62c3a2b238
Modify syslog_parser.py to load environment variables from .env file and force IPv4 connection to the database. Update replit.md to reflect recent fixes and workflow changes. Increment version in version.json. Replit-Commit-Author: Agent Replit-Commit-Session-Id: 7a657272-55ba-4a79-9a2e-f1ed9bc7a528 Replit-Commit-Checkpoint-Type: full_checkpoint Replit-Commit-Event-Id: 727221f9-ad54-4498-b2e4-e87a951b4308 Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/449cf7c4-c97a-45ae-8234-e5c5b8d6a84f/7a657272-55ba-4a79-9a2e-f1ed9bc7a528/c9ITWqD
5.5 KiB
5.5 KiB
IDS - Intrusion Detection System
Sistema di rilevamento intrusioni per router MikroTik basato su Machine Learning.
Progetto
Tipo: Full-stack Web Application + Python ML Backend
Stack: React + FastAPI + PostgreSQL + MikroTik API REST
Architettura
Frontend (React)
- Dashboard monitoring real-time
- Visualizzazione detections e router
- Gestione whitelist
- ShadCN UI components
- TanStack Query per data fetching
Backend Python (FastAPI)
- ML Analyzer: Isolation Forest con 25 feature mirate
- MikroTik Manager: Comunicazione API REST parallela con 10+ router
- Detection Engine: Scoring 0-100 con 5 livelli di rischio
- Endpoints: /train, /detect, /block-ip, /unblock-ip, /stats
Backend Node.js (Express)
- API REST per frontend
- Gestione database PostgreSQL
- Routes: routers, detections, logs, whitelist, training-history
Database (PostgreSQL)
routers: Configurazione router MikroTiknetwork_logs: Log syslog da routerdetections: Anomalie rilevate dal MLwhitelist: IP fidatitraining_history: Storia training modelli
Workflow
- Log Collection: Router → Syslog (UDP:514) → RSyslog → syslog_parser.py → PostgreSQL
network_logs - Training: Python ML estrae 25 feature → Isolation Forest
- Detection: Analisi real-time → Scoring 0-100 → Classificazione
- Auto-Block: IP critico (>=80) → API REST → Tutti i router (parallelo)
Fix Recenti (Novembre 2025)
PostgreSQL Authentication Fix
- Problema: Password authentication failed (SCRAM-SHA-256 vs MD5)
- Soluzione:
deployment/fix_postgresql_auth.shconfigura SCRAM-SHA-256 in pg_hba.conf - Password encryption: ALTER SYSTEM SET password_encryption = 'scram-sha-256'
- Utente ricreato: DROP + CREATE con formato SCRAM corretto
IPv4 Force Fix
- Problema: syslog_parser si connetteva a ::1 (IPv6) invece di 127.0.0.1 (IPv4)
- Soluzione: PGHOST=127.0.0.1 in .env (NON usare localhost)
- Parser: load_dotenv() carica .env automaticamente
Git Ownership Fix
- Problema: dubious ownership error in /opt/ids
- Soluzione:
deployment/fix_git_ownership.shaggiunge safe.directory - Update script:
deployment/update_from_git.shora esegue git come utente ids
File Importanti
Python ML Backend
python_ml/ml_analyzer.py: Core ML (25 feature, Isolation Forest)python_ml/mikrotik_manager.py: Gestione router API RESTpython_ml/main.py: FastAPI serverpython_ml/requirements.txt: Dipendenze Python
Frontend
client/src/pages/Dashboard.tsx: Dashboard principaleclient/src/pages/Detections.tsx: Lista rilevamenticlient/src/pages/Routers.tsx: Gestione routerclient/src/App.tsx: App root con sidebar
Backend Node
server/routes.ts: API endpointsserver/storage.ts: Database operationsserver/db.ts: PostgreSQL connectionshared/schema.ts: Drizzle ORM schema
Comandi Utili
Start Python Backend
cd python_ml
pip install -r requirements.txt
python main.py
API Calls
# Training
curl -X POST http://localhost:8000/train \
-H "Content-Type: application/json" \
-d '{"max_records": 10000, "hours_back": 24}'
# Detection
curl -X POST http://localhost:8000/detect \
-H "Content-Type: application/json" \
-d '{"max_records": 5000, "auto_block": true, "risk_threshold": 75}'
# Stats
curl http://localhost:8000/stats
Database
npm run db:push # Sync schema to PostgreSQL
Configurazione Router MikroTik
Abilita API REST
/ip service
set api-ssl disabled=no
set www-ssl disabled=no
Aggiungi Router
Via dashboard web o SQL:
INSERT INTO routers (name, ip_address, username, password, api_port, enabled)
VALUES ('Router 1', '192.168.1.1', 'admin', 'password', 443, true);
Feature ML (25 totali)
Volume (5)
- total_packets, total_bytes, conn_count
- avg_packet_size, bytes_per_second
Temporali (8)
- time_span_seconds, conn_per_second
- hour_of_day, day_of_week
- max_burst, avg_burst, burst_variance, avg_interval
Protocol Diversity (6)
- unique_protocols, unique_dest_ports, unique_dest_ips
- protocol_entropy, tcp_ratio, udp_ratio
Port Scanning (3)
- unique_ports_contacted, port_scan_score, sequential_ports
Behavioral (3)
- packets_per_conn, packet_size_variance, blocked_ratio
Livelli di Rischio
- 🔴 CRITICO (85-100): Blocco immediato
- 🟠 ALTO (70-84): Blocco + monitoring
- 🟡 MEDIO (60-69): Monitoring
- 🔵 BASSO (40-59): Logging
- 🟢 NORMALE (0-39): Nessuna azione
Vantaggi vs Sistema Precedente
- Feature: 150+ → 25 (mirate)
- Training: ~5 min → ~10 sec
- Detection: Lento → <2 sec
- Router Comm: SSH → API REST
- Multi-Router: Sequenziale → Parallelo
- Database: MySQL → PostgreSQL
- Falsi Negativi: Alti → Bassi
Note
- Whitelist: IP protetti da blocco automatico
- Timeout: Blocchi scadono dopo 1h (configurabile)
- Parallel Blocking: Tutti i router aggiornati simultaneamente
- Auto-Training: Configurabile via cron (consigliato ogni 12h)
- Auto-Detection: Configurabile via cron (consigliato ogni 5 min)
Sicurezza
- Password router gestite da database (non in codice)
- API REST più sicura di SSH
- Timeout automatico blocchi
- Logging completo operazioni
- PostgreSQL con connessione sicura
Development
- Frontend: Workflow "Start application" (auto-reload)
- Python Backend:
python python_ml/main.py - API Docs: http://localhost:8000/docs
- Database: PostgreSQL via Neon (environment variables auto-configurate)