In [23]:
import requests
import pandas as pd
from datetime import datetime, timedelta

LOKI_URL = "http://localhost:3100/loki/api/v1/query_range"

# Dictionnaire des signatures d'attaques (Patterns de d√©tection)
THREAT_SIGNATURES = {
    "SQL Injection": '{container="web_server"} | json | request_uri =~ ".*(%27|OR|1%3D1|--).*"',
    "Path Traversal": '{container="web_server"} | json | request_uri =~ ".*etc/passwd.*"',
    "Nmap Scan": '{container="web_server"} | json | http_user_agent =~ ".*Nmap.*"',
    "SSH Brute Force": '{container="victim_server"} |= "Failed password"'
}

def hunt_threats():
    end_time = datetime.now()
    start_time = end_time - timedelta(minutes=10)
    
    print(f"--- üïµÔ∏è‚Äç‚ôÇÔ∏è SESSION DE THREAT HUNTING ({end_time.strftime('%H:%M')}) ---")
    
    for attack_type, query in THREAT_SIGNATURES.items():
        params = {
            'query': query,
            'start': int(start_time.timestamp() * 1e9),
            'limit': 500
        }
        
        try:
            r = requests.get(LOKI_URL, params=params)
            results = r.json()['data']['result']
            count = sum(len(res['values']) for res in results)
            
            status = "üî¥ D√âTECT√â" if count > 0 else "üü¢ RAS"
            print(f"[{status}] {attack_type.ljust(20)} : {count} occurrences")
            
            # Si on d√©tecte une SQLi, on affiche les IPs attaquantes
            if count > 0 and "SQL" in attack_type:
                for res in results:
                    ip = res['stream'].get('remote_addr', 'Inconnue')
                    print(f"   ‚Ü≥ IP Source suspecte : {ip}")
                    
        except Exception as e:
            print(f"‚ùå Erreur sur {attack_type}: {e}")

hunt_threats()

--- üïµÔ∏è‚Äç‚ôÇÔ∏è SESSION DE THREAT HUNTING (01:16) ---
[üî¥ D√âTECT√â] SQL Injection        : 30 occurrences
   ‚Ü≥ IP Source suspecte : 172.28.0.4
   ‚Ü≥ IP Source suspecte : 172.28.0.4
   ‚Ü≥ IP Source suspecte : 172.28.0.4
[üî¥ D√âTECT√â] Path Traversal       : 30 occurrences
[üî¥ D√âTECT√â] Nmap Scan            : 3 occurrences
[üî¥ D√âTECT√â] SSH Brute Force      : 36 occurrences
