diff --git a/blackwall/src/behavior/mod.rs b/blackwall/src/behavior/mod.rs
index 8ffbe9f..0a6d902 100644
--- a/blackwall/src/behavior/mod.rs
+++ b/blackwall/src/behavior/mod.rs
@@ -9,4 +9,6 @@ mod profile;
 mod transitions;
 pub use profile::{BehaviorPhase, BehaviorProfile};
-pub use transitions::{TransitionVerdict, evaluate_transitions};
+pub use transitions::{
+    SUSPICION_INCREMENT, SUSPICION_MAX, TransitionVerdict, evaluate_transitions,
+};
diff --git a/blackwall/src/behavior/transitions.rs b/blackwall/src/behavior/transitions.rs
index 26e2de2..5e0ea91 100644
--- a/blackwall/src/behavior/transitions.rs
+++ b/blackwall/src/behavior/transitions.rs
@@ -33,9 +33,9 @@ const TRUSTED_AGE_SECS: u64 = 300;
 /// Minimum packets for Trusted promotion.
 const TRUSTED_PACKET_THRESHOLD: u64 = 100;
 /// Suspicion score increase per escalation event.
-const SUSPICION_INCREMENT: f32 = 0.15;
+pub const SUSPICION_INCREMENT: f32 = 0.15;
 /// Maximum suspicion score.
-const SUSPICION_MAX: f32 = 1.0;
+pub const SUSPICION_MAX: f32 = 1.0;
 /// Suspicion decay per evaluation when no escalation.
 const SUSPICION_DECAY: f32 = 0.02;
diff --git a/blackwall/src/main.rs b/blackwall/src/main.rs
index 4ac7676..1087fc0 100644
--- a/blackwall/src/main.rs
+++ b/blackwall/src/main.rs
@@ -30,7 +30,10 @@ use std::sync::Arc;
 use ai::batch::EventBatcher;
 use ai::classifier::{ThreatClassifier, ThreatVerdict};
 use ai::client::OllamaClient;
-use behavior::{BehaviorPhase, BehaviorProfile, TransitionVerdict, evaluate_transitions};
+use behavior::{
+    BehaviorPhase, BehaviorProfile, SUSPICION_INCREMENT, SUSPICION_MAX, TransitionVerdict,
+    evaluate_transitions,
+};
 use feeds::FeedSource;
 use ja4::assembler::Ja4Assembler;
 use ja4::db::Ja4Database;
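Review bot: Making `SUSPICION_INCREMENT` and `SUSPICION_MAX` public in the transitions.rs hunk (and re-exporting them in the mod.rs hunk) moves the increment-and-clamp rule out of the module that owns it, and the main.rs hunk later in this commit then re-implements that rule inline. `SUSPICION_DECAY` stays private, so the score's dynamics are now split across two files with different visibility. A `pub fn escalate(&mut self)` on `BehaviorProfile`, whose body is the single line `self.suspicion_score = (self.suspicion_score + SUSPICION_INCREMENT).min(SUSPICION_MAX);`, would keep all three constants private and reduce the main.rs call site to `profile.escalate();`. If the constants do stay public, their doc comments should state the scale callers must respect, e.g. `/// Maximum suspicion score; the score is a fraction in [0.0, SUSPICION_MAX], not a percentage.`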
@@ -551,7 +554,8 @@ async fn process_events(
             let profile = profiles
                 .entry(dpi_event.src_ip)
                 .or_insert_with(BehaviorProfile::new);
-            profile.suspicion_score = (profile.suspicion_score + 15.0).min(100.0);
+            profile.suspicion_score =
+                (profile.suspicion_score + SUSPICION_INCREMENT).min(SUSPICION_MAX);
         } else {
             tracing::trace!(
                 %src_addr,
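Review bot: The removed line used a 0–100 scale (`+ 15.0`, `.min(100.0)`) while the new one uses the 0–1 scale of `SUSPICION_MAX`, so any other code that compares `suspicion_score` against the old scale (thresholds, log output, dashboards) would now be silently wrong; `process_events` starts well before this hunk, so the rest of the function and every reader of the score should be checked, not only this line. This branch also bumps the score directly rather than through `evaluate_transitions`, so the private `SUSPICION_DECAY` presumably never applies on this path — confirm that is intended and, if so, say so in a comment such as `// Direct escalation: decay is applied only by evaluate_transitions.` Separately, the context lines create a profile on demand for every `dpi_event.src_ip`, which is attacker-controlled and spoofable, so the map has no visible bound; that is outside this change but worth a cap or eviction policy.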