apunkt/blackwall
1
0
Fork 0
mirror of https://github.com/xzcrpw/blackwall.git synced 2026-04-24 11:56:21 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: use behavioral engine's suspicion scale in DPI handler

Browse source 
The DPI event handler in process_events was adding 15.0 to
suspicion_score and capping at 100.0, but the behavioral engine
operates on a 0.0-1.0 scale (SUSPICION_INCREMENT = 0.15,
SUSPICION_MAX = 1.0). A single DPI detection would push the
score so high that trusted promotion (requires < 0.1) became
effectively unreachable.

// ticktockbent
This commit is contained in:
TickTockBent 2026-04-05 14:47:49 -04:00
parent e9ad617716
commit 8e34e10727
3 changed files with 11 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

4
blackwall/src/behavior/mod.rs
View file

@ -9,4 +9,6 @@ mod profile;
mod transitions; mod transitions;
pub use profile::{BehaviorPhase, BehaviorProfile}; pub use profile::{BehaviorPhase, BehaviorProfile};
pub use transitions::{TransitionVerdict, evaluate_transitions}; pub use transitions::{
SUSPICION_INCREMENT, SUSPICION_MAX, TransitionVerdict, evaluate_transitions,
};

4
blackwall/src/behavior/transitions.rs
View file

@ -33,9 +33,9 @@ const TRUSTED_AGE_SECS: u64 = 300;
/// Minimum packets for Trusted promotion. /// Minimum packets for Trusted promotion.
const TRUSTED_PACKET_THRESHOLD: u64 = 100; const TRUSTED_PACKET_THRESHOLD: u64 = 100;
/// Suspicion score increase per escalation event. /// Suspicion score increase per escalation event.
const SUSPICION_INCREMENT: f32 = 0.15; pub const SUSPICION_INCREMENT: f32 = 0.15;
/// Maximum suspicion score. /// Maximum suspicion score.
const SUSPICION_MAX: f32 = 1.0; pub const SUSPICION_MAX: f32 = 1.0;
/// Suspicion decay per evaluation when no escalation. /// Suspicion decay per evaluation when no escalation.
const SUSPICION_DECAY: f32 = 0.02; const SUSPICION_DECAY: f32 = 0.02;

8
blackwall/src/main.rs
View file

@ -30,7 +30,10 @@ use std::sync::Arc;
use ai::batch::EventBatcher; use ai::batch::EventBatcher;
use ai::classifier::{ThreatClassifier, ThreatVerdict}; use ai::classifier::{ThreatClassifier, ThreatVerdict};
use ai::client::OllamaClient; use ai::client::OllamaClient;
use behavior::{BehaviorPhase, BehaviorProfile, TransitionVerdict, evaluate_transitions}; use behavior::{
BehaviorPhase, BehaviorProfile, SUSPICION_INCREMENT, SUSPICION_MAX, TransitionVerdict,
evaluate_transitions,
};
use feeds::FeedSource; use feeds::FeedSource;
use ja4::assembler::Ja4Assembler; use ja4::assembler::Ja4Assembler;
use ja4::db::Ja4Database; use ja4::db::Ja4Database;
@ -551,7 +554,8 @@ async fn process_events(
let profile = profiles let profile = profiles
.entry(dpi_event.src_ip) .entry(dpi_event.src_ip)
.or_insert_with(BehaviorProfile::new); .or_insert_with(BehaviorProfile::new);
profile.suspicion_score = (profile.suspicion_score + 15.0).min(100.0); profile.suspicion_score =
(profile.suspicion_score + SUSPICION_INCREMENT).min(SUSPICION_MAX);
} else { } else {
tracing::trace!( tracing::trace!(
%src_addr, %src_addr,