fix: use behavioral engine's suspicion scale in DPI handler

The DPI event handler in process_events was adding 15.0 to suspicion_score and capping at 100.0, but the behavioral engine operates on a 0.0-1.0 scale (SUSPICION_INCREMENT = 0.15, SUSPICION_MAX = 1.0). A single DPI detection would push the score so high that trusted promotion (requires < 0.1) became effectively unreachable. // ticktockbent
2026-04-24 11:56:21 +02:00 · 2026-04-05 14:47:49 -04:00 · 2026-04-05 14:47:49 -04:00 · 8e34e10727
commit 8e34e10727
parent e9ad617716
3 changed files with 11 additions and 5 deletions
--- a/blackwall/src/behavior/mod.rs
+++ b/blackwall/src/behavior/mod.rs
@ -9,4 +9,6 @@ mod profile;
 mod transitions;

 pub use profile::{BehaviorPhase, BehaviorProfile};
-pub use transitions::{TransitionVerdict, evaluate_transitions};
+pub use transitions::{
+    SUSPICION_INCREMENT, SUSPICION_MAX, TransitionVerdict, evaluate_transitions,
+};
--- a/blackwall/src/behavior/transitions.rs
+++ b/blackwall/src/behavior/transitions.rs
@ -33,9 +33,9 @@ const TRUSTED_AGE_SECS: u64 = 300;
 /// Minimum packets for Trusted promotion.
 const TRUSTED_PACKET_THRESHOLD: u64 = 100;
 /// Suspicion score increase per escalation event.
-const SUSPICION_INCREMENT: f32 = 0.15;
+pub const SUSPICION_INCREMENT: f32 = 0.15;
 /// Maximum suspicion score.
-const SUSPICION_MAX: f32 = 1.0;
+pub const SUSPICION_MAX: f32 = 1.0;
 /// Suspicion decay per evaluation when no escalation.
 const SUSPICION_DECAY: f32 = 0.02;

--- a/blackwall/src/main.rs
+++ b/blackwall/src/main.rs
@ -30,7 +30,10 @@ use std::sync::Arc;
 use ai::batch::EventBatcher;
 use ai::classifier::{ThreatClassifier, ThreatVerdict};
 use ai::client::OllamaClient;
-use behavior::{BehaviorPhase, BehaviorProfile, TransitionVerdict, evaluate_transitions};
+use behavior::{
+    BehaviorPhase, BehaviorProfile, SUSPICION_INCREMENT, SUSPICION_MAX, TransitionVerdict,
+    evaluate_transitions,
+};
 use feeds::FeedSource;
 use ja4::assembler::Ja4Assembler;
 use ja4::db::Ja4Database;
@ -551,7 +554,8 @@ async fn process_events(
                let profile = profiles
                    .entry(dpi_event.src_ip)
                    .or_insert_with(BehaviorProfile::new);
-                profile.suspicion_score = (profile.suspicion_score + 15.0).min(100.0);
+                profile.suspicion_score =
+                    (profile.suspicion_score + SUSPICION_INCREMENT).min(SUSPICION_MAX);
            } else {
                tracing::trace!(
                    %src_addr,