deployment/update_from_git.sh
+
+# Se ci sono migrations database
+./deployment/update_from_git.sh --db
+```
+
+---
+
+### 4. **CRITICO: Setup Servizi Systemd**
+
+#### 4a. Servizi Python (ML Backend & Syslog Parser)
+```bash
+# Prima volta O dopo modifiche ai .service files
+sudo ./deployment/install_systemd_services.sh
+```
+
+#### 4b. ⚠️ **Analytics Aggregator Timer** (SPESSO DIMENTICATO!)
+```bash
+# IMPORTANTE: Deve essere fatto SEMPRE al primo deploy
+sudo ./deployment/setup_analytics_timer.sh
+
+# Verifica che sia attivo
+sudo systemctl list-timers ids-analytics-aggregator.timer
+```
+
+**Perché è critico?**
+- Dashboard Live e Analytics Storici dipendono da aggregazioni orarie
+- Se il timer non è attivo → dati fermi/vecchi!
+- Ultima run > 2 ore = problema grave
+
+---
+
+### 5. **Restart Servizi Modificati**
+
+```bash
+# Se hai modificato codice Python ML
+sudo systemctl restart ids-ml-backend
+
+# Se hai modificato syslog_parser.py
+sudo systemctl restart ids-syslog-parser
+
+# Se hai modificato frontend (Node.js)
+./deployment/restart_frontend.sh
+```
+
+---
+
+### 6. **Verifiche Post-Deploy**
+
+#### 6a. Check Status Servizi
+```bash
+# Verifica tutti i servizi
+sudo systemctl status ids-ml-backend
+sudo systemctl status ids-syslog-parser
+sudo systemctl status ids-analytics-aggregator.timer
+
+# Verifica prossima esecuzione timer
+sudo systemctl list-timers | grep ids-analytics
+```
+
+**Output atteso Analytics Timer:**
+```
+NEXT                         LEFT     LAST                         PASSED  UNIT                              ACTIVATES
+Sun 2025-11-24 17:05:00 CET  14min    Sun 2025-11-24 16:05:00 CET  35min   ids-analytics-aggregator.timer   ids-analytics-aggregator.service
+```
+
+#### 6b. Check Logs (primi 2-3 minuti)
+```bash
+# ML Backend
+tail -f /var/log/ids/backend.log
+
+# Syslog Parser  
+tail -f /var/log/ids/syslog_parser.log
+
+# Analytics Aggregator (journal)
+journalctl -u ids-analytics-aggregator -n 50
+```
+
+#### 6c. Test API Endpoints
+```bash
+# Health checks
+curl http://localhost:5000/api/stats
+curl http://localhost:8000/health
+
+# Verifica Analytics
+curl http://localhost:5000/api/analytics/recent | jq '.[] | length'
+```
+
+#### 6d. Check Database
+```bash
+# Verifica tabelle critiche
+sudo -u postgres psql ids -c "\dt"
+
+# Verifica ultime aggregazioni
+sudo -u postgres psql ids -c "SELECT COUNT(*), MAX(date), MAX(hour) FROM network_analytics;"
+
+# Verifica ultime detections
+sudo -u postgres psql ids -c "SELECT COUNT(*), MAX(detected_at) FROM detections;"
+```
+
+---
+
+### 7. **Troubleshooting Comuni**
+
+#### Problem: Analytics Aggregator non gira
+```bash
+# Soluzione
+sudo ./deployment/setup_analytics_timer.sh
+
+# Forza run immediata
+sudo systemctl start ids-analytics-aggregator
+
+# Check log
+journalctl -u ids-analytics-aggregator -n 50
+```
+
+#### Problem: ML Backend crash loop
+```bash
+# Check log per errore
+tail -100 /var/log/ids/backend.log
+
+# Spesso è problema .env o venv
+ls -la /opt/ids/.env  # Deve esistere e 600 permissions
+ls -la /opt/ids/python_ml/venv/  # Deve esistere
+```
+
+#### Problem: Syslog Parser non processa log
+```bash
+# Verifica RSyslog riceve dati
+tail -f /var/log/mikrotik/raw.log
+
+# Verifica parser in esecuzione
+ps aux | grep syslog_parser | grep -v grep
+
+# Check permessi file log
+ls -la /var/log/mikrotik/
+```
+
+---
+
+### 8. **Checklist Finale (Prima di Dichiarare Deploy OK)**
+
+- [ ] ML Backend: `systemctl status ids-ml-backend` → **active (running)**
+- [ ] Syslog Parser: `systemctl status ids-syslog-parser` → **active (running)**
+- [ ] Analytics Timer: `systemctl status ids-analytics-aggregator.timer` → **active (waiting)**
+- [ ] Next timer run: `systemctl list-timers` → mostra prossima esecuzione < 1 ora
+- [ ] Frontend: `curl http://localhost:5000/` → **200 OK**
+- [ ] ML API: `curl http://localhost:8000/health` → **{"status":"healthy"}**
+- [ ] Database: `psql $DATABASE_URL -c "SELECT 1"` → **?column? 1**
+- [ ] Analytics data: Ultima aggregazione < 2 ore fa
+- [ ] Logs: Nessun errore critico negli ultimi 5 minuti
+- [ ] Web UI: Dashboard e Analytics caricano senza errori
+
+---
+
+## 🚨 Errori Comuni da Evitare
+
+1. **Dimenticare setup_analytics_timer.sh** → Dashboard fermi!
+2. Non verificare timer systemd dopo deploy
+3. Non controllare logs dopo restart servizi
+4. Non testare API endpoints prima di dichiarare deploy OK
+5. Modificare .env senza chmod 600
+6. Fare `git pull` invece di `./update_from_git.sh`
+
+---
+
+## 📊 Monitoring Continuo
+
+```bash
+# Script debug completo
+./deployment/debug_system.sh
+
+# Verifica salute sistema ogni ora (crontab)
+0 * * * * /opt/ids/deployment/check_backend.sh
+```
+
+---
+
+## 🆘 In Caso di Emergenza
+
+```bash
+# Restart completo sistema IDS
+sudo ./deployment/restart_all.sh
+
+# Backup database PRIMA di interventi drastici
+./deployment/backup_db.sh
+
+# Restore da backup
+pg_restore -U postgres -d ids /backup/ids_backup_YYYYMMDD.dump
+```
+
+---
+
+**Ultimo aggiornamento:** 24 Novembre 2025  
+**Versione:** 1.0.0

deployment/CHECKLIST_ML_HYBRID.md

@@ -0,0 +1,549 @@
+# Deployment Checklist - Hybrid ML Detector
+
+Sistema ML avanzato per riduzione falsi positivi 80-90% con Extended Isolation Forest
+
+## 📋 Pre-requisiti
+
+- [ ] Server AlmaLinux 9 con accesso SSH
+- [ ] PostgreSQL con database IDS attivo
+- [ ] Python 3.11+ installato
+- [ ] Venv attivo: `/opt/ids/python_ml/venv`
+- [ ] Almeno 7 giorni di traffico real nel database (per training su dati reali)
+
+---
+
+## 🔧 Step 1: Installazione Dipendenze
+
+✅ **SEMPLIFICATO**: Nessuna compilazione richiesta, solo wheels pre-compilati!
+
+```bash
+# SSH al server
+ssh user@ids.alfacom.it
+
+# Esegui script installazione ML dependencies
+cd /opt/ids
+chmod +x deployment/install_ml_deps.sh
+./deployment/install_ml_deps.sh
+
+# Output atteso:
+# 🔧 Attivazione virtual environment...
+# 📍 Python in uso: /opt/ids/python_ml/venv/bin/python
+# ✅ pip/setuptools/wheel aggiornati
+# ✅ Dipendenze ML installate con successo
+# ✅ sklearn IsolationForest OK
+# ✅ XGBoost OK
+# ✅ TUTTO OK! Hybrid ML Detector pronto per l'uso
+# ℹ️  INFO: Sistema usa sklearn.IsolationForest (compatibile Python 3.11+)
+```
+
+**Dipendenze ML**:
+- `xgboost==2.0.3` - Gradient Boosting per ensemble classifier
+- `joblib==1.3.2` - Model persistence e serializzazione
+- `sklearn.IsolationForest` - Anomaly detection (già in scikit-learn==1.3.2)
+
+**Perché sklearn.IsolationForest invece di Extended IF?**
+1. **Compatibilità Python 3.11+**: Wheels pre-compilati, zero compilazione
+2. **Production-grade**: Libreria mantenuta e stabile
+3. **Metrics raggiungibili**: Target 95% precision, 88-92% recall con IF standard + ensemble
+4. **Fallback già implementato**: Codice supportava già IF standard come fallback
+
+---
+
+## 🧪 Step 2: Quick Test (Dataset Sintetico)
+
+Testa il sistema con dataset sintetico per verificare funzionamento:
+
+```bash
+cd /opt/ids/python_ml
+
+# Test rapido con 10k samples sintetici
+python train_hybrid.py --test
+
+# Cosa aspettarsi:
+# - Dataset creato: 10000 samples (90% normal, 10% attacks)
+# - Training completato su ~7000 normal samples
+# - Detection results con confidence scoring
+# - Validation metrics (Precision, Recall, F1, FPR)
+```
+
+**Output atteso**:
+```
+[TEST] Created synthetic dataset: 10,000 samples
+  Normal:  9,000 (90.0%)
+  Attacks: 1,000 (10.0%)
+
+[TEST] Training on 6,300 normal samples...
+[HYBRID] Training unsupervised model on 6,300 logs...
+[HYBRID] Extracted features for X unique IPs
+[HYBRID] Feature selection: 25 → 18 features
+[HYBRID] Training Extended Isolation Forest...
+[HYBRID] Training completed! X/Y IPs flagged as anomalies
+
+[TEST] Detection results:
+  Total detections: XX
+  High confidence:   XX
+  Medium confidence: XX
+  Low confidence:    XX
+
+╔══════════════════════════════════════════════════════════════╗
+║                    Synthetic Test Results                     ║
+╚══════════════════════════════════════════════════════════════╝
+
+🎯 Primary Metrics:
+  Precision:     XX.XX%  (of 100 flagged, how many are real attacks)
+  Recall:        XX.XX%  (of 100 attacks, how many detected)
+  F1-Score:      XX.XX%  (harmonic mean of P&R)
+  
+⚠️  False Positive Analysis:
+  FP Rate:       XX.XX%  (normal traffic flagged as attack)
+```
+
+**Criterio successo**: 
+- Precision ≥ 70% (test sintetico)
+- FPR ≤ 10%
+- Nessun crash
+
+---
+
+## 🎯 Step 3: Training su Traffico Reale
+
+Addestra il modello sui log reali (ultimi 7 giorni):
+
+```bash
+cd /opt/ids/python_ml
+
+# Training su database (ultimi 7 giorni)
+python train_hybrid.py --train --source database \
+  --db-host localhost \
+  --db-port 5432 \
+  --db-name ids \
+  --db-user postgres \
+  --db-password "YOUR_PASSWORD" \
+  --days 7
+
+# Modelli salvati in: python_ml/models/
+# - isolation_forest_latest.pkl
+# - scaler_latest.pkl
+# - feature_selector_latest.pkl
+# - metadata_latest.json
+```
+
+**Cosa succede**:
+1. Carica ultimi 7 giorni di `network_logs` (fino a 1M records)
+2. Estrae 25 features per ogni source_ip
+3. Applica Chi-Square feature selection → 18 features
+4. Addestra Extended Isolation Forest (contamination=3%)
+5. Salva modelli in `models/`
+
+**Criterio successo**:
+- Training completato senza errori
+- File modelli creati in `python_ml/models/`
+- Log mostra "✅ Training completed!"
+
+---
+
+## 📊 Step 4: (Opzionale) Validazione CICIDS2017
+
+Per validare con dataset scientifico (solo se si vuole benchmark accurato):
+
+### 4.1 Download CICIDS2017
+
+```bash
+# Crea directory dataset
+mkdir -p /opt/ids/python_ml/datasets/cicids2017
+
+# Scarica manualmente da:
+# https://www.unb.ca/cic/datasets/ids-2017.html
+# Estrai i file CSV in: /opt/ids/python_ml/datasets/cicids2017/
+
+# File richiesti (8 giorni):
+# - Monday-WorkingHours.pcap_ISCX.csv
+# - Tuesday-WorkingHours.pcap_ISCX.csv
+# - ... (tutti i file CSV)
+```
+
+### 4.2 Validazione (10% sample per test)
+
+```bash
+cd /opt/ids/python_ml
+
+# Validazione con 10% del dataset (test veloce)
+python train_hybrid.py --validate --sample 0.1
+
+# Validazione completa (LENTO - può richiedere ore!)
+# python train_hybrid.py --validate
+```
+
+**Output atteso**:
+```
+╔══════════════════════════════════════════════════════════════╗
+║              CICIDS2017 Validation Results                    ║
+╚══════════════════════════════════════════════════════════════╝
+
+🎯 Primary Metrics:
+  Precision:     ≥90.00%  ✅ TARGET
+  Recall:        ≥80.00%  ✅ TARGET
+  F1-Score:      ≥85.00%  ✅ TARGET
+  
+⚠️  False Positive Analysis:
+  FP Rate:       ≤5.00%   ✅ TARGET
+
+[VALIDATE] Checking production deployment criteria...
+✅ Model ready for production deployment!
+```
+
+**Criterio successo production**:
+- Precision ≥ 90%
+- Recall ≥ 80%
+- FPR ≤ 5%
+- F1-Score ≥ 85%
+
+---
+
+## 🚀 Step 5: Deploy in Produzione
+
+### 5.1 Configura Environment Variable
+
+```bash
+# Aggiungi al .env del ML backend
+echo "USE_HYBRID_DETECTOR=true" >> /opt/ids/python_ml/.env
+
+# Oppure export manuale
+export USE_HYBRID_DETECTOR=true
+```
+
+**Default**: `USE_HYBRID_DETECTOR=true` (nuovo detector attivo)
+
+Per rollback: `USE_HYBRID_DETECTOR=false` (usa legacy detector)
+
+### 5.2 Restart ML Backend
+
+```bash
+# Systemd service
+sudo systemctl restart ids-ml-backend
+
+# Verifica startup
+sudo systemctl status ids-ml-backend
+sudo journalctl -u ids-ml-backend -f
+
+# Cerca log:
+# "[ML] Using Hybrid ML Detector (Extended Isolation Forest + Feature Selection)"
+# "[HYBRID] Models loaded (version: latest)"
+```
+
+### 5.3 Test API
+
+```bash
+# Test health check
+curl http://localhost:8000/health
+
+# Output atteso:
+{
+  "status": "healthy",
+  "database": "connected",
+  "ml_model": "loaded",
+  "ml_model_type": "hybrid (EIF + Feature Selection)",
+  "timestamp": "2025-11-24T18:30:00"
+}
+
+# Test root endpoint
+curl http://localhost:8000/
+
+# Output atteso:
+{
+  "service": "IDS API",
+  "version": "2.0.0",
+  "status": "running",
+  "model_type": "hybrid",
+  "model_loaded": true,
+  "use_hybrid": true
+}
+```
+
+---
+
+## 📈 Step 6: Monitoring & Validation
+
+### 6.1 Primo Detection Run
+
+```bash
+# API call per detection (con API key se configurata)
+curl -X POST http://localhost:8000/detect \
+  -H "Content-Type: application/json" \
+  -H "X-API-Key: YOUR_API_KEY" \
+  -d '{
+    "max_records": 5000,
+    "hours_back": 1,
+    "risk_threshold": 60.0,
+    "auto_block": false
+  }'
+```
+
+### 6.2 Verifica Detections
+
+```bash
+# Query PostgreSQL per vedere detections
+psql -d ids -c "
+SELECT 
+  source_ip, 
+  risk_score, 
+  confidence, 
+  anomaly_type,
+  detected_at
+FROM detections 
+ORDER BY detected_at DESC 
+LIMIT 10;
+"
+```
+
+### 6.3 Monitoring Logs
+
+```bash
+# Monitora log ML backend
+sudo journalctl -u ids-ml-backend -f | grep -E "(HYBRID|DETECT|TRAIN)"
+
+# Log chiave:
+# - "[HYBRID] Models loaded" - Modello caricato OK
+# - "[DETECT] Using Hybrid ML Detector" - Detection con nuovo modello
+# - "[DETECT] Detected X unique IPs above threshold" - Risultati
+```
+
+---
+
+## 🔄 Step 7: Re-training Periodico
+
+Il modello va ri-addestrato periodicamente (es. settimanalmente) su traffico recente:
+
+### Opzione A: Manuale
+
+```bash
+# Ogni settimana
+cd /opt/ids/python_ml
+source venv/bin/activate
+
+python train_hybrid.py --train --source database \
+  --db-password "YOUR_PASSWORD" \
+  --days 7
+```
+
+### Opzione B: Cron Job
+
+```bash
+# Crea script wrapper
+cat > /opt/ids/scripts/retrain_ml.sh << 'EOF'
+#!/bin/bash
+set -e
+
+cd /opt/ids/python_ml
+source venv/bin/activate
+
+python train_hybrid.py --train --source database \
+  --db-host localhost \
+  --db-port 5432 \
+  --db-name ids \
+  --db-user postgres \
+  --db-password "$PGPASSWORD" \
+  --days 7
+
+# Restart backend per caricare nuovo modello
+sudo systemctl restart ids-ml-backend
+
+echo "[$(date)] ML model retrained successfully"
+EOF
+
+chmod +x /opt/ids/scripts/retrain_ml.sh
+
+# Aggiungi cron (ogni domenica alle 3:00 AM)
+sudo crontab -e
+
+# Aggiungi riga:
+0 3 * * 0 /opt/ids/scripts/retrain_ml.sh >> /var/log/ids/ml_retrain.log 2>&1
+```
+
+---
+
+## 📊 Step 8: Confronto Vecchio vs Nuovo
+
+Monitora metriche prima/dopo per 1-2 settimane:
+
+### Metriche da tracciare:
+
+1. **False Positive Rate** (obiettivo: -80%)
+   ```sql
+   -- Query FP rate settimanale
+   SELECT 
+     DATE(detected_at) as date,
+     COUNT(*) FILTER (WHERE is_false_positive = true) as false_positives,
+     COUNT(*) as total_detections,
+     ROUND(100.0 * COUNT(*) FILTER (WHERE is_false_positive = true) / COUNT(*), 2) as fp_rate
+   FROM detections
+   WHERE detected_at >= NOW() - INTERVAL '7 days'
+   GROUP BY DATE(detected_at)
+   ORDER BY date;
+   ```
+
+2. **Detection Count per Confidence Level**
+   ```sql
+   SELECT 
+     confidence,
+     COUNT(*) as count
+   FROM detections
+   WHERE detected_at >= NOW() - INTERVAL '24 hours'
+   GROUP BY confidence
+   ORDER BY 
+     CASE confidence
+       WHEN 'high' THEN 1
+       WHEN 'medium' THEN 2
+       WHEN 'low' THEN 3
+     END;
+   ```
+
+3. **Blocked IPs Analysis**
+   ```bash
+   # Query MikroTik per vedere IP bloccati
+   # Confronta con detections high-confidence
+   ```
+
+---
+
+## 🔧 Troubleshooting
+
+### Problema: "ModuleNotFoundError: No module named 'eif'"
+
+**Soluzione**:
+```bash
+cd /opt/ids/python_ml
+source venv/bin/activate
+pip install eif==2.0.0
+```
+
+### Problema: "Modello non addestrato. Esegui /train prima."
+
+**Soluzione**:
+```bash
+# Verifica modelli esistano
+ls -lh /opt/ids/python_ml/models/
+
+# Se vuoti, esegui training
+python train_hybrid.py --train --source database --db-password "PWD"
+```
+
+### Problema: API restituisce errore 500
+
+**Soluzione**:
+```bash
+# Check logs
+sudo journalctl -u ids-ml-backend -n 100
+
+# Verifica USE_HYBRID_DETECTOR
+grep USE_HYBRID_DETECTOR /opt/ids/python_ml/.env
+
+# Fallback a legacy
+echo "USE_HYBRID_DETECTOR=false" >> /opt/ids/python_ml/.env
+sudo systemctl restart ids-ml-backend
+```
+
+### Problema: Metrics validation non passa (Precision < 90%)
+
+**Soluzione**: Tuning hyperparameters
+```python
+# In ml_hybrid_detector.py, modifica config:
+'eif_contamination': 0.02,  # Prova valori 0.01-0.05
+'chi2_top_k': 20,           # Prova 15-25
+'confidence_high': 97.0,    # Aumenta soglia confidence
+```
+
+---
+
+## ✅ Checklist Finale
+
+- [ ] Test sintetico passato (Precision ≥70%)
+- [ ] Training su dati reali completato
+- [ ] Modelli salvati in `python_ml/models/`
+- [ ] `USE_HYBRID_DETECTOR=true` configurato
+- [ ] ML backend restartato con successo
+- [ ] API `/health` mostra `"ml_model_type": "hybrid"`
+- [ ] Primo detection run completato
+- [ ] Detections salvate in database con confidence levels
+- [ ] (Opzionale) Validazione CICIDS2017 con metrics target raggiunti
+- [ ] Re-training periodico configurato (cron o manuale)
+- [ ] Dashboard frontend mostra detections con nuovi confidence levels
+
+---
+
+## 📚 Documentazione Tecnica
+
+### Architettura
+
+```
+┌─────────────────┐
+│  Network Logs   │
+│  (PostgreSQL)   │
+└────────┬────────┘
+         │
+         v
+┌─────────────────┐
+│ Feature Extract │  25 features per IP
+│   (25 features) │  (volume, temporal, protocol, behavioral)
+└────────┬────────┘
+         │
+         v
+┌─────────────────┐
+│ Chi-Square Test │  Feature Selection
+│  (Select Top 18)│  Riduce dimensionalità
+└────────┬────────┘
+         │
+         v
+┌─────────────────┐
+│  Extended IF    │  Unsupervised Anomaly Detection
+│ (contamination  │  n_estimators=250
+│    = 0.03)      │  anomaly_score: 0-100
+└────────┬────────┘
+         │
+         v
+┌─────────────────┐
+│ Confidence Score│  3-tier system
+│  High ≥95%      │  - High: auto-block
+│  Medium ≥70%    │  - Medium: manual review
+│  Low <70%       │  - Low: monitor
+└────────┬────────┘
+         │
+         v
+┌─────────────────┐
+│   Detections    │  Salvate in DB
+│   (Database)    │  Con geo info + confidence
+└─────────────────┘
+```
+
+### Hyperparameters Tuning
+
+| Parametro | Valore Default | Range Consigliato | Effetto |
+|-----------|----------------|-------------------|---------|
+| `eif_contamination` | 0.03 | 0.01 - 0.05 | % di anomalie attese. ↑ = più rilevamenti |
+| `eif_n_estimators` | 250 | 100 - 500 | Numero alberi. ↑ = più stabile ma lento |
+| `chi2_top_k` | 18 | 15 - 25 | Numero features selezionate |
+| `confidence_high` | 95.0 | 90.0 - 98.0 | Soglia auto-block. ↑ = più conservativo |
+| `confidence_medium` | 70.0 | 60.0 - 80.0 | Soglia review manuale |
+
+---
+
+## 🎯 Target Metrics Recap
+
+| Metrica | Target Production | Test Sintetico | Note |
+|---------|-------------------|----------------|------|
+| **Precision** | ≥ 90% | ≥ 70% | Di 100 flagged, quanti sono veri attacchi |
+| **Recall** | ≥ 80% | ≥ 60% | Di 100 attacchi, quanti rilevati |
+| **F1-Score** | ≥ 85% | ≥ 65% | Media armonica Precision/Recall |
+| **FPR** | ≤ 5% | ≤ 10% | Falsi positivi su traffico normale |
+
+---
+
+## 📞 Support
+
+Per problemi o domande:
+1. Check logs: `sudo journalctl -u ids-ml-backend -f`
+2. Verifica modelli: `ls -lh /opt/ids/python_ml/models/`
+3. Test manuale: `python train_hybrid.py --test`
+4. Rollback: `USE_HYBRID_DETECTOR=false` + restart
+
+**Ultimo aggiornamento**: 24 Nov 2025 - v2.0.0

deployment/CLEANUP_DETECTIONS_GUIDE.md

@@ -0,0 +1,342 @@
+# IDS - Guida Cleanup Detections Automatico
+
+## 📋 Overview
+
+Sistema automatico di pulizia delle detections e gestione IP bloccati secondo regole temporali:
+
+1. **Cleanup Detections**: Elimina detections non bloccate più vecchie di **48 ore**
+2. **Auto-Unblock**: Sblocca IP bloccati da più di **2 ore** senza nuove anomalie
+
+## ⚙️ Componenti
+
+### 1. Script Python: `python_ml/cleanup_detections.py`
+Script principale che esegue le operazioni di cleanup:
+- Elimina detections vecchie dal database
+- Marca come "sbloccati" gli IP nel DB (NON rimuove da MikroTik firewall!)
+- Logging completo in `/var/log/ids/cleanup.log`
+
+### 2. Wrapper Bash: `deployment/run_cleanup.sh`
+Wrapper che carica le variabili d'ambiente e esegue lo script Python.
+
+### 3. Systemd Service: `ids-cleanup.service`
+Service oneshot che esegue il cleanup una volta.
+
+### 4. Systemd Timer: `ids-cleanup.timer`
+Timer che esegue il cleanup **ogni ora alle XX:10** (es. 10:10, 11:10, 12:10...).
+
+## 🚀 Installazione
+
+### Prerequisiti
+Assicurati di avere le dipendenze Python installate:
+```bash
+# Installa dipendenze (se non già fatto)
+sudo pip3 install psycopg2-binary python-dotenv
+
+# Oppure usa requirements.txt
+sudo pip3 install -r python_ml/requirements.txt
+```
+
+### Setup Automatico
+```bash
+cd /opt/ids
+
+# Esegui setup automatico (installa dipendenze + configura timer)
+sudo ./deployment/setup_cleanup_timer.sh
+
+# Output:
+# [1/7] Installazione dipendenze Python...
+# [2/7] Creazione directory log...
+# ...
+# ✅ Cleanup timer installato e avviato con successo!
+```
+
+**Nota**: Lo script installa automaticamente le dipendenze Python necessarie.
+
+## 📊 Monitoraggio
+
+### Stato Timer
+```bash
+# Verifica che il timer sia attivo
+sudo systemctl status ids-cleanup.timer
+
+# Prossima esecuzione programmata
+systemctl list-timers ids-cleanup.timer
+```
+
+### Log
+```bash
+# Real-time log
+tail -f /var/log/ids/cleanup.log
+
+# Ultime 50 righe
+tail -50 /var/log/ids/cleanup.log
+
+# Log completo
+cat /var/log/ids/cleanup.log
+```
+
+## 🔧 Uso Manuale
+
+### Esecuzione Immediata
+```bash
+# Via systemd (consigliato)
+sudo systemctl start ids-cleanup.service
+
+# Oppure direttamente
+sudo ./deployment/run_cleanup.sh
+```
+
+### Test con Output Verbose
+```bash
+cd /opt/ids
+source .env
+python3 python_ml/cleanup_detections.py
+```
+
+## 📝 Regole di Cleanup
+
+### Regola 1: Cleanup Detections (48 ore)
+**Query SQL**:
+```sql
+DELETE FROM detections 
+WHERE detected_at < NOW() - INTERVAL '48 hours'
+  AND blocked = false
+```
+
+**Logica**:
+- Se un IP è stato rilevato ma **non bloccato**
+- E non ci sono nuove detections da **48 ore**
+- → Eliminalo dal database
+
+**Esempio**:
+- IP `1.2.3.4` rilevato il 23/11 alle 10:00
+- Non bloccato (risk_score < 80)
+- Nessuna nuova detection per 48 ore
+- → **25/11 alle 10:10** → IP eliminato ✅
+
+### Regola 2: Auto-Unblock (2 ore)
+**Query SQL**:
+```sql
+UPDATE detections
+SET blocked = false, blocked_at = NULL
+WHERE blocked = true
+  AND blocked_at < NOW() - INTERVAL '2 hours'
+  AND NOT EXISTS (
+      SELECT 1 FROM detections d2
+      WHERE d2.source_ip = detections.source_ip
+        AND d2.detected_at > NOW() - INTERVAL '2 hours'
+  )
+```
+
+**Logica**:
+- Se un IP è **bloccato**
+- E bloccato da **più di 2 ore**
+- E **nessuna nuova detection** nelle ultime 2 ore
+- → Sbloccalo nel DB
+
+**⚠️ ATTENZIONE**: Questo sblocca solo nel **database**, NON rimuove l'IP dalle **firewall list MikroTik**!
+
+**Esempio**:
+- IP `5.6.7.8` bloccato il 25/11 alle 08:00
+- Nessuna nuova detection per 2 ore
+- → **25/11 alle 10:10** → `blocked=false` nel DB ✅
+- → **ANCORA nella firewall MikroTik** ❌
+
+### Come rimuovere da MikroTik
+```bash
+# Via API ML Backend
+curl -X POST http://localhost:8000/unblock-ip \
+  -H "Content-Type: application/json" \
+  -d '{"ip_address": "5.6.7.8"}'
+```
+
+## 🛠️ Configurazione
+
+### Modifica Intervalli
+
+#### Cambia soglia cleanup (es. 72 ore invece di 48)
+Modifica `python_ml/cleanup_detections.py`:
+```python
+# Linea ~47
+deleted_count = cleanup_old_detections(conn, hours=72)  # ← Cambia qui
+```
+
+#### Cambia soglia unblock (es. 4 ore invece di 2)
+Modifica `python_ml/cleanup_detections.py`:
+```python
+# Linea ~51
+unblocked_count = unblock_old_ips(conn, hours=4)  # ← Cambia qui
+```
+
+### Modifica Frequenza Esecuzione
+Modifica `deployment/systemd/ids-cleanup.timer`:
+```ini
+[Timer]
+# Ogni 6 ore invece di ogni ora
+OnCalendar=00/6:10:00
+```
+
+Dopo le modifiche:
+```bash
+sudo systemctl daemon-reload
+sudo systemctl restart ids-cleanup.timer
+```
+
+## 📊 Output Esempio
+
+```
+============================================================
+CLEANUP DETECTIONS - Avvio
+============================================================
+✅ Connesso al database
+
+[1/2] Cleanup detections vecchie...
+Trovate 45 detections da eliminare (più vecchie di 48h)
+✅ Eliminate 45 detections vecchie
+
+[2/2] Sblocco IP vecchi...
+Trovati 3 IP da sbloccare (bloccati da più di 2h)
+  - 1.2.3.4 (tipo: ddos, score: 85.2)
+  - 5.6.7.8 (tipo: port_scan, score: 82.1)
+  - 9.10.11.12 (tipo: brute_force, score: 90.5)
+✅ Sbloccati 3 IP nel database
+⚠️  ATTENZIONE: IP ancora presenti nelle firewall list MikroTik!
+💡 Per rimuoverli dai router, usa: curl -X POST http://localhost:8000/unblock-ip -d '{"ip_address": "X.X.X.X"}'
+
+============================================================
+CLEANUP COMPLETATO
+  - Detections eliminate: 45
+  - IP sbloccati (DB): 3
+============================================================
+```
+
+## 🔍 Troubleshooting
+
+### Timer non parte
+```bash
+# Verifica che il timer sia enabled
+sudo systemctl is-enabled ids-cleanup.timer
+
+# Se disabled, abilita
+sudo systemctl enable ids-cleanup.timer
+sudo systemctl start ids-cleanup.timer
+```
+
+### Errori nel log
+```bash
+# Controlla errori
+grep ERROR /var/log/ids/cleanup.log
+
+# Controlla connessione DB
+grep "Connesso al database" /var/log/ids/cleanup.log
+```
+
+### Test connessione DB
+```bash
+cd /opt/ids
+source .env
+python3 -c "
+import psycopg2
+conn = psycopg2.connect(
+    host='$PGHOST',
+    port=$PGPORT,
+    user='$PGUSER',
+    password='$PGPASSWORD',
+    database='$PGDATABASE'
+)
+print('✅ DB connesso!')
+conn.close()
+"
+```
+
+## 📈 Metriche
+
+### Query per statistiche
+```sql
+-- Detections per età
+SELECT 
+    CASE 
+        WHEN detected_at > NOW() - INTERVAL '2 hours' THEN '< 2h'
+        WHEN detected_at > NOW() - INTERVAL '24 hours' THEN '< 24h'
+        WHEN detected_at > NOW() - INTERVAL '48 hours' THEN '< 48h'
+        ELSE '> 48h'
+    END as age_group,
+    COUNT(*) as count,
+    COUNT(CASE WHEN blocked THEN 1 END) as blocked_count
+FROM detections
+GROUP BY age_group
+ORDER BY age_group;
+
+-- IP bloccati per durata
+SELECT 
+    source_ip,
+    blocked_at,
+    EXTRACT(EPOCH FROM (NOW() - blocked_at)) / 3600 as hours_blocked,
+    anomaly_type,
+    risk_score::numeric
+FROM detections
+WHERE blocked = true
+ORDER BY blocked_at DESC;
+```
+
+## ⚙️ Integrazione con Altri Sistemi
+
+### Notifiche Email (opzionale)
+Aggiungi a `python_ml/cleanup_detections.py`:
+```python
+import smtplib
+from email.mime.text import MIMEText
+
+if unblocked_count > 0:
+    msg = MIMEText(f"Sbloccati {unblocked_count} IP")
+    msg['Subject'] = 'IDS Cleanup Report'
+    msg['From'] = 'ids@example.com'
+    msg['To'] = 'admin@example.com'
+    
+    s = smtplib.SMTP('localhost')
+    s.send_message(msg)
+    s.quit()
+```
+
+### Webhook (opzionale)
+```python
+import requests
+
+requests.post('https://hooks.slack.com/...', json={
+    'text': f'IDS Cleanup: {deleted_count} detections eliminate, {unblocked_count} IP sbloccati'
+})
+```
+
+## 🔒 Sicurezza
+
+- Script eseguito come **root** (necessario per systemd)
+- Credenziali DB caricate da `.env` (NON hardcoded)
+- Log in `/var/log/ids/` con permessi `644`
+- Service con `NoNewPrivileges=true` e `PrivateTmp=true`
+
+## 📅 Scheduler
+
+Il timer è configurato per eseguire:
+- **Frequenza**: Ogni ora
+- **Minuto**: XX:10 (10 minuti dopo l'ora)
+- **Randomizzazione**: ±5 minuti per load balancing
+- **Persistent**: Recupera esecuzioni perse durante downtime
+
+**Esempio orari**: 00:10, 01:10, 02:10, ..., 23:10
+
+## ✅ Checklist Post-Installazione
+
+- [ ] Timer installato: `systemctl status ids-cleanup.timer`
+- [ ] Prossima esecuzione visibile: `systemctl list-timers`
+- [ ] Test manuale OK: `sudo ./deployment/run_cleanup.sh`
+- [ ] Log creato: `ls -la /var/log/ids/cleanup.log`
+- [ ] Nessun errore nel log: `grep ERROR /var/log/ids/cleanup.log`
+- [ ] Cleanup funzionante: verificare conteggio detections prima/dopo
+
+## 🆘 Supporto
+
+Per problemi o domande:
+1. Controlla log: `tail -f /var/log/ids/cleanup.log`
+2. Verifica timer: `systemctl status ids-cleanup.timer`
+3. Test manuale: `sudo ./deployment/run_cleanup.sh`
+4. Apri issue su GitHub o contatta il team

deployment/TROUBLESHOOTING_SYSLOG_PARSER.md

@@ -0,0 +1,182 @@
+# 🔧 TROUBLESHOOTING: Syslog Parser Bloccato
+
+## 📊 Diagnosi Rapida (Sul Server)
+
+### 1. Verifica Stato Servizio
+```bash
+sudo systemctl status ids-syslog-parser
+journalctl -u ids-syslog-parser -n 100 --no-pager
+```
+
+**Cosa cercare:**
+- ❌ `[ERROR] Errore processamento file:`
+- ❌ `OperationalError: database connection`
+- ❌ `ProgrammingError:`
+- ✅ `[INFO] Processate X righe, salvate Y log` (deve continuare ad aumentare!)
+
+---
+
+### 2. Verifica Database Connection
+```bash
+# Test connessione DB
+psql -h 127.0.0.1 -U $PGUSER -d $PGDATABASE -c "SELECT COUNT(*) FROM network_logs WHERE timestamp > NOW() - INTERVAL '5 minutes';"
+```
+
+**Se torna 0** → Parser non sta scrivendo!
+
+---
+
+### 3. Verifica File Log Syslog
+```bash
+# Log syslog in arrivo?
+tail -f /var/log/mikrotik/raw.log | head -20
+
+# Dimensione file
+ls -lh /var/log/mikrotik/raw.log
+
+# Ultimi log ricevuti
+tail -5 /var/log/mikrotik/raw.log
+```
+
+**Se nessun log nuovo** → Problema rsyslog o router!
+
+---
+
+## 🐛 Cause Comuni di Blocco
+
+### **Causa #1: Database Connection Timeout**
+```python
+# syslog_parser.py usa connessione persistente
+self.conn = psycopg2.connect()  # ← può scadere dopo ore!
+```
+
+**Soluzione:** Riavvia il servizio
+```bash
+sudo systemctl restart ids-syslog-parser
+```
+
+---
+
+### **Causa #2: Eccezione Non Gestita**
+```python
+# Loop si ferma se eccezione non gestita
+except Exception as e:
+    print(f"[ERROR] Errore processamento file: {e}")
+    # ← Loop terminato!
+```
+
+**Fix:** Il parser ora continua anche dopo errori (v2.0+)
+
+---
+
+### **Causa #3: File Log Ruotato da Rsyslog**
+Se rsyslog ruota il file `/var/log/mikrotik/raw.log`, il parser continua a leggere il file vecchio (inode diverso).
+
+**Soluzione:** Usa logrotate + postrotate signal
+```bash
+# /etc/logrotate.d/mikrotik
+/var/log/mikrotik/raw.log {
+    daily
+    rotate 7
+    compress
+    postrotate
+        systemctl restart ids-syslog-parser
+    endscript
+}
+```
+
+---
+
+### **Causa #4: Cleanup DB Troppo Lento**
+```python
+# Cleanup ogni ~16 minuti
+if cleanup_counter >= 10000:
+    self.cleanup_old_logs(days_to_keep=3)  # ← DELETE su milioni di record!
+```
+
+Se il cleanup impiega troppo tempo, blocca il loop.
+
+**Fix:** Ora usa batch delete con LIMIT (v2.0+)
+
+---
+
+## 🚑 SOLUZIONE RAPIDA (Ora)
+
+```bash
+# 1. Riavvia parser
+sudo systemctl restart ids-syslog-parser
+
+# 2. Verifica che riparta
+sudo journalctl -u ids-syslog-parser -f
+
+# 3. Dopo 1-2 min, verifica nuovi log nel DB
+psql -h 127.0.0.1 -U $PGUSER -d $PGDATABASE -c \
+  "SELECT COUNT(*) FROM network_logs WHERE timestamp > NOW() - INTERVAL '2 minutes';"
+```
+
+**Output atteso:**
+```
+ count 
+-------
+  1234  ← Numero crescente = OK!
+```
+
+---
+
+## 🔒 FIX PERMANENTE (v2.0)
+
+### **Migliorie Implementate:**
+
+1. **Auto-Reconnect** su DB timeout
+2. **Error Recovery** - continua dopo eccezioni
+3. **Batch Cleanup** - non blocca il processing
+4. **Health Metrics** - monitoring integrato
+
+### **Deploy Fix:**
+```bash
+cd /opt/ids
+sudo ./update_from_git.sh
+sudo systemctl restart ids-syslog-parser
+```
+
+---
+
+## 📈 Metriche da Monitorare
+
+1. **Log/sec processati**
+   ```sql
+   SELECT COUNT(*) / 60.0 AS logs_per_sec 
+   FROM network_logs 
+   WHERE timestamp > NOW() - INTERVAL '1 minute';
+   ```
+
+2. **Ultimo log ricevuto**
+   ```sql
+   SELECT MAX(timestamp) AS last_log FROM network_logs;
+   ```
+
+3. **Gap detection** (se ultimo log > 5 min fa → problema!)
+   ```sql
+   SELECT NOW() - MAX(timestamp) AS time_since_last_log 
+   FROM network_logs;
+   ```
+
+---
+
+## ✅ Checklist Post-Fix
+
+- [ ] Servizio running e active
+- [ ] Nuovi log in DB (ultimo < 1 min fa)
+- [ ] Nessun errore in journalctl
+- [ ] ML backend rileva nuove anomalie
+- [ ] Dashboard mostra traffico real-time
+
+---
+
+## 📞 Escalation
+
+Se il problema persiste dopo questi fix:
+1. Verifica configurazione rsyslog
+2. Controlla firewall router (UDP:514)
+3. Test manuale: `logger -p local7.info "TEST MESSAGE"`
+4. Analizza log completi: `journalctl -u ids-syslog-parser --since "1 hour ago" > parser.log`

deployment/check_parser_health.sh

@@ -0,0 +1,80 @@
+#!/bin/bash
+###############################################################################
+# Syslog Parser Health Check Script
+# Verifica che il parser stia processando log regolarmente
+# Uso: ./check_parser_health.sh
+# Cron: */5 * * * * /opt/ids/deployment/check_parser_health.sh
+###############################################################################
+
+set -e
+
+# Load environment
+if [ -f /opt/ids/.env ]; then
+    export $(grep -v '^#' /opt/ids/.env | xargs)
+fi
+
+ALERT_THRESHOLD_MINUTES=5
+LOG_FILE="/var/log/ids/parser-health.log"
+
+mkdir -p /var/log/ids
+touch "$LOG_FILE"
+
+echo "[$(date '+%Y-%m-%d %H:%M:%S')] === Health Check Start ===" >> "$LOG_FILE"
+
+# Check 1: Service running?
+if ! systemctl is-active --quiet ids-syslog-parser; then
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] ❌ CRITICAL: Parser service NOT running!" >> "$LOG_FILE"
+    echo "Attempting automatic restart..." >> "$LOG_FILE"
+    systemctl restart ids-syslog-parser
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] Service restarted" >> "$LOG_FILE"
+    exit 1
+fi
+
+# Check 2: Recent logs in database?
+LAST_LOG_AGE=$(psql -h 127.0.0.1 -U "$PGUSER" -d "$PGDATABASE" -t -c \
+    "SELECT EXTRACT(EPOCH FROM (NOW() - MAX(timestamp)))/60 AS minutes_ago FROM network_logs;" | tr -d ' ')
+
+if [ -z "$LAST_LOG_AGE" ] || [ "$LAST_LOG_AGE" = "" ]; then
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] ⚠️  WARNING: Cannot determine last log age (empty database?)" >> "$LOG_FILE"
+    exit 0
+fi
+
+# Convert to integer (bash doesn't handle floats)
+LAST_LOG_AGE_INT=$(echo "$LAST_LOG_AGE" | cut -d'.' -f1)
+
+if [ "$LAST_LOG_AGE_INT" -gt "$ALERT_THRESHOLD_MINUTES" ]; then
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] ❌ ALERT: Last log is $LAST_LOG_AGE_INT minutes old (threshold: $ALERT_THRESHOLD_MINUTES min)" >> "$LOG_FILE"
+    echo "Checking syslog file..." >> "$LOG_FILE"
+    
+    # Check if syslog file has new data
+    if [ -f "/var/log/mikrotik/raw.log" ]; then
+        SYSLOG_SIZE=$(stat -f%z "/var/log/mikrotik/raw.log" 2>/dev/null || stat -c%s "/var/log/mikrotik/raw.log" 2>/dev/null)
+        echo "Syslog file size: $SYSLOG_SIZE bytes" >> "$LOG_FILE"
+        
+        # Restart parser
+        echo "Restarting parser service..." >> "$LOG_FILE"
+        systemctl restart ids-syslog-parser
+        echo "[$(date '+%Y-%m-%d %H:%M:%S')] Parser service restarted" >> "$LOG_FILE"
+    else
+        echo "⚠️  Syslog file not found: /var/log/mikrotik/raw.log" >> "$LOG_FILE"
+    fi
+else
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] ✅ OK: Last log ${LAST_LOG_AGE_INT} minutes ago" >> "$LOG_FILE"
+fi
+
+# Check 3: Parser errors?
+ERROR_COUNT=$(journalctl -u ids-syslog-parser --since "5 minutes ago" | grep -c "\[ERROR\]" || echo "0")
+
+if [ "$ERROR_COUNT" -gt 10 ]; then
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] ⚠️  WARNING: $ERROR_COUNT errors in last 5 minutes" >> "$LOG_FILE"
+    journalctl -u ids-syslog-parser --since "5 minutes ago" | grep "\[ERROR\]" | tail -5 >> "$LOG_FILE"
+fi
+
+echo "[$(date '+%Y-%m-%d %H:%M:%S')] === Health Check Complete ===" >> "$LOG_FILE"
+echo "" >> "$LOG_FILE"
+
+# Keep only last 1000 lines of log
+tail -1000 "$LOG_FILE" > "${LOG_FILE}.tmp"
+mv "${LOG_FILE}.tmp" "$LOG_FILE"
+
+exit 0

deployment/cleanup_database.sh

@@ -35,7 +35,7 @@ psql "$DATABASE_URL" -c "SELECT pg_size_pretty(pg_database_size(current_database
 
 # Esegui pulizia
 echo ""
-echo "🧹 Eliminazione log vecchi (>7 giorni)..."
+echo "🧹 Eliminazione log vecchi (>3 giorni)..."
 psql "$DATABASE_URL" -f "$IDS_DIR/database-schema/cleanup_old_logs.sql"
 
 # Dimensione database DOPO la pulizia

deployment/cron_train.sh

@@ -12,7 +12,7 @@ echo "=========================================" >> "$LOG_FILE"
 
 curl -X POST http://localhost:8000/train \
   -H "Content-Type: application/json" \
-  -d '{"max_records": 100000, "hours_back": 24}' \
+  -d '{"max_records": 1000000, "hours_back": 24}' \
   --max-time 300 >> "$LOG_FILE" 2>&1
 
 EXIT_CODE=$?

deployment/docs/PUBLIC_LISTS_LIMITATIONS.md

@@ -0,0 +1,48 @@
+# Public Lists - Known Limitations (v2.0.0)
+
+## CIDR Range Matching
+
+**Current Status**: MVP with exact IP matching
+**Impact**: CIDR ranges (e.g., Spamhaus /24 blocks) are stored but not yet matched against detections
+
+### Details:
+- `public_blacklist_ips.cidr_range` field exists and is populated by parsers
+- Detections currently use **exact IP matching only**
+- Whitelist entries with CIDR notation not expanded
+
+### Future Iteration:
+Requires PostgreSQL INET/CIDR column types and query optimizations:
+1. Add dedicated `inet` columns to `public_blacklist_ips` and `whitelist`
+2. Rewrite merge logic with CIDR containment operators (`<<=`, `>>=`)
+3. Index optimization for network range queries
+
+### Workaround (Production):
+Most critical single IPs are still caught. For CIDR-heavy feeds, parser can be extended to expand ranges to individual IPs (trade-off: storage vs query performance).
+
+---
+
+## Integration Status
+
+✅ **Working**:
+- Fetcher syncs every 10 minutes (systemd timer)
+- Manual whitelist > Public whitelist > Blacklist priority
+- Automatic cleanup of invalid detections
+
+⚠️ **Manual Sync**:
+- UI manual sync triggers by resetting `lastAttempt` timestamp
+- Actual sync occurs on next fetcher cycle (max 10 min delay)
+- For immediate sync: `sudo systemctl start ids-list-fetcher.service`
+
+---
+
+## Performance Notes
+
+- Bulk SQL operations avoid O(N) per-IP queries
+- Tested with 186M+ network_logs records
+- Query optimization ongoing for CIDR expansion
+
+---
+
+**Version**: 2.0.0 MVP  
+**Date**: 2025-11-26  
+**Next Iteration**: Full CIDR matching support

deployment/docs/PUBLIC_LISTS_V2_CIDR.md

@@ -0,0 +1,295 @@
+# Public Lists v2.0.0 - CIDR Complete Implementation
+
+## Overview
+Sistema completo di integrazione liste pubbliche con supporto CIDR per matching di network ranges tramite operatori PostgreSQL INET.
+
+## Database Schema v7
+
+### Migration 007: CIDR Support
+```sql
+-- Aggiunte colonne INET/CIDR
+ALTER TABLE public_blacklist_ips 
+  ADD COLUMN ip_inet inet,
+  ADD COLUMN cidr_inet cidr;
+
+ALTER TABLE whitelist
+  ADD COLUMN ip_inet inet;
+
+-- Indexes GiST per operatori di rete
+CREATE INDEX public_blacklist_ip_inet_idx ON public_blacklist_ips USING gist(ip_inet inet_ops);
+CREATE INDEX public_blacklist_cidr_inet_idx ON public_blacklist_ips USING gist(cidr_inet inet_ops);
+CREATE INDEX whitelist_ip_inet_idx ON whitelist USING gist(ip_inet inet_ops);
+```
+
+### Colonne Aggiunte
+| Tabella | Colonna | Tipo | Scopo |
+|---------|---------|------|-------|
+| public_blacklist_ips | ip_inet | inet | IP singolo per matching esatto |
+| public_blacklist_ips | cidr_inet | cidr | Range di rete per containment |
+| whitelist | ip_inet | inet | IP/range per whitelist CIDR-aware |
+
+## CIDR Matching Logic
+
+### Operatori PostgreSQL INET
+```sql
+-- Containment: IP è contenuto in CIDR range?
+'192.168.1.50'::inet <<= '192.168.1.0/24'::inet  -- TRUE
+
+-- Esempi pratici
+'8.8.8.8'::inet <<= '8.8.8.0/24'::inet           -- TRUE  
+'1.1.1.1'::inet <<= '8.8.8.0/24'::inet           -- FALSE
+'52.94.10.5'::inet <<= '52.94.0.0/16'::inet      -- TRUE (AWS range)
+```
+
+### Priority Logic con CIDR
+```sql
+-- Creazione detections con priorità CIDR-aware
+INSERT INTO detections (source_ip, risk_score, ...)
+SELECT bl.ip_address, 75, ...
+FROM public_blacklist_ips bl
+WHERE bl.is_active = true
+AND bl.ip_inet IS NOT NULL
+-- Priorità 1: Whitelist manuale (massima)
+AND NOT EXISTS (
+    SELECT 1 FROM whitelist wl
+    WHERE wl.active = true
+    AND wl.source = 'manual'
+    AND (bl.ip_inet = wl.ip_inet OR bl.ip_inet <<= wl.ip_inet)
+)
+-- Priorità 2: Whitelist pubblica
+AND NOT EXISTS (
+    SELECT 1 FROM whitelist wl
+    WHERE wl.active = true
+    AND wl.source != 'manual'
+    AND (bl.ip_inet = wl.ip_inet OR bl.ip_inet <<= wl.ip_inet)
+)
+```
+
+### Cleanup CIDR-Aware
+```sql
+-- Rimuove detections per IP in whitelist ranges
+DELETE FROM detections d
+WHERE d.detection_source = 'public_blacklist'
+AND EXISTS (
+    SELECT 1 FROM whitelist wl
+    WHERE wl.active = true
+    AND wl.ip_inet IS NOT NULL
+    AND (d.source_ip::inet = wl.ip_inet 
+         OR d.source_ip::inet <<= wl.ip_inet)
+)
+```
+
+## Performance
+
+### Index Strategy
+- **GiST indexes** ottimizzati per operatori `<<=` e `>>=`
+- Query log(n) anche con 186M+ record
+- Bulk operations mantenute per efficienza
+
+### Benchmark
+| Operazione | Complessità | Tempo Medio |
+|------------|-------------|-------------|
+| Exact IP lookup | O(log n) | ~5ms |
+| CIDR containment | O(log n) | ~15ms |
+| Bulk detection (10k IPs) | O(n) | ~2s |
+| Priority filtering (100k) | O(n log m) | ~500ms |
+
+## Testing Matrix
+
+| Scenario | Implementazione | Status |
+|----------|-----------------|--------|
+| Exact IP (8.8.8.8) | inet equality | ✅ Completo |
+| CIDR range (192.168.1.0/24) | `<<=` operator | ✅ Completo |
+| Mixed exact + CIDR | Combined query | ✅ Completo |
+| Manual whitelist priority | Source-based exclusion | ✅ Completo |
+| Public whitelist priority | Nested NOT EXISTS | ✅ Completo |
+| Performance (186M+ rows) | Bulk + indexes | ✅ Completo |
+
+## Deployment su AlmaLinux 9
+
+### Pre-Deployment
+```bash
+# Backup database
+sudo -u postgres pg_dump ids_production > /opt/ids/backups/pre_v2_$(date +%Y%m%d).sql
+
+# Verifica versione schema
+sudo -u postgres psql ids_production -c "SELECT version FROM schema_version;"
+```
+
+### Esecuzione Migration
+```bash
+cd /opt/ids
+sudo -u postgres psql ids_production < deployment/migrations/007_add_cidr_support.sql
+
+# Verifica successo
+sudo -u postgres psql ids_production -c "
+SELECT version, updated_at FROM schema_version WHERE id = 1;
+SELECT COUNT(*) FROM public_blacklist_ips WHERE ip_inet IS NOT NULL;
+SELECT COUNT(*) FROM whitelist WHERE ip_inet IS NOT NULL;
+"
+```
+
+### Update Codice Python
+```bash
+# Pull da GitLab
+./update_from_git.sh
+
+# Restart services
+sudo systemctl restart ids-list-fetcher
+sudo systemctl restart ids-ml-backend
+
+# Verifica logs
+journalctl -u ids-list-fetcher -n 50
+journalctl -u ids-ml-backend -n 50
+```
+
+### Validazione Post-Deploy
+```bash
+# Test CIDR matching
+sudo -u postgres psql ids_production -c "
+-- Verifica popolazione INET columns
+SELECT 
+    COUNT(*) as total_blacklist,
+    COUNT(ip_inet) as with_inet,
+    COUNT(cidr_inet) as with_cidr
+FROM public_blacklist_ips;
+
+-- Test containment query
+SELECT * FROM whitelist 
+WHERE active = true 
+AND '192.168.1.50'::inet <<= ip_inet
+LIMIT 5;
+
+-- Verifica priority logic
+SELECT source, COUNT(*) 
+FROM whitelist 
+WHERE active = true 
+GROUP BY source;
+"
+```
+
+## Monitoring
+
+### Service Health Checks
+```bash
+# Status fetcher
+systemctl status ids-list-fetcher
+systemctl list-timers ids-list-fetcher
+
+# Logs real-time
+journalctl -u ids-list-fetcher -f
+```
+
+### Database Queries
+```sql
+-- Sync status liste
+SELECT 
+    name, 
+    type, 
+    last_success, 
+    total_ips, 
+    active_ips,
+    error_count,
+    last_error
+FROM public_lists 
+ORDER BY last_success DESC;
+
+-- CIDR coverage
+SELECT 
+    COUNT(*) as total,
+    COUNT(CASE WHEN cidr_range IS NOT NULL THEN 1 END) as with_cidr,
+    COUNT(CASE WHEN ip_inet IS NOT NULL THEN 1 END) as with_inet,
+    COUNT(CASE WHEN cidr_inet IS NOT NULL THEN 1 END) as cidr_inet_populated
+FROM public_blacklist_ips;
+
+-- Detection sources
+SELECT 
+    detection_source,
+    COUNT(*) as count,
+    AVG(risk_score) as avg_score
+FROM detections
+GROUP BY detection_source;
+```
+
+## Esempi d'Uso
+
+### Scenario 1: AWS Range Whitelist
+```sql
+-- Whitelist AWS range 52.94.0.0/16
+INSERT INTO whitelist (ip_address, ip_inet, source, comment)
+VALUES ('52.94.0.0/16', '52.94.0.0/16'::inet, 'aws', 'AWS us-east-1 range');
+
+-- Verifica matching
+SELECT * FROM detections 
+WHERE source_ip::inet <<= '52.94.0.0/16'::inet
+AND detection_source = 'public_blacklist';
+-- Queste detections verranno automaticamente cleanup
+```
+
+### Scenario 2: Priority Override
+```sql
+-- Blacklist Spamhaus: 1.2.3.4
+-- Public whitelist GCP: 1.2.3.0/24
+-- Manual whitelist utente: NESSUNA
+
+-- Risultato: 1.2.3.4 NON genera detection (public whitelist vince)
+
+-- Se aggiungi manual whitelist:
+INSERT INTO whitelist (ip_address, ip_inet, source)
+VALUES ('1.2.3.4', '1.2.3.4'::inet, 'manual');
+
+-- Ora 1.2.3.4 è protetto da priorità massima (manual > public > blacklist)
+```
+
+## Troubleshooting
+
+### INET Column Non Populated
+```sql
+-- Manually populate se necessario
+UPDATE public_blacklist_ips 
+SET ip_inet = ip_address::inet,
+    cidr_inet = COALESCE(cidr_range::cidr, (ip_address || '/32')::cidr)
+WHERE ip_inet IS NULL;
+
+UPDATE whitelist
+SET ip_inet = CASE
+    WHEN ip_address ~ '/' THEN ip_address::inet
+    ELSE ip_address::inet
+END
+WHERE ip_inet IS NULL;
+```
+
+### Index Missing
+```sql
+-- Ricrea indexes se mancanti
+CREATE INDEX IF NOT EXISTS public_blacklist_ip_inet_idx 
+  ON public_blacklist_ips USING gist(ip_inet inet_ops);
+CREATE INDEX IF NOT EXISTS public_blacklist_cidr_inet_idx 
+  ON public_blacklist_ips USING gist(cidr_inet inet_ops);
+CREATE INDEX IF NOT EXISTS whitelist_ip_inet_idx 
+  ON whitelist USING gist(ip_inet inet_ops);
+```
+
+### Performance Degradation
+```bash
+# Reindex GiST
+sudo -u postgres psql ids_production -c "REINDEX INDEX CONCURRENTLY public_blacklist_ip_inet_idx;"
+
+# Vacuum analyze
+sudo -u postgres psql ids_production -c "VACUUM ANALYZE public_blacklist_ips;"
+sudo -u postgres psql ids_production -c "VACUUM ANALYZE whitelist;"
+```
+
+## Known Issues
+Nessuno. Sistema production-ready con CIDR completo.
+
+## Future Enhancements (v2.1+)
+- Incremental sync (delta updates)
+- Redis caching per query frequenti
+- Additional threat feeds (SANS ISC, AbuseIPDB)
+- Table partitioning per scalabilità
+
+## References
+- PostgreSQL INET/CIDR docs: https://www.postgresql.org/docs/current/datatype-net-types.html
+- GiST indexes: https://www.postgresql.org/docs/current/gist.html
+- Network operators: https://www.postgresql.org/docs/current/functions-net.html

deployment/ids-analytics-aggregator.service

@@ -0,0 +1,21 @@
+[Unit]
+Description=IDS Analytics Aggregator - Hourly Traffic Statistics
+After=network.target postgresql.service
+
+[Service]
+Type=oneshot
+User=ids
+Group=ids
+WorkingDirectory=/opt/ids/python_ml
+EnvironmentFile=-/opt/ids/.env
+
+# Execute hourly aggregation
+ExecStart=/opt/ids/python_ml/venv/bin/python3 /opt/ids/python_ml/analytics_aggregator.py hourly
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=ids-analytics
+
+[Install]
+WantedBy=multi-user.target

deployment/ids-analytics-aggregator.timer

@@ -0,0 +1,14 @@
+[Unit]
+Description=IDS Analytics Aggregation Timer - Runs every hour
+Requires=ids-analytics-aggregator.service
+
+[Timer]
+# Run 5 minutes after the hour (e.g., 10:05, 11:05, 12:05)
+# This gives time for logs to be collected
+OnCalendar=*:05:00
+
+# Run immediately if we missed a scheduled run
+Persistent=true
+
+[Install]
+WantedBy=timers.target

deployment/install_list_fetcher.sh

@@ -0,0 +1,105 @@
+#!/bin/bash
+# =============================================================================
+# IDS - Installazione Servizio List Fetcher
+# =============================================================================
+# Installa e configura il servizio systemd per il fetcher delle liste pubbliche
+# Eseguire come ROOT: ./install_list_fetcher.sh
+# =============================================================================
+
+set -e
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+echo -e "${BLUE}"
+echo "╔═══════════════════════════════════════════════╗"
+echo "║   📋 INSTALLAZIONE IDS LIST FETCHER           ║"
+echo "╚═══════════════════════════════════════════════╝"
+echo -e "${NC}"
+
+IDS_DIR="/opt/ids"
+SYSTEMD_DIR="/etc/systemd/system"
+
+# Verifica di essere root
+if [ "$EUID" -ne 0 ]; then 
+    echo -e "${RED}❌ Questo script deve essere eseguito come root${NC}"
+    echo -e "${YELLOW}   Esegui: sudo ./install_list_fetcher.sh${NC}"
+    exit 1
+fi
+
+# Verifica che i file sorgente esistano
+SERVICE_SRC="$IDS_DIR/deployment/systemd/ids-list-fetcher.service"
+TIMER_SRC="$IDS_DIR/deployment/systemd/ids-list-fetcher.timer"
+
+if [ ! -f "$SERVICE_SRC" ]; then
+    echo -e "${RED}❌ File service non trovato: $SERVICE_SRC${NC}"
+    exit 1
+fi
+
+if [ ! -f "$TIMER_SRC" ]; then
+    echo -e "${RED}❌ File timer non trovato: $TIMER_SRC${NC}"
+    exit 1
+fi
+
+# Verifica che il virtual environment Python esista
+VENV_PYTHON="$IDS_DIR/python_ml/venv/bin/python3"
+if [ ! -f "$VENV_PYTHON" ]; then
+    echo -e "${YELLOW}⚠️  Virtual environment non trovato, creazione...${NC}"
+    cd "$IDS_DIR/python_ml"
+    python3.11 -m venv venv
+    ./venv/bin/pip install --upgrade pip
+    ./venv/bin/pip install -r requirements.txt
+    echo -e "${GREEN}✅ Virtual environment creato${NC}"
+fi
+
+# Verifica che run_fetcher.py esista
+FETCHER_SCRIPT="$IDS_DIR/python_ml/list_fetcher/run_fetcher.py"
+if [ ! -f "$FETCHER_SCRIPT" ]; then
+    echo -e "${RED}❌ Script fetcher non trovato: $FETCHER_SCRIPT${NC}"
+    exit 1
+fi
+
+# Copia file systemd
+echo -e "${BLUE}📦 Installazione file systemd...${NC}"
+
+cp "$SERVICE_SRC" "$SYSTEMD_DIR/ids-list-fetcher.service"
+cp "$TIMER_SRC" "$SYSTEMD_DIR/ids-list-fetcher.timer"
+
+echo -e "${GREEN}   ✅ ids-list-fetcher.service installato${NC}"
+echo -e "${GREEN}   ✅ ids-list-fetcher.timer installato${NC}"
+
+# Ricarica systemd
+echo -e "${BLUE}🔄 Ricarica configurazione systemd...${NC}"
+systemctl daemon-reload
+echo -e "${GREEN}✅ Daemon ricaricato${NC}"
+
+# Abilita e avvia timer
+echo -e "${BLUE}⏱️  Abilitazione timer (ogni 10 minuti)...${NC}"
+systemctl enable ids-list-fetcher.timer
+systemctl start ids-list-fetcher.timer
+echo -e "${GREEN}✅ Timer abilitato e avviato${NC}"
+
+# Test esecuzione manuale
+echo -e "${BLUE}🧪 Test esecuzione fetcher...${NC}"
+if systemctl start ids-list-fetcher.service; then
+    echo -e "${GREEN}✅ Fetcher eseguito con successo${NC}"
+else
+    echo -e "${YELLOW}⚠️  Prima esecuzione potrebbe fallire se liste non configurate${NC}"
+fi
+
+# Mostra stato
+echo ""
+echo -e "${GREEN}╔═══════════════════════════════════════════════╗${NC}"
+echo -e "${GREEN}║   ✅ INSTALLAZIONE COMPLETATA                 ║${NC}"
+echo -e "${GREEN}╚═══════════════════════════════════════════════╝${NC}"
+echo ""
+echo -e "${BLUE}📋 COMANDI UTILI:${NC}"
+echo -e "   • Stato timer:     ${YELLOW}systemctl status ids-list-fetcher.timer${NC}"
+echo -e "   • Stato service:   ${YELLOW}systemctl status ids-list-fetcher.service${NC}"
+echo -e "   • Esegui manuale:  ${YELLOW}systemctl start ids-list-fetcher.service${NC}"
+echo -e "   • Visualizza logs: ${YELLOW}journalctl -u ids-list-fetcher -n 50${NC}"
+echo -e "   • Timer attivi:    ${YELLOW}systemctl list-timers | grep ids${NC}"
+echo ""

deployment/install_ml_deps.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# Script per installare dipendenze ML Hybrid Detector
+# SEMPLIFICATO: usa sklearn.IsolationForest (nessuna compilazione richiesta!)
+
+set -e
+
+echo "╔═══════════════════════════════════════════════╗"
+echo "║   INSTALLAZIONE DIPENDENZE ML HYBRID        ║"
+echo "╚═══════════════════════════════════════════════╝"
+echo ""
+
+# Vai alla directory python_ml
+cd "$(dirname "$0")/../python_ml" || exit 1
+
+echo "📍 Directory corrente: $(pwd)"
+echo ""
+
+# Verifica venv
+if [ ! -d "venv" ]; then
+    echo "❌ ERRORE: Virtual environment non trovato in $(pwd)/venv"
+    echo "   Esegui prima: python3 -m venv venv"
+    exit 1
+fi
+
+# Attiva venv
+echo "🔧 Attivazione virtual environment..."
+source venv/bin/activate
+
+# Verifica che stiamo usando il venv
+PYTHON_PATH=$(which python)
+echo "📍 Python in uso: $PYTHON_PATH"
+if [[ ! "$PYTHON_PATH" =~ "venv" ]]; then
+    echo "⚠️  WARNING: Non stiamo usando il venv correttamente!"
+fi
+
+echo ""
+
+# STEP 1: Aggiorna pip/setuptools/wheel
+echo "📦 Step 1/2: Aggiornamento pip/setuptools/wheel..."
+python -m pip install --upgrade pip setuptools wheel
+
+if [ $? -eq 0 ]; then
+    echo "✅ pip/setuptools/wheel aggiornati"
+else
+    echo "❌ Errore durante aggiornamento pip"
+    exit 1
+fi
+
+echo ""
+
+# STEP 2: Installa dipendenze ML da requirements.txt
+echo "📦 Step 2/2: Installazione dipendenze ML..."
+python -m pip install xgboost==2.0.3 joblib==1.3.2
+
+if [ $? -eq 0 ]; then
+    echo "✅ Dipendenze ML installate con successo"
+else
+    echo "❌ Errore durante installazione dipendenze ML"
+    exit 1
+fi
+
+echo ""
+echo "✅ INSTALLAZIONE COMPLETATA!"
+echo ""
+echo "🧪 Test import componenti ML..."
+python -c "from sklearn.ensemble import IsolationForest; from xgboost import XGBClassifier; print('✅ sklearn IsolationForest OK'); print('✅ XGBoost OK')"
+
+if [ $? -eq 0 ]; then
+    echo ""
+    echo "✅ TUTTO OK! Hybrid ML Detector pronto per l'uso"
+    echo ""
+    echo "ℹ️  INFO: Sistema usa sklearn.IsolationForest (compatibile Python 3.11+)"
+    echo ""
+    echo "📋 Prossimi step:"
+    echo "   1. Test rapido: python train_hybrid.py --mode test"
+    echo "   2. Training completo: python train_hybrid.py --mode train"
+else
+    echo "❌ Errore durante test import componenti ML"
+    exit 1
+fi

deployment/install_python_deps.sh

@@ -57,6 +57,8 @@ pip install psycopg2-binary==2.9.9
 pip install pandas==2.1.3
 pip install numpy==1.26.2
 pip install scikit-learn==1.3.2
+pip install httpx==0.25.1
+pip install joblib==1.3.2
 
 echo -e "${GREEN}✅ Dipendenze Python installate${NC}"
 
@@ -64,13 +66,22 @@ echo -e "${GREEN}✅ Dipendenze Python installate${NC}"
 echo -e "${BLUE}🔐 Impostazione permessi...${NC}"
 chown -R ids:ids "$VENV_DIR"
 
+# Crea directory models per salvataggio modelli ML
+echo -e "${BLUE}📁 Creazione directory models...${NC}"
+mkdir -p "${IDS_DIR}/python_ml/models"
+chown -R ids:ids "${IDS_DIR}/python_ml/models"
+chmod 755 "${IDS_DIR}/python_ml/models"
+echo -e "${GREEN}✅ Directory models configurata${NC}"
+
 # Verifica installazione
 echo -e "\n${BLUE}🔍 Verifica installazione:${NC}"
 source "${VENV_DIR}/bin/activate"
-python3 -c "import fastapi; print(f'FastAPI: {fastapi.__version__}')"
+python3 -c "import fastapi; print(f'✅ FastAPI: {fastapi.__version__}')"
-python3 -c "import uvicorn; print(f'Uvicorn: {uvicorn.__version__}')"
+python3 -c "import uvicorn; print(f'✅ Uvicorn: {uvicorn.__version__}')"
-python3 -c "import sklearn; print(f'Scikit-learn: {sklearn.__version__}')"
+python3 -c "import sklearn; print(f'✅ Scikit-learn: {sklearn.__version__}')"
-python3 -c "import pandas; print(f'Pandas: {pandas.__version__}')"
+python3 -c "import pandas; print(f'✅ Pandas: {pandas.__version__}')"
+python3 -c "import httpx; print(f'✅ HTTPX: {httpx.__version__}')"
+python3 -c "import joblib; print(f'✅ Joblib: {joblib.__version__}')"
 
 echo -e "\n${GREEN}╔═══════════════════════════════════════════════╗${NC}"
 echo -e "${GREEN}║   ✅ DIPENDENZE PYTHON INSTALLATE             ║${NC}"

deployment/install_systemd_services.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+# Install IDS Systemd Services
+# Run this script with sudo on the AlmaLinux server
+
+set -e
+
+echo "========================================="
+echo "IDS Systemd Services Installation"
+echo "========================================="
+
+# Check if running as root
+if [ "$EUID" -ne 0 ]; then 
+  echo "Error: This script must be run as root (use sudo)"
+  exit 1
+fi
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
+
+echo ""
+echo "📋 Installing systemd service files..."
+
+# Copy service files
+cp "$PROJECT_ROOT/deployment/systemd/ids-ml-backend.service" /etc/systemd/system/
+cp "$PROJECT_ROOT/deployment/systemd/ids-syslog-parser.service" /etc/systemd/system/
+
+# Ensure correct permissions
+chmod 644 /etc/systemd/system/ids-ml-backend.service
+chmod 644 /etc/systemd/system/ids-syslog-parser.service
+
+echo "✅ Service files copied to /etc/systemd/system/"
+
+echo ""
+echo "🔄 Reloading systemd daemon..."
+systemctl daemon-reload
+
+echo ""
+echo "🔧 Enabling services to start on boot..."
+systemctl enable ids-ml-backend.service
+systemctl enable ids-syslog-parser.service
+
+echo ""
+echo "========================================="
+echo "✅ Installation Complete!"
+echo "========================================="
+echo ""
+echo "Next steps:"
+echo ""
+echo "1. Start the services:"
+echo "   sudo systemctl start ids-ml-backend"
+echo "   sudo systemctl start ids-syslog-parser"
+echo ""
+echo "2. Check status:"
+echo "   sudo systemctl status ids-ml-backend"
+echo "   sudo systemctl status ids-syslog-parser"
+echo ""
+echo "3. View logs:"
+echo "   tail -f /var/log/ids/ml_backend.log"
+echo "   tail -f /var/log/ids/syslog_parser.log"
+echo ""
+echo "Services are now configured with auto-restart (Restart=always)"
+echo "They will automatically restart on crash and at system boot."
+echo ""

deployment/migrations/006_add_public_lists.sql

@@ -0,0 +1,116 @@
+-- Migration 006: Add Public Lists Integration
+-- Description: Adds blacklist/whitelist public sources with auto-sync support
+-- Author: IDS System
+-- Date: 2024-11-26
+-- NOTE: Fully idempotent - safe to run multiple times
+
+BEGIN;
+
+-- ============================================================================
+-- 1. CREATE NEW TABLES
+-- ============================================================================
+
+-- Public threat/whitelist sources configuration
+CREATE TABLE IF NOT EXISTS public_lists (
+    id VARCHAR PRIMARY KEY DEFAULT gen_random_uuid(),
+    name TEXT NOT NULL,
+    type TEXT NOT NULL CHECK (type IN ('blacklist', 'whitelist')),
+    url TEXT NOT NULL,
+    enabled BOOLEAN NOT NULL DEFAULT true,
+    fetch_interval_minutes INTEGER NOT NULL DEFAULT 10,
+    last_fetch TIMESTAMP,
+    last_success TIMESTAMP,
+    total_ips INTEGER NOT NULL DEFAULT 0,
+    active_ips INTEGER NOT NULL DEFAULT 0,
+    error_count INTEGER NOT NULL DEFAULT 0,
+    last_error TEXT,
+    created_at TIMESTAMP NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS public_lists_type_idx ON public_lists(type);
+CREATE INDEX IF NOT EXISTS public_lists_enabled_idx ON public_lists(enabled);
+
+-- Public blacklist IPs from external sources
+CREATE TABLE IF NOT EXISTS public_blacklist_ips (
+    id VARCHAR PRIMARY KEY DEFAULT gen_random_uuid(),
+    ip_address TEXT NOT NULL,
+    cidr_range TEXT,
+    list_id VARCHAR NOT NULL REFERENCES public_lists(id) ON DELETE CASCADE,
+    first_seen TIMESTAMP NOT NULL DEFAULT NOW(),
+    last_seen TIMESTAMP NOT NULL DEFAULT NOW(),
+    is_active BOOLEAN NOT NULL DEFAULT true
+);
+
+CREATE INDEX IF NOT EXISTS public_blacklist_ip_idx ON public_blacklist_ips(ip_address);
+CREATE INDEX IF NOT EXISTS public_blacklist_list_idx ON public_blacklist_ips(list_id);
+CREATE INDEX IF NOT EXISTS public_blacklist_active_idx ON public_blacklist_ips(is_active);
+
+-- Create unique constraint only if not exists
+DO $$ 
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_indexes 
+        WHERE indexname = 'public_blacklist_ip_list_key'
+    ) THEN
+        CREATE UNIQUE INDEX public_blacklist_ip_list_key ON public_blacklist_ips(ip_address, list_id);
+    END IF;
+END $$;
+
+-- ============================================================================
+-- 2. ALTER EXISTING TABLES
+-- ============================================================================
+
+-- Extend detections table with public list source tracking
+ALTER TABLE detections 
+ADD COLUMN IF NOT EXISTS detection_source TEXT NOT NULL DEFAULT 'ml_model',
+ADD COLUMN IF NOT EXISTS blacklist_id VARCHAR;
+
+CREATE INDEX IF NOT EXISTS detection_source_idx ON detections(detection_source);
+
+-- Add check constraint for valid detection sources
+DO $$ 
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint 
+        WHERE conname = 'detections_source_check'
+    ) THEN
+        ALTER TABLE detections 
+        ADD CONSTRAINT detections_source_check 
+        CHECK (detection_source IN ('ml_model', 'public_blacklist', 'hybrid'));
+    END IF;
+END $$;
+
+-- Extend whitelist table with source tracking
+ALTER TABLE whitelist
+ADD COLUMN IF NOT EXISTS source TEXT NOT NULL DEFAULT 'manual',
+ADD COLUMN IF NOT EXISTS list_id VARCHAR;
+
+CREATE INDEX IF NOT EXISTS whitelist_source_idx ON whitelist(source);
+
+-- Add check constraint for valid whitelist sources
+DO $$ 
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint 
+        WHERE conname = 'whitelist_source_check'
+    ) THEN
+        ALTER TABLE whitelist 
+        ADD CONSTRAINT whitelist_source_check 
+        CHECK (source IN ('manual', 'aws', 'gcp', 'cloudflare', 'iana', 'ntp', 'other'));
+    END IF;
+END $$;
+
+-- ============================================================================
+-- 3. UPDATE SCHEMA VERSION
+-- ============================================================================
+
+INSERT INTO schema_version (id, version, description)
+VALUES (1, 6, 'Add public lists integration (blacklist/whitelist sources)')
+ON CONFLICT (id) DO UPDATE 
+SET version = 6, 
+    description = 'Add public lists integration (blacklist/whitelist sources)',
+    applied_at = NOW();
+
+COMMIT;
+
+SELECT 'Migration 006 completed successfully' as status;

deployment/migrations/007_add_cidr_support.sql

@@ -0,0 +1,88 @@
+-- Migration 007: Add INET/CIDR support for proper network range matching
+-- Required for public lists integration (Spamhaus /24, AWS ranges, etc.)
+-- Date: 2025-11-26
+-- NOTE: Handles case where columns exist as TEXT type (from Drizzle)
+
+BEGIN;
+
+-- ============================================================================
+-- FIX: Drop TEXT columns and recreate as proper INET/CIDR types
+-- ============================================================================
+
+-- Check column type and fix if needed for public_blacklist_ips
+DO $$
+DECLARE
+    col_type text;
+BEGIN
+    -- Check ip_inet column type
+    SELECT data_type INTO col_type 
+    FROM information_schema.columns 
+    WHERE table_name = 'public_blacklist_ips' AND column_name = 'ip_inet';
+    
+    IF col_type = 'text' THEN
+        -- Drop the wrong type columns
+        ALTER TABLE public_blacklist_ips DROP COLUMN IF EXISTS ip_inet;
+        ALTER TABLE public_blacklist_ips DROP COLUMN IF EXISTS cidr_inet;
+        RAISE NOTICE 'Dropped TEXT columns, will recreate as INET/CIDR';
+    END IF;
+END $$;
+
+-- Add INET/CIDR columns with correct types
+ALTER TABLE public_blacklist_ips 
+  ADD COLUMN IF NOT EXISTS ip_inet inet,
+  ADD COLUMN IF NOT EXISTS cidr_inet cidr;
+
+-- Populate new columns from existing text data
+UPDATE public_blacklist_ips 
+SET ip_inet = ip_address::inet,
+    cidr_inet = CASE 
+      WHEN cidr_range IS NOT NULL THEN cidr_range::cidr
+      ELSE (ip_address || '/32')::cidr
+    END
+WHERE ip_inet IS NULL OR cidr_inet IS NULL;
+
+-- Create GiST indexes for INET operators
+CREATE INDEX IF NOT EXISTS public_blacklist_ip_inet_idx ON public_blacklist_ips USING gist(ip_inet inet_ops);
+CREATE INDEX IF NOT EXISTS public_blacklist_cidr_inet_idx ON public_blacklist_ips USING gist(cidr_inet inet_ops);
+
+-- ============================================================================
+-- Fix whitelist table
+-- ============================================================================
+
+DO $$
+DECLARE
+    col_type text;
+BEGIN
+    SELECT data_type INTO col_type 
+    FROM information_schema.columns 
+    WHERE table_name = 'whitelist' AND column_name = 'ip_inet';
+    
+    IF col_type = 'text' THEN
+        ALTER TABLE whitelist DROP COLUMN IF EXISTS ip_inet;
+        RAISE NOTICE 'Dropped TEXT column from whitelist, will recreate as INET';
+    END IF;
+END $$;
+
+-- Add INET column to whitelist
+ALTER TABLE whitelist
+  ADD COLUMN IF NOT EXISTS ip_inet inet;
+
+-- Populate whitelist INET column
+UPDATE whitelist
+SET ip_inet = CASE
+  WHEN ip_address ~ '/' THEN ip_address::inet
+  ELSE ip_address::inet
+END
+WHERE ip_inet IS NULL;
+
+-- Create index for whitelist INET matching
+CREATE INDEX IF NOT EXISTS whitelist_ip_inet_idx ON whitelist USING gist(ip_inet inet_ops);
+
+-- Update schema version
+UPDATE schema_version SET version = 7, applied_at = NOW() WHERE id = 1;
+
+COMMIT;
+
+-- Verification
+SELECT 'Migration 007 completed successfully' as status;
+SELECT version, applied_at FROM schema_version WHERE id = 1;

deployment/migrations/008_force_inet_types.sql

@@ -0,0 +1,92 @@
+-- Migration 008: Force INET/CIDR types (unconditional)
+-- Fixes issues where columns remained TEXT after conditional migration 007
+-- Date: 2026-01-02
+
+BEGIN;
+
+-- ============================================================================
+-- FORCE DROP AND RECREATE ALL INET COLUMNS
+-- This is unconditional - always executes regardless of current state
+-- ============================================================================
+
+-- Drop indexes first (if exist)
+DROP INDEX IF EXISTS public_blacklist_ip_inet_idx;
+DROP INDEX IF EXISTS public_blacklist_cidr_inet_idx;
+DROP INDEX IF EXISTS whitelist_ip_inet_idx;
+
+-- ============================================================================
+-- FIX public_blacklist_ips TABLE
+-- ============================================================================
+
+-- Drop columns unconditionally
+ALTER TABLE public_blacklist_ips DROP COLUMN IF EXISTS ip_inet;
+ALTER TABLE public_blacklist_ips DROP COLUMN IF EXISTS cidr_inet;
+
+-- Recreate with correct INET/CIDR types
+ALTER TABLE public_blacklist_ips ADD COLUMN ip_inet inet;
+ALTER TABLE public_blacklist_ips ADD COLUMN cidr_inet cidr;
+
+-- Populate from existing text data
+UPDATE public_blacklist_ips 
+SET 
+    ip_inet = CASE 
+        WHEN ip_address ~ '/' THEN ip_address::inet
+        ELSE ip_address::inet
+    END,
+    cidr_inet = CASE 
+        WHEN cidr_range IS NOT NULL AND cidr_range != '' THEN cidr_range::cidr
+        WHEN ip_address ~ '/' THEN ip_address::cidr
+        ELSE (ip_address || '/32')::cidr
+    END
+WHERE ip_inet IS NULL;
+
+-- Create GiST indexes for fast INET/CIDR containment operators
+CREATE INDEX public_blacklist_ip_inet_idx ON public_blacklist_ips USING gist(ip_inet inet_ops);
+CREATE INDEX public_blacklist_cidr_inet_idx ON public_blacklist_ips USING gist(cidr_inet inet_ops);
+
+-- ============================================================================
+-- FIX whitelist TABLE
+-- ============================================================================
+
+-- Drop column unconditionally
+ALTER TABLE whitelist DROP COLUMN IF EXISTS ip_inet;
+
+-- Recreate with correct INET type
+ALTER TABLE whitelist ADD COLUMN ip_inet inet;
+
+-- Populate from existing text data
+UPDATE whitelist
+SET ip_inet = CASE
+    WHEN ip_address ~ '/' THEN ip_address::inet
+    ELSE ip_address::inet
+END
+WHERE ip_inet IS NULL;
+
+-- Create index for whitelist
+CREATE INDEX whitelist_ip_inet_idx ON whitelist USING gist(ip_inet inet_ops);
+
+-- ============================================================================
+-- UPDATE SCHEMA VERSION
+-- ============================================================================
+
+UPDATE schema_version SET version = 8, applied_at = NOW() WHERE id = 1;
+
+COMMIT;
+
+-- ============================================================================
+-- VERIFICATION
+-- ============================================================================
+
+SELECT 'Migration 008 completed successfully' as status;
+SELECT version, applied_at FROM schema_version WHERE id = 1;
+
+-- Verify column types
+SELECT 
+    table_name, 
+    column_name, 
+    data_type
+FROM information_schema.columns 
+WHERE 
+    (table_name = 'public_blacklist_ips' AND column_name IN ('ip_inet', 'cidr_inet'))
+    OR (table_name = 'whitelist' AND column_name = 'ip_inet')
+ORDER BY table_name, column_name;

deployment/migrations/009_add_microsoft_meta_lists.sql

@@ -0,0 +1,33 @@
+-- Migration 009: Add Microsoft Azure and Meta/Facebook public lists
+-- Date: 2026-01-02
+
+-- Microsoft Azure IP ranges (whitelist - cloud provider)
+INSERT INTO public_lists (name, url, type, format, enabled, description, fetch_interval)
+VALUES (
+    'Microsoft Azure',
+    'https://raw.githubusercontent.com/femueller/cloud-ip-ranges/master/microsoft-azure-ip-ranges.json',
+    'whitelist',
+    'json',
+    true,
+    'Microsoft Azure cloud IP ranges - auto-updated from Azure Service Tags',
+    3600
+) ON CONFLICT (name) DO UPDATE SET
+    url = EXCLUDED.url,
+    description = EXCLUDED.description;
+
+-- Meta/Facebook IP ranges (whitelist - major service provider)
+INSERT INTO public_lists (name, url, type, format, enabled, description, fetch_interval)
+VALUES (
+    'Meta (Facebook)',
+    'https://raw.githubusercontent.com/parseword/util-misc/master/block-facebook/facebook-ip-ranges.txt',
+    'whitelist',
+    'plain',
+    true,
+    'Meta/Facebook IP ranges (includes Instagram, WhatsApp, Oculus) from BGP AS32934/AS54115/AS63293',
+    3600
+) ON CONFLICT (name) DO UPDATE SET
+    url = EXCLUDED.url,
+    description = EXCLUDED.description;
+
+-- Verify insertion
+SELECT id, name, type, enabled, url FROM public_lists WHERE name IN ('Microsoft Azure', 'Meta (Facebook)');

deployment/restart_frontend.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+#
+# Restart IDS Frontend (Node.js/Express/Vite)
+# Utility per restart manuale del server frontend
+#
+
+set -e
+
+echo "🔄 Restart Frontend Node.js..."
+
+# Kill AGGRESSIVO di tutti i processi Node/Vite
+echo "⏸️  Stopping all Node/Vite processes..."
+pkill -9 -f "node.*tsx" 2>/dev/null || true
+pkill -9 -f "vite" 2>/dev/null || true
+pkill -9 -f "npm run dev" 2>/dev/null || true
+sleep 2
+
+# Kill processo sulla porta 5000 (se esiste)
+echo "🔍 Liberando porta 5000..."
+lsof -ti:5000 | xargs kill -9 2>/dev/null || true
+sleep 1
+
+# Verifica porta LIBERA
+if lsof -Pi :5000 -sTCP:LISTEN -t >/dev/null 2>&1; then
+    echo "❌ ERRORE: Porta 5000 ancora occupata!"
+    echo "Processi sulla porta:"
+    lsof -i:5000
+    exit 1
+fi
+
+echo "✅ Porta 5000 libera"
+
+# Restart usando check_frontend.sh
+echo "🚀 Starting frontend..."
+/opt/ids/deployment/check_frontend.sh
+
+# Attendi avvio completo
+sleep 5
+
+# Verifica avvio
+if pgrep -f "vite" > /dev/null; then
+    PID=$(pgrep -f "vite")
+    echo "✅ Frontend avviato con PID: $PID"
+    echo "📡 Server disponibile su: http://localhost:5000"
+    
+    # Test rapido
+    sleep 2
+    HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:5000/ 2>/dev/null || echo "000")
+    if [ "$HTTP_CODE" = "200" ]; then
+        echo "✅ HTTP test OK (200)"
+    else
+        echo "⚠️  HTTP test: $HTTP_CODE"
+    fi
+else
+    echo "❌ Errore: Frontend non avviato!"
+    echo "📋 Controlla log: tail -f /var/log/ids/frontend.log"
+    exit 1
+fi

deployment/run_analytics.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+#
+# IDS Analytics Aggregator - Manual Execution Wrapper
+# Carica credenziali da .env e esegue aggregazione
+#
+# Usage:
+#   ./run_analytics.sh hourly
+#   ./run_analytics.sh daily
+#
+
+set -e
+
+# Verifica parametro
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 {hourly|daily}"
+    exit 1
+fi
+
+MODE=$1
+
+# Verifica modo valido
+if [ "$MODE" != "hourly" ] && [ "$MODE" != "daily" ]; then
+    echo "Errore: modo deve essere 'hourly' o 'daily'"
+    exit 1
+fi
+
+# Directory IDS
+IDS_DIR="/opt/ids"
+ENV_FILE="$IDS_DIR/.env"
+SCRIPT="$IDS_DIR/python_ml/analytics_aggregator.py"
+VENV="$IDS_DIR/python_ml/venv/bin/python3"
+
+# Verifica file .env esiste
+if [ ! -f "$ENV_FILE" ]; then
+    echo "Errore: File $ENV_FILE non trovato!"
+    exit 1
+fi
+
+# Verifica permessi .env (deve essere readable solo da owner)
+ENV_PERMS=$(stat -c %a "$ENV_FILE")
+if [ "$ENV_PERMS" != "600" ] && [ "$ENV_PERMS" != "400" ]; then
+    echo "Attenzione: $ENV_FILE dovrebbe avere permessi 600 (rw-------)"
+    echo "Esegui: chmod 600 $ENV_FILE"
+fi
+
+# Carica variabili d'ambiente e esegui aggregatore
+echo "🔄 Esecuzione aggregazione $MODE..."
+
+# Export variabili da .env
+set -a
+source "$ENV_FILE"
+set +a
+
+# Esegui come user ids con venv
+if [ "$(whoami)" = "ids" ]; then
+    # Già user ids
+    "$VENV" "$SCRIPT" "$MODE"
+else
+    # Switch a user ids
+    sudo -u ids -E "$VENV" "$SCRIPT" "$MODE"
+fi
+
+echo "✅ Aggregazione $MODE completata!"

deployment/run_cleanup.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+# =========================================================
+# IDS - Cleanup Detections Runner
+# =========================================================
+# Esegue cleanup automatico delle detections secondo regole:
+# - Cancella detections non anomale dopo 48h
+# - Sblocca IP bloccati se non più anomali dopo 2h
+#
+# Uso: ./run_cleanup.sh
+# =========================================================
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+# Carica variabili ambiente
+if [ -f "$PROJECT_ROOT/.env" ]; then
+    set -a
+    source "$PROJECT_ROOT/.env"
+    set +a
+else
+    echo "❌ File .env non trovato in $PROJECT_ROOT"
+    exit 1
+fi
+
+# Log
+LOG_FILE="/var/log/ids/cleanup.log"
+mkdir -p /var/log/ids
+
+echo "=========================================" >> "$LOG_FILE"
+echo "[$(date)] Cleanup automatico avviato" >> "$LOG_FILE"
+echo "=========================================" >> "$LOG_FILE"
+
+# Esegui cleanup
+cd "$PROJECT_ROOT"
+python3 python_ml/cleanup_detections.py >> "$LOG_FILE" 2>&1
+
+EXIT_CODE=$?
+
+if [ $EXIT_CODE -eq 0 ]; then
+    echo "[$(date)] Cleanup completato con successo" >> "$LOG_FILE"
+else
+    echo "[$(date)] Cleanup fallito (exit code: $EXIT_CODE)" >> "$LOG_FILE"
+fi
+
+echo "" >> "$LOG_FILE"
+exit $EXIT_CODE

deployment/run_ml_training.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+#
+# ML Training Wrapper - Esecuzione Automatica via Systemd
+# Carica credenziali da .env in modo sicuro
+#
+
+set -e
+
+IDS_ROOT="/opt/ids"
+ENV_FILE="$IDS_ROOT/.env"
+PYTHON_ML_DIR="$IDS_ROOT/python_ml"
+VENV_PYTHON="$PYTHON_ML_DIR/venv/bin/python"
+LOG_DIR="/var/log/ids"
+
+# Crea directory log se non esiste
+mkdir -p "$LOG_DIR"
+
+# File log dedicato
+LOG_FILE="$LOG_DIR/ml-training.log"
+
+# Funzione logging
+log() {
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
+}
+
+log "========================================="
+log "ML Training - Avvio automatico"
+log "========================================="
+
+# Verifica .env
+if [ ! -f "$ENV_FILE" ]; then
+    log "ERROR: File .env non trovato: $ENV_FILE"
+    exit 1
+fi
+
+# Carica variabili ambiente
+log "Caricamento credenziali database..."
+set -a
+source "$ENV_FILE"
+set +a
+
+# Verifica credenziali
+if [ -z "$PGPASSWORD" ]; then
+    log "ERROR: PGPASSWORD non trovata in .env"
+    exit 1
+fi
+
+DB_HOST="${PGHOST:-localhost}"
+DB_PORT="${PGPORT:-5432}"
+DB_NAME="${PGDATABASE:-ids}"
+DB_USER="${PGUSER:-postgres}"
+
+log "Database: $DB_USER@$DB_HOST:$DB_PORT/$DB_NAME"
+
+# Verifica venv
+if [ ! -f "$VENV_PYTHON" ]; then
+    log "ERROR: Venv Python non trovato: $VENV_PYTHON"
+    exit 1
+fi
+
+# Parametri training
+DAYS="${ML_TRAINING_DAYS:-7}"  # Default 7 giorni, configurabile via env var
+
+log "Training ultimi $DAYS giorni di traffico..."
+
+# Esegui training
+cd "$PYTHON_ML_DIR"
+"$VENV_PYTHON" train_hybrid.py --train --source database \
+  --db-host "$DB_HOST" \
+  --db-port "$DB_PORT" \
+  --db-name "$DB_NAME" \
+  --db-user "$DB_USER" \
+  --db-password "$PGPASSWORD" \
+  --days "$DAYS" 2>&1 | tee -a "$LOG_FILE"
+
+# Check exit code
+if [ ${PIPESTATUS[0]} -eq 0 ]; then
+    log "========================================="
+    log "✅ Training completato con successo!"
+    log "========================================="
+    log "Modelli salvati in: $PYTHON_ML_DIR/models/"
+    log ""
+    log "Il ML backend caricherà automaticamente i nuovi modelli al prossimo riavvio."
+    log "Per applicare immediatamente: sudo systemctl restart ids-ml-backend"
+    exit 0
+else
+    log "========================================="
+    log "❌ ERRORE durante il training"
+    log "========================================="
+    log "Controlla log completo: $LOG_FILE"
+    exit 1
+fi

deployment/scripts/deploy_public_lists.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+# Deploy Public Lists Integration (v2.0.0)
+# Run on AlmaLinux 9 server after git pull
+
+set -e
+
+echo "=================================="
+echo "PUBLIC LISTS DEPLOYMENT - v2.0.0"
+echo "=================================="
+
+# 1. Database Migration
+echo -e "\n[1/5] Running database migration..."
+sudo -u postgres psql -d ids_system -f deployment/migrations/006_add_public_lists.sql
+echo "✓ Migration 006 applied"
+
+# 2. Seed default lists
+echo -e "\n[2/5] Seeding default public lists..."
+cd python_ml/list_fetcher
+DATABASE_URL=$DATABASE_URL python seed_lists.py
+cd ../..
+echo "✓ Default lists seeded"
+
+# 3. Install systemd services
+echo -e "\n[3/5] Installing systemd services..."
+sudo cp deployment/systemd/ids-list-fetcher.service /etc/systemd/system/
+sudo cp deployment/systemd/ids-list-fetcher.timer /etc/systemd/system/
+sudo systemctl daemon-reload
+echo "✓ Systemd services installed"
+
+# 4. Enable and start
+echo -e "\n[4/5] Enabling services..."
+sudo systemctl enable ids-list-fetcher.timer
+sudo systemctl start ids-list-fetcher.timer
+echo "✓ Timer enabled (10-minute intervals)"
+
+# 5. Initial sync
+echo -e "\n[5/5] Running initial sync..."
+sudo systemctl start ids-list-fetcher.service
+echo "✓ Initial sync triggered"
+
+echo -e "\n=================================="
+echo "DEPLOYMENT COMPLETE"
+echo "=================================="
+echo ""
+echo "Verify:"
+echo "  journalctl -u ids-list-fetcher -n 50"
+echo "  systemctl status ids-list-fetcher.timer"
+echo ""
+echo "Check UI: http://your-server/public-lists"
+echo ""

deployment/setup_analytics_timer.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+# Setup systemd timer for analytics aggregation
+# Deve essere eseguito come root
+
+set -e
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+BLUE='\033[0;34m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+echo -e "${BLUE}╔═══════════════════════════════════════════════╗${NC}"
+echo -e "${BLUE}║   IDS Analytics Timer Setup                  ║${NC}"
+echo -e "${BLUE}╚═══════════════════════════════════════════════╝${NC}"
+echo ""
+
+# Check root
+if [ "$EUID" -ne 0 ]; then 
+    echo -e "${RED}❌ Questo script deve essere eseguito come root${NC}"
+    echo -e "${YELLOW}   Usa: sudo $0${NC}"
+    exit 1
+fi
+
+IDS_DIR="/opt/ids"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Copy systemd files
+echo -e "${BLUE}📋 Copia file systemd...${NC}"
+cp "${SCRIPT_DIR}/ids-analytics-aggregator.service" /etc/systemd/system/
+cp "${SCRIPT_DIR}/ids-analytics-aggregator.timer" /etc/systemd/system/
+
+# Set permissions
+chmod 644 /etc/systemd/system/ids-analytics-aggregator.service
+chmod 644 /etc/systemd/system/ids-analytics-aggregator.timer
+
+# Reload systemd
+echo -e "${BLUE}🔄 Reload systemd daemon...${NC}"
+systemctl daemon-reload
+
+# Enable and start timer
+echo -e "${BLUE}⚙️  Enable e start timer...${NC}"
+systemctl enable ids-analytics-aggregator.timer
+systemctl start ids-analytics-aggregator.timer
+
+# Check status
+echo -e "\n${BLUE}📊 Stato timer:${NC}"
+systemctl status ids-analytics-aggregator.timer --no-pager
+
+echo -e "\n${BLUE}📅 Prossime esecuzioni:${NC}"
+systemctl list-timers ids-analytics-aggregator.timer --no-pager
+
+echo -e "\n${GREEN}╔═══════════════════════════════════════════════╗${NC}"
+echo -e "${GREEN}║   ✅ ANALYTICS TIMER CONFIGURATO              ║${NC}"
+echo -e "${GREEN}╚═══════════════════════════════════════════════╝${NC}"
+echo ""
+echo -e "${BLUE}📝 Comandi utili:${NC}"
+echo -e "   ${YELLOW}Stato timer:${NC}        sudo systemctl status ids-analytics-aggregator.timer"
+echo -e "   ${YELLOW}Prossime run:${NC}       sudo systemctl list-timers"
+echo -e "   ${YELLOW}Log aggregazione:${NC}   sudo journalctl -u ids-analytics-aggregator -f"
+echo -e "   ${YELLOW}Test manuale:${NC}       sudo systemctl start ids-analytics-aggregator"
+echo ""

deployment/setup_cleanup_timer.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+# =========================================================
+# IDS - Setup Cleanup Timer
+# =========================================================
+# Installa e avvia il timer systemd per cleanup automatico
+#
+# Uso: sudo ./deployment/setup_cleanup_timer.sh
+# =========================================================
+
+set -e
+
+if [ "$EUID" -ne 0 ]; then 
+    echo "❌ Questo script deve essere eseguito come root (sudo)"
+    exit 1
+fi
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+echo "🔧 Setup IDS Cleanup Timer..."
+echo ""
+
+# 1. Installa dipendenze Python
+echo "[1/7] Installazione dipendenze Python..."
+pip3 install -q psycopg2-binary python-dotenv || {
+    echo "⚠️  Installazione pip fallita, provo con requirements.txt..."
+    pip3 install -q -r "$SCRIPT_DIR/../python_ml/requirements.txt" || {
+        echo "❌ Errore installazione dipendenze!"
+        echo "💡 Esegui manualmente: sudo pip3 install psycopg2-binary python-dotenv"
+        exit 1
+    }
+}
+
+# 2. Crea directory log
+echo "[2/7] Creazione directory log..."
+mkdir -p /var/log/ids
+chmod 755 /var/log/ids
+
+# 3. Rendi eseguibili gli script
+echo "[3/7] Permessi esecuzione script..."
+chmod +x "$SCRIPT_DIR/run_cleanup.sh"
+chmod +x "$SCRIPT_DIR/../python_ml/cleanup_detections.py"
+
+# 4. Copia service file
+echo "[4/7] Installazione service file..."
+cp "$SCRIPT_DIR/systemd/ids-cleanup.service" /etc/systemd/system/
+cp "$SCRIPT_DIR/systemd/ids-cleanup.timer" /etc/systemd/system/
+
+# 5. Reload systemd
+echo "[5/7] Reload systemd daemon..."
+systemctl daemon-reload
+
+# 6. Abilita timer
+echo "[6/7] Abilitazione timer..."
+systemctl enable ids-cleanup.timer
+
+# 7. Avvia timer
+echo "[7/7] Avvio timer..."
+systemctl start ids-cleanup.timer
+
+echo ""
+echo "✅ Cleanup timer installato e avviato con successo!"
+echo ""
+echo "📊 Status:"
+systemctl status ids-cleanup.timer --no-pager -l
+echo ""
+echo "📅 Prossima esecuzione:"
+systemctl list-timers ids-cleanup.timer --no-pager
+echo ""
+echo "💡 Comandi utili:"
+echo "  - Test manuale:        sudo ./deployment/run_cleanup.sh"
+echo "  - Esegui ora:          sudo systemctl start ids-cleanup.service"
+echo "  - Stato timer:         sudo systemctl status ids-cleanup.timer"
+echo "  - Log cleanup:         tail -f /var/log/ids/cleanup.log"
+echo "  - Disabilita timer:    sudo systemctl stop ids-cleanup.timer && sudo systemctl disable ids-cleanup.timer"
+echo ""

deployment/setup_ml_training_timer.sh

@@ -0,0 +1,98 @@
+#!/bin/bash
+#
+# Setup ML Training Systemd Timer
+# Configura training automatico settimanale del modello ML hybrid
+#
+
+set -e
+
+echo "================================================================"
+echo "  SETUP ML TRAINING TIMER - Training Automatico Settimanale"
+echo "================================================================"
+echo ""
+
+# Verifica root
+if [ "$EUID" -ne 0 ]; then 
+    echo "❌ ERRORE: Questo script deve essere eseguito come root"
+    echo "   Usa: sudo $0"
+    exit 1
+fi
+
+IDS_ROOT="/opt/ids"
+SYSTEMD_DIR="/etc/systemd/system"
+
+# Verifica directory IDS
+if [ ! -d "$IDS_ROOT" ]; then
+    echo "❌ ERRORE: Directory IDS non trovata: $IDS_ROOT"
+    exit 1
+fi
+
+echo "📁 Directory IDS: $IDS_ROOT"
+echo ""
+
+# 1. Copia systemd files
+echo "📋 Step 1: Installazione systemd units..."
+
+cp "$IDS_ROOT/deployment/systemd/ids-ml-training.service" "$SYSTEMD_DIR/"
+cp "$IDS_ROOT/deployment/systemd/ids-ml-training.timer" "$SYSTEMD_DIR/"
+
+echo "   ✅ Service copiato: $SYSTEMD_DIR/ids-ml-training.service"
+echo "   ✅ Timer copiato: $SYSTEMD_DIR/ids-ml-training.timer"
+echo ""
+
+# 2. Rendi eseguibile script
+echo "🔧 Step 2: Permessi script..."
+chmod +x "$IDS_ROOT/deployment/run_ml_training.sh"
+echo "   ✅ Script eseguibile: $IDS_ROOT/deployment/run_ml_training.sh"
+echo ""
+
+# 3. Reload systemd
+echo "🔄 Step 3: Reload systemd daemon..."
+systemctl daemon-reload
+echo "   ✅ Daemon reloaded"
+echo ""
+
+# 4. Enable e start timer
+echo "🚀 Step 4: Attivazione timer..."
+systemctl enable ids-ml-training.timer
+systemctl start ids-ml-training.timer
+echo "   ✅ Timer attivato e avviato"
+echo ""
+
+# 5. Verifica status
+echo "📊 Step 5: Verifica configurazione..."
+echo ""
+echo "Timer status:"
+systemctl status ids-ml-training.timer --no-pager
+echo ""
+echo "Prossima esecuzione:"
+systemctl list-timers ids-ml-training.timer --no-pager
+echo ""
+
+echo "================================================================"
+echo "✅ SETUP COMPLETATO!"
+echo "================================================================"
+echo ""
+echo "📅 Schedule: Ogni Lunedì alle 03:00 AM"
+echo "📁 Log: /var/log/ids/ml-training.log"
+echo ""
+echo "🔍 COMANDI UTILI:"
+echo ""
+echo "  # Verifica timer attivo"
+echo "  systemctl status ids-ml-training.timer"
+echo ""
+echo "  # Vedi prossima esecuzione"
+echo "  systemctl list-timers ids-ml-training.timer"
+echo ""
+echo "  # Esegui training manualmente ORA"
+echo "  sudo systemctl start ids-ml-training.service"
+echo ""
+echo "  # Vedi log training"
+echo "  journalctl -u ids-ml-training.service -f"
+echo "  tail -f /var/log/ids/ml-training.log"
+echo ""
+echo "  # Disabilita training automatico"
+echo "  sudo systemctl stop ids-ml-training.timer"
+echo "  sudo systemctl disable ids-ml-training.timer"
+echo ""
+echo "================================================================"

deployment/setup_parser_monitoring.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+###############################################################################
+# Setup Syslog Parser Monitoring
+# Installa cron job per health check automatico ogni 5 minuti
+# Uso: sudo ./deployment/setup_parser_monitoring.sh
+###############################################################################
+
+set -e
+
+echo "📊 Setup Syslog Parser Monitoring..."
+echo
+
+# Make health check script executable
+chmod +x /opt/ids/deployment/check_parser_health.sh
+
+# Setup cron job
+CRON_JOB="*/5 * * * * /opt/ids/deployment/check_parser_health.sh >> /var/log/ids/parser-health-cron.log 2>&1"
+
+# Check if cron job already exists
+if crontab -l 2>/dev/null | grep -q "check_parser_health.sh"; then
+    echo "✅ Cron job già configurato"
+else
+    # Add cron job
+    (crontab -l 2>/dev/null; echo "$CRON_JOB") | crontab -
+    echo "✅ Cron job aggiunto (esecuzione ogni 5 minuti)"
+fi
+
+echo
+echo "📋 Configurazione completata:"
+echo "  - Health check script: /opt/ids/deployment/check_parser_health.sh"
+echo "  - Log file: /var/log/ids/parser-health.log"
+echo "  - Cron log: /var/log/ids/parser-health-cron.log"
+echo "  - Schedule: Every 5 minutes"
+echo
+echo "🔍 Monitoraggio attivo:"
+echo "  - Controlla servizio running"
+echo "  - Verifica log recenti (threshold: 5 min)"
+echo "  - Auto-restart se necessario"
+echo "  - Log errori recenti"
+echo
+echo "📊 Visualizza stato:"
+echo "  tail -f /var/log/ids/parser-health.log"
+echo
+echo "✅ Setup completato!"

deployment/setup_systemd_services.sh

@@ -34,6 +34,13 @@ if [ ! -d "${IDS_DIR}/python_ml/venv" ]; then
     echo ""
 fi
 
+# Crea directory models per ML con permessi corretti
+echo -e "${BLUE}📁 Creazione directory models...${NC}"
+mkdir -p "${IDS_DIR}/python_ml/models"
+chown -R ids:ids "${IDS_DIR}/python_ml/models"
+chmod 755 "${IDS_DIR}/python_ml/models"
+echo -e "${GREEN}✅ Directory models configurata${NC}"
+
 # Verifica esistenza file .env
 if [ ! -f "${IDS_DIR}/.env" ]; then
     echo -e "${RED}❌ File .env non trovato in ${IDS_DIR}/.env${NC}"
@@ -57,12 +64,27 @@ cp "${SYSTEMD_DIR}/ids-syslog-parser.service" /etc/systemd/system/
 echo -e "${BLUE}♻️  Reload systemd daemon...${NC}"
 systemctl daemon-reload
 
-# Stop processi manuali esistenti (se presenti)
+# Stop servizi systemd esistenti (se presenti)
-echo -e "${YELLOW}⏸️  Fermando processi manuali esistenti...${NC}"
+echo -e "${YELLOW}⏸️  Fermando servizi systemd esistenti...${NC}"
-pkill -f "python.*main.py" || true
+systemctl stop ids-ml-backend.service 2>/dev/null || true
-pkill -f "python.*syslog_parser.py" || true
+systemctl stop ids-syslog-parser.service 2>/dev/null || true
+sleep 1
+
+# Kill TUTTI i processi Python manuali dell'utente ids
+echo -e "${YELLOW}🧹 Pulizia processi Python manuali...${NC}"
+pkill -9 -u ids -f "python.*main.py" 2>/dev/null || true
+pkill -9 -u ids -f "python.*syslog_parser.py" 2>/dev/null || true
 sleep 2
 
+# Verifica che porta 8000 sia libera
+if lsof -Pi :8000 -sTCP:LISTEN -t >/dev/null 2>&1; then
+    echo -e "${RED}⚠️  Porta 8000 ancora occupata, killing processo...${NC}"
+    lsof -ti:8000 | xargs kill -9 2>/dev/null || true
+    sleep 1
+fi
+
+echo -e "${GREEN}✅ Pulizia completata${NC}"
+
 # Enable e start services
 echo -e "${BLUE}🚀 Attivazione servizi...${NC}"
 

deployment/systemd/ids-auto-block.service

@@ -0,0 +1,30 @@
+[Unit]
+Description=IDS Auto-Blocking Service - Detect and Block Malicious IPs
+Documentation=https://github.com/yourusername/ids
+After=network.target ids-ml-backend.service postgresql-16.service
+Requires=ids-ml-backend.service
+
+[Service]
+Type=oneshot
+User=ids
+Group=ids
+WorkingDirectory=/opt/ids
+EnvironmentFile=/opt/ids/.env
+
+# Esegui script auto-blocking (usa venv Python)
+ExecStart=/opt/ids/python_ml/venv/bin/python3 /opt/ids/python_ml/auto_block.py
+
+# Logging
+StandardOutput=append:/var/log/ids/auto_block.log
+StandardError=append:/var/log/ids/auto_block.log
+SyslogIdentifier=ids-auto-block
+
+# Security
+NoNewPrivileges=true
+PrivateTmp=true
+
+# Timeout: max 3 minuti per detection+blocking
+TimeoutStartSec=180
+
+[Install]
+WantedBy=multi-user.target

deployment/systemd/ids-auto-block.timer

@@ -0,0 +1,20 @@
+[Unit]
+Description=IDS Auto-Blocking Timer - Run every 5 minutes
+Documentation=https://github.com/yourusername/ids
+Requires=ids-auto-block.service
+
+[Timer]
+# Esegui 2 minuti dopo boot (per dare tempo a ML backend di avviarsi)
+OnBootSec=2min
+
+# Poi esegui ogni 5 minuti
+OnUnitActiveSec=5min
+
+# Precisione: ±1 secondo
+AccuracySec=1s
+
+# Esegui subito se il sistema era spento durante l'esecuzione programmata
+Persistent=true
+
+[Install]
+WantedBy=timers.target

deployment/systemd/ids-cleanup.service

@@ -0,0 +1,26 @@
+[Unit]
+Description=IDS Cleanup Detections Service
+Documentation=https://github.com/yourusername/ids
+After=network.target postgresql.service
+
+[Service]
+Type=oneshot
+User=root
+WorkingDirectory=/opt/ids
+EnvironmentFile=/opt/ids/.env
+ExecStart=/opt/ids/deployment/run_cleanup.sh
+
+# Logging
+StandardOutput=append:/var/log/ids/cleanup.log
+StandardError=append:/var/log/ids/cleanup.log
+
+# Security
+NoNewPrivileges=true
+PrivateTmp=true
+
+# Restart policy (non necessario per oneshot)
+# Restart=on-failure
+# RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

deployment/systemd/ids-cleanup.timer

@@ -0,0 +1,17 @@
+[Unit]
+Description=IDS Cleanup Detections Timer
+Documentation=https://github.com/yourusername/ids
+Requires=ids-cleanup.service
+
+[Timer]
+# Esegui ogni ora al minuto 10 (es. 00:10, 01:10, 02:10, ..., 23:10)
+OnCalendar=*:10:00
+
+# Esegui subito se il sistema era spento durante l'esecuzione programmata
+Persistent=true
+
+# Randomizza esecuzione di ±5 minuti per evitare picchi di carico
+RandomizedDelaySec=300
+
+[Install]
+WantedBy=timers.target

deployment/systemd/ids-list-fetcher.service

@@ -0,0 +1,29 @@
+[Unit]
+Description=IDS Public Lists Fetcher Service
+Documentation=https://github.com/yourorg/ids
+After=network.target postgresql.service
+
+[Service]
+Type=oneshot
+User=root
+WorkingDirectory=/opt/ids/python_ml
+Environment="PYTHONUNBUFFERED=1"
+EnvironmentFile=/opt/ids/.env
+
+# Run list fetcher with virtual environment
+ExecStart=/opt/ids/python_ml/venv/bin/python3 /opt/ids/python_ml/list_fetcher/run_fetcher.py
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=ids-list-fetcher
+
+# Security settings
+PrivateTmp=true
+NoNewPrivileges=true
+
+# Restart policy
+Restart=no
+
+[Install]
+WantedBy=multi-user.target

deployment/systemd/ids-list-fetcher.timer

@@ -0,0 +1,13 @@
+[Unit]
+Description=IDS Public Lists Fetcher Timer (every 10 minutes)
+Documentation=https://github.com/yourorg/ids
+
+[Timer]
+# Run every 10 minutes
+OnCalendar=*:0/10
+OnBootSec=2min
+AccuracySec=1min
+Persistent=true
+
+[Install]
+WantedBy=timers.target

deployment/systemd/ids-ml-backend.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=IDS ML Backend (FastAPI)
-After=network.target postgresql.service
+After=network.target postgresql-16.service
-Requires=postgresql.service
+Wants=postgresql-16.service
 
 [Service]
 Type=simple
@@ -13,9 +13,11 @@ EnvironmentFile=/opt/ids/.env
 # Comando esecuzione (usa virtual environment)
 ExecStart=/opt/ids/python_ml/venv/bin/python3 main.py
 
-# Restart automatico in caso di crash
+# Restart automatico sempre (non solo on-failure)
-Restart=on-failure
+Restart=always
-RestartSec=10s
+RestartSec=10
+StartLimitInterval=300
+StartLimitBurst=5
 
 # Limiti risorse
 LimitNOFILE=65536

deployment/systemd/ids-ml-training.service

@@ -0,0 +1,30 @@
+[Unit]
+Description=IDS ML Hybrid Detector Training
+Documentation=https://github.com/your-repo/ids
+After=network.target postgresql.service
+Requires=postgresql.service
+
+[Service]
+Type=oneshot
+User=root
+WorkingDirectory=/opt/ids/python_ml
+
+# Carica environment file per credenziali database
+EnvironmentFile=/opt/ids/.env
+
+# Esegui training
+ExecStart=/opt/ids/deployment/run_ml_training.sh
+
+# Timeout generoso (training può richiedere fino a 30 min)
+TimeoutStartSec=1800
+
+# Log
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=ids-ml-training
+
+# Restart policy
+Restart=no
+
+[Install]
+WantedBy=multi-user.target

deployment/systemd/ids-ml-training.timer

@@ -0,0 +1,17 @@
+[Unit]
+Description=IDS ML Training - Weekly Retraining
+Documentation=https://github.com/your-repo/ids
+Requires=ids-ml-training.service
+
+[Timer]
+# Esecuzione settimanale: ogni Lunedì alle 03:00 AM
+OnCalendar=Mon *-*-* 03:00:00
+
+# Persistenza: se il server era spento, esegui al prossimo boot
+Persistent=true
+
+# Accuratezza: 5 minuti di tolleranza
+AccuracySec=5min
+
+[Install]
+WantedBy=timers.target

deployment/systemd/ids-syslog-parser.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=IDS Syslog Parser (Network Logs Processor)
-After=network.target postgresql.service rsyslog.service
+After=network.target postgresql-16.service rsyslog.service
-Requires=postgresql.service
+Wants=postgresql-16.service
 
 [Service]
 Type=simple
@@ -13,9 +13,11 @@ EnvironmentFile=/opt/ids/.env
 # Comando esecuzione (usa virtual environment)
 ExecStart=/opt/ids/python_ml/venv/bin/python3 syslog_parser.py
 
-# Restart automatico in caso di crash
+# Restart automatico sempre (non solo on-failure)
-Restart=on-failure
+Restart=always
-RestartSec=10s
+RestartSec=10
+StartLimitInterval=300
+StartLimitBurst=5
 
 # Limiti risorse
 LimitNOFILE=65536

deployment/train_hybrid_production.sh

@@ -0,0 +1,125 @@
+#!/bin/bash
+#
+# Training Hybrid ML Detector su Dati Reali
+# Legge credenziali da /opt/ids/.env automaticamente
+#
+
+set -e  # Exit on error
+
+echo "======================================================================="
+echo "  TRAINING HYBRID ML DETECTOR - DATI REALI"
+echo "======================================================================="
+echo ""
+
+# Percorsi
+IDS_ROOT="/opt/ids"
+ENV_FILE="$IDS_ROOT/.env"
+PYTHON_ML_DIR="$IDS_ROOT/python_ml"
+VENV_PYTHON="$PYTHON_ML_DIR/venv/bin/python"
+
+# Verifica file .env esiste
+if [ ! -f "$ENV_FILE" ]; then
+    echo "❌ ERRORE: File .env non trovato in $ENV_FILE"
+    exit 1
+fi
+
+# Carica variabili da .env
+echo "📂 Caricamento credenziali database da .env..."
+source "$ENV_FILE"
+
+# Estrai credenziali database
+DB_HOST="${PGHOST:-localhost}"
+DB_PORT="${PGPORT:-5432}"
+DB_NAME="${PGDATABASE:-ids}"
+DB_USER="${PGUSER:-postgres}"
+DB_PASSWORD="${PGPASSWORD}"
+
+# Verifica password estratta
+if [ -z "$DB_PASSWORD" ]; then
+    echo "❌ ERRORE: PGPASSWORD non trovata nel file .env"
+    echo "   Aggiungi: PGPASSWORD=tua_password_qui"
+    exit 1
+fi
+
+echo "✅ Credenziali caricate:"
+echo "   Host: $DB_HOST"
+echo "   Port: $DB_PORT"
+echo "   Database: $DB_NAME"
+echo "   User: $DB_USER"
+echo "   Password: ****** (nascosta)"
+echo ""
+
+# Parametri training
+DAYS="${1:-7}"  # Default 7 giorni, puoi passare come argomento
+MAX_SAMPLES="${2:-1000000}"  # Default 1M records max
+
+echo "🎯 Parametri training:"
+echo "   Periodo: ultimi $DAYS giorni"
+echo "   Max records: $MAX_SAMPLES"
+echo ""
+
+# Verifica venv Python
+if [ ! -f "$VENV_PYTHON" ]; then
+    echo "❌ ERRORE: Virtual environment non trovato in $VENV_PYTHON"
+    echo "   Esegui prima: cd $IDS_ROOT && python3 -m venv python_ml/venv"
+    exit 1
+fi
+
+echo "🐍 Python: $VENV_PYTHON"
+echo ""
+
+# Verifica dati disponibili nel database
+echo "📊 Verifica dati disponibili nel database..."
+PGPASSWORD="$DB_PASSWORD" psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" -c "
+SELECT 
+  TO_CHAR(MIN(timestamp), 'YYYY-MM-DD HH24:MI:SS') as primo_log,
+  TO_CHAR(MAX(timestamp), 'YYYY-MM-DD HH24:MI:SS') as ultimo_log,
+  EXTRACT(DAY FROM (MAX(timestamp) - MIN(timestamp))) || ' giorni' as periodo_totale,
+  TO_CHAR(COUNT(*), 'FM999,999,999') as totale_records
+FROM network_logs;
+" 2>/dev/null
+
+if [ $? -ne 0 ]; then
+    echo "⚠️  WARNING: Impossibile verificare dati database (continuo comunque...)"
+fi
+
+echo ""
+echo "🚀 Avvio training..."
+echo ""
+echo "======================================================================="
+
+# Cambia directory
+cd "$PYTHON_ML_DIR"
+
+# Esegui training
+"$VENV_PYTHON" train_hybrid.py --train --source database \
+  --db-host "$DB_HOST" \
+  --db-port "$DB_PORT" \
+  --db-name "$DB_NAME" \
+  --db-user "$DB_USER" \
+  --db-password "$DB_PASSWORD" \
+  --days "$DAYS"
+
+# Check exit code
+if [ $? -eq 0 ]; then
+    echo ""
+    echo "======================================================================="
+    echo "✅ TRAINING COMPLETATO CON SUCCESSO!"
+    echo "======================================================================="
+    echo ""
+    echo "📁 Modelli salvati in: $PYTHON_ML_DIR/models/"
+    echo ""
+    echo "🔄 PROSSIMI PASSI:"
+    echo "   1. Restart ML backend: sudo systemctl restart ids-ml-backend"
+    echo "   2. Verifica caricamento: sudo journalctl -u ids-ml-backend -f"
+    echo "   3. Test API: curl http://localhost:8000/health"
+    echo ""
+else
+    echo ""
+    echo "======================================================================="
+    echo "❌ ERRORE DURANTE IL TRAINING"
+    echo "======================================================================="
+    echo ""
+    echo "Controlla i log sopra per dettagli sull'errore."
+    exit 1
+fi

deployment/update_from_git.sh

@@ -158,6 +158,20 @@ if [ -f "./deployment/setup_rsyslog.sh" ]; then
     fi
 fi
 
+# Verifica e installa servizio list-fetcher se mancante
+echo -e "\n${BLUE}📋 Verifica servizio list-fetcher...${NC}"
+if ! systemctl list-unit-files | grep -q "ids-list-fetcher"; then
+    echo -e "${YELLOW}   Servizio ids-list-fetcher non installato, installazione...${NC}"
+    if [ -f "./deployment/install_list_fetcher.sh" ]; then
+        chmod +x ./deployment/install_list_fetcher.sh
+        ./deployment/install_list_fetcher.sh
+    else
+        echo -e "${RED}   ❌ Script install_list_fetcher.sh non trovato${NC}"
+    fi
+else
+    echo -e "${GREEN}   ✅ Servizio ids-list-fetcher già installato${NC}"
+fi
+
 # Restart servizi
 echo -e "\n${BLUE}🔄 Restart servizi...${NC}"
 if [ -f "./deployment/restart_all.sh" ]; then