@panguard-ai/panguard-guard 0.1.0

package/dist/rules/builtin-rules.js

@@ -0,0 +1,471 @@
+/**
+ * Built-in Sigma detection rules shipped with Guard
+ * 內建 Sigma 偵測規則
+ *
+ * These rules provide baseline detection capability out of the box.
+ * Additional rules can be loaded from disk or fetched from Threat Cloud.
+ *
+ * @module @panguard-ai/panguard-guard/rules/builtin-rules
+ */
+export const BUILTIN_RULES = [
+    // -------------------------------------------------------------------------
+    // Credential Access / 憑證存取
+    // -------------------------------------------------------------------------
+    {
+        id: 'panguard-builtin-001',
+        title: 'Brute Force Login Attempt',
+        status: 'stable',
+        description: 'Detects failed login attempts indicating brute force attack',
+        author: 'Panguard AI',
+        logsource: { category: 'authentication', product: 'any' },
+        detection: {
+            selection: {
+                category: 'authentication',
+                'description|contains': [
+                    'failed login',
+                    'authentication failure',
+                    'login failed',
+                    'invalid password',
+                    'Failed password',
+                ],
+            },
+            condition: 'selection',
+        },
+        level: 'high',
+        tags: ['attack.credential_access', 'attack.t1110'],
+    },
+    {
+        id: 'panguard-builtin-002',
+        title: 'SSH Brute Force',
+        status: 'stable',
+        description: 'Detects SSH authentication failures from sshd logs',
+        author: 'Panguard AI',
+        logsource: { category: 'authentication', service: 'sshd' },
+        detection: {
+            selection: {
+                category: 'authentication',
+                'description|contains': [
+                    'Failed password for',
+                    'Invalid user',
+                    'Connection closed by authenticating user',
+                ],
+            },
+            condition: 'selection',
+        },
+        level: 'high',
+        tags: ['attack.credential_access', 'attack.t1110.001'],
+    },
+    {
+        id: 'panguard-builtin-003',
+        title: 'Credential Dumping Tool',
+        status: 'stable',
+        description: 'Detects credential dumping tools like mimikatz',
+        author: 'Panguard AI',
+        logsource: { category: 'process_creation' },
+        detection: {
+            selection: {
+                'description|contains': ['mimikatz', 'sekurlsa', 'lsadump', 'hashdump', 'credential dump'],
+            },
+            condition: 'selection',
+        },
+        level: 'critical',
+        tags: ['attack.credential_access', 'attack.t1003'],
+    },
+    // -------------------------------------------------------------------------
+    // Execution / 執行
+    // -------------------------------------------------------------------------
+    {
+        id: 'panguard-builtin-004',
+        title: 'Suspicious Reverse Shell',
+        status: 'stable',
+        description: 'Detects reverse shell commands in process or log events',
+        author: 'Panguard AI',
+        logsource: { category: 'process_creation' },
+        detection: {
+            selection_bash: {
+                'description|contains': ['bash -i >& /dev/tcp/', '/bin/bash -c "bash -i'],
+            },
+            selection_nc: {
+                'description|contains': ['nc -e /bin/', 'ncat -e /bin/', 'netcat -e'],
+            },
+            selection_python: {
+                'description|contains': ["python -c 'import socket", 'python3 -c "import socket'],
+            },
+            selection_perl: {
+                'description|contains': ["perl -e 'use Socket"],
+            },
+            condition: 'selection_bash OR selection_nc OR selection_python OR selection_perl',
+        },
+        level: 'critical',
+        tags: ['attack.execution', 'attack.t1059'],
+    },
+    {
+        id: 'panguard-builtin-005',
+        title: 'Command and Scripting Interpreter',
+        status: 'stable',
+        description: 'Detects suspicious use of scripting interpreters',
+        author: 'Panguard AI',
+        logsource: { category: 'process_creation' },
+        detection: {
+            selection: {
+                category: 'process',
+                'description|contains': [
+                    'powershell -enc',
+                    'powershell -e ',
+                    'cmd /c whoami',
+                    'bash -c "curl',
+                    'wget -O- |',
+                    'curl | bash',
+                    'python -c "import os',
+                ],
+            },
+            condition: 'selection',
+        },
+        level: 'high',
+        tags: ['attack.execution', 'attack.t1059'],
+    },
+    // -------------------------------------------------------------------------
+    // Persistence / 持久化
+    // -------------------------------------------------------------------------
+    {
+        id: 'panguard-builtin-006',
+        title: 'Cron Job Persistence',
+        status: 'stable',
+        description: 'Detects new cron job creation for persistence',
+        author: 'Panguard AI',
+        logsource: { category: 'process_creation' },
+        detection: {
+            selection: {
+                'description|contains': ['crontab -', '/etc/cron', '/var/spool/cron', 'CRON['],
+            },
+            condition: 'selection',
+        },
+        level: 'medium',
+        tags: ['attack.persistence', 'attack.t1053.003'],
+    },
+    {
+        id: 'panguard-builtin-007',
+        title: 'Systemd Service Creation',
+        status: 'stable',
+        description: 'Detects new systemd service installation for persistence',
+        author: 'Panguard AI',
+        logsource: { category: 'file_change' },
+        detection: {
+            selection: {
+                'description|contains': [
+                    '/etc/systemd/system/',
+                    '/usr/lib/systemd/system/',
+                    'systemctl enable',
+                    'systemctl daemon-reload',
+                ],
+            },
+            condition: 'selection',
+        },
+        level: 'medium',
+        tags: ['attack.persistence', 'attack.t1543.002'],
+    },
+    {
+        id: 'panguard-builtin-008',
+        title: 'SSH Authorized Keys Modification',
+        status: 'stable',
+        description: 'Detects changes to SSH authorized_keys for backdoor access',
+        author: 'Panguard AI',
+        logsource: { category: 'file_change' },
+        detection: {
+            selection: {
+                'description|contains': ['authorized_keys', '.ssh/authorized'],
+            },
+            condition: 'selection',
+        },
+        level: 'high',
+        tags: ['attack.persistence', 'attack.t1098.004'],
+    },
+    // -------------------------------------------------------------------------
+    // Discovery & Reconnaissance / 偵察
+    // -------------------------------------------------------------------------
+    {
+        id: 'panguard-builtin-009',
+        title: 'Port Scan Detection',
+        status: 'stable',
+        description: 'Detects port scanning activity from network events',
+        author: 'Panguard AI',
+        logsource: { category: 'network_connection' },
+        detection: {
+            selection: {
+                category: 'network',
+                'description|contains': ['port scan', 'SYN scan', 'connection refused', 'nmap'],
+            },
+            condition: 'selection',
+        },
+        level: 'medium',
+        tags: ['attack.discovery', 'attack.t1046'],
+    },
+    {
+        id: 'panguard-builtin-010',
+        title: 'Network Enumeration Commands',
+        status: 'stable',
+        description: 'Detects system/network enumeration commands',
+        author: 'Panguard AI',
+        logsource: { category: 'process_creation' },
+        detection: {
+            selection: {
+                'description|contains': [
+                    'ifconfig -a',
+                    'ip addr show',
+                    'netstat -',
+                    'ss -tulnp',
+                    'arp -a',
+                    'route -n',
+                    'cat /etc/passwd',
+                    'cat /etc/shadow',
+                ],
+            },
+            condition: 'selection',
+        },
+        level: 'medium',
+        tags: ['attack.discovery', 'attack.t1016'],
+    },
+    // -------------------------------------------------------------------------
+    // Lateral Movement / 橫向移動
+    // -------------------------------------------------------------------------
+    {
+        id: 'panguard-builtin-011',
+        title: 'Lateral Movement via SSH',
+        status: 'stable',
+        description: 'Detects outbound SSH connections that may indicate lateral movement',
+        author: 'Panguard AI',
+        logsource: { category: 'network_connection' },
+        detection: {
+            selection: {
+                category: 'network',
+                'description|contains': ['ssh connection to', 'Accepted publickey', 'sshpass'],
+            },
+            condition: 'selection',
+        },
+        level: 'medium',
+        tags: ['attack.lateral_movement', 'attack.t1021.004'],
+    },
+    // -------------------------------------------------------------------------
+    // Defense Evasion / 防禦規避
+    // -------------------------------------------------------------------------
+    {
+        id: 'panguard-builtin-012',
+        title: 'Log Tampering',
+        status: 'stable',
+        description: 'Detects attempts to clear or tamper with system logs',
+        author: 'Panguard AI',
+        logsource: { category: 'process_creation' },
+        detection: {
+            selection: {
+                'description|contains': [
+                    'truncate -s 0 /var/log',
+                    '> /var/log/',
+                    'rm -f /var/log/',
+                    'shred /var/log/',
+                    'history -c',
+                    'unset HISTFILE',
+                ],
+            },
+            condition: 'selection',
+        },
+        level: 'critical',
+        tags: ['attack.defense_evasion', 'attack.t1070.002'],
+    },
+    {
+        id: 'panguard-builtin-013',
+        title: 'Firewall Rule Modification',
+        status: 'stable',
+        description: 'Detects firewall rule changes that may disable security',
+        author: 'Panguard AI',
+        logsource: { category: 'process_creation' },
+        detection: {
+            selection: {
+                'description|contains': [
+                    'iptables -F',
+                    'iptables -X',
+                    'ufw disable',
+                    'firewall-cmd --remove',
+                    'pfctl -d',
+                    'netsh advfirewall set',
+                ],
+            },
+            condition: 'selection',
+        },
+        level: 'critical',
+        tags: ['attack.defense_evasion', 'attack.t1562.004'],
+    },
+    // -------------------------------------------------------------------------
+    // Impact / 衝擊
+    // -------------------------------------------------------------------------
+    {
+        id: 'panguard-builtin-014',
+        title: 'Crypto Mining Activity',
+        status: 'stable',
+        description: 'Detects cryptocurrency mining indicators',
+        author: 'Panguard AI',
+        logsource: { category: 'process_creation' },
+        detection: {
+            selection: {
+                'description|contains': [
+                    'xmrig',
+                    'minerd',
+                    'stratum+tcp',
+                    'cryptonight',
+                    'coin-hive',
+                    'coinhive',
+                    'minergate',
+                ],
+            },
+            condition: 'selection',
+        },
+        level: 'high',
+        tags: ['attack.impact', 'attack.t1496'],
+    },
+    {
+        id: 'panguard-builtin-015',
+        title: 'Data Exfiltration Indicators',
+        status: 'stable',
+        description: 'Detects data exfiltration via common tools',
+        author: 'Panguard AI',
+        logsource: { category: 'process_creation' },
+        detection: {
+            selection: {
+                'description|contains': [
+                    'curl -X POST.*--data',
+                    'wget --post-file',
+                    'scp.*@.*:',
+                    'rsync.*@.*:',
+                    'tar.*|.*nc ',
+                    'base64.*|.*curl',
+                ],
+            },
+            condition: 'selection',
+        },
+        level: 'high',
+        tags: ['attack.exfiltration', 'attack.t1048'],
+    },
+    // -------------------------------------------------------------------------
+    // File Integrity / 檔案完整性
+    // -------------------------------------------------------------------------
+    {
+        id: 'panguard-builtin-016',
+        title: 'Critical System File Modification',
+        status: 'stable',
+        description: 'Detects changes to critical system configuration files',
+        author: 'Panguard AI',
+        logsource: { category: 'file_change' },
+        detection: {
+            selection: {
+                category: 'file',
+                'description|contains': [
+                    '/etc/passwd',
+                    '/etc/shadow',
+                    '/etc/sudoers',
+                    '/etc/hosts',
+                    '/etc/resolv.conf',
+                ],
+            },
+            condition: 'selection',
+        },
+        level: 'critical',
+        tags: ['attack.persistence', 'attack.t1222'],
+    },
+    {
+        id: 'panguard-builtin-017',
+        title: 'Web Shell Detection',
+        status: 'stable',
+        description: 'Detects potential web shell uploads or access',
+        author: 'Panguard AI',
+        logsource: { category: 'file_change' },
+        detection: {
+            selection: {
+                'description|contains': [
+                    'webshell',
+                    'c99shell',
+                    'r57shell',
+                    'WSO shell',
+                    'eval(base64_decode',
+                    'system($_GET',
+                    'passthru(',
+                ],
+            },
+            condition: 'selection',
+        },
+        level: 'critical',
+        tags: ['attack.persistence', 'attack.t1505.003'],
+    },
+    // -------------------------------------------------------------------------
+    // Privilege Escalation / 權限提升
+    // -------------------------------------------------------------------------
+    {
+        id: 'panguard-builtin-018',
+        title: 'Sudo Privilege Escalation',
+        status: 'stable',
+        description: 'Detects suspicious sudo usage for privilege escalation',
+        author: 'Panguard AI',
+        logsource: { category: 'authentication' },
+        detection: {
+            selection: {
+                'description|contains': [
+                    'sudo:.*COMMAND=',
+                    'user NOT in sudoers',
+                    'sudo su -',
+                    'sudo bash',
+                    'sudo -i',
+                ],
+            },
+            condition: 'selection',
+        },
+        level: 'medium',
+        tags: ['attack.privilege_escalation', 'attack.t1548.003'],
+    },
+    {
+        id: 'panguard-builtin-019',
+        title: 'SUID/SGID Binary Exploitation',
+        status: 'stable',
+        description: 'Detects SUID/SGID file permission changes',
+        author: 'Panguard AI',
+        logsource: { category: 'process_creation' },
+        detection: {
+            selection: {
+                'description|contains': [
+                    'chmod +s ',
+                    'chmod u+s',
+                    'chmod 4755',
+                    'chmod 6755',
+                    'find / -perm -4000',
+                ],
+            },
+            condition: 'selection',
+        },
+        level: 'high',
+        tags: ['attack.privilege_escalation', 'attack.t1548.001'],
+    },
+    // -------------------------------------------------------------------------
+    // Malware / 惡意軟體
+    // -------------------------------------------------------------------------
+    {
+        id: 'panguard-builtin-020',
+        title: 'Ransomware Indicators',
+        status: 'stable',
+        description: 'Detects ransomware behavior patterns',
+        author: 'Panguard AI',
+        logsource: { category: 'process_creation' },
+        detection: {
+            selection: {
+                'description|contains': [
+                    'vssadmin delete shadows',
+                    'wmic shadowcopy delete',
+                    'bcdedit /set.*recoveryenabled.*no',
+                    '.encrypted',
+                    'DECRYPT_INSTRUCTIONS',
+                    'YOUR_FILES_ARE_ENCRYPTED',
+                ],
+            },
+            condition: 'selection',
+        },
+        level: 'critical',
+        tags: ['attack.impact', 'attack.t1486'],
+    },
+];
+//# sourceMappingURL=builtin-rules.js.map

package/dist/rules/builtin-rules.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"builtin-rules.js","sourceRoot":"","sources":["../../src/rules/builtin-rules.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,MAAM,CAAC,MAAM,aAAa,GAAgB;IACxC,4EAA4E;IAC5E,2BAA2B;IAC3B,4EAA4E;IAC5E;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,2BAA2B;QAClC,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,6DAA6D;QAC1E,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE;QACzD,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,QAAQ,EAAE,gBAAgB;gBAC1B,sBAAsB,EAAE;oBACtB,cAAc;oBACd,wBAAwB;oBACxB,cAAc;oBACd,kBAAkB;oBAClB,iBAAiB;iBAClB;aACF;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,CAAC,0BAA0B,EAAE,cAAc,CAAC;KACnD;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,iBAAiB;QACxB,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,oDAAoD;QACjE,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,EAAE;QAC1D,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,QAAQ,EAAE,gBAAgB;gBAC1B,sBAAsB,EAAE;oBACtB,qBAAqB;oBACrB,cAAc;oBACd,0CAA0C;iBAC3C;aACF;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,CAAC,0BAA0B,EAAE,kBAAkB,CAAC;KACvD;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,yBAAyB;QAChC,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,gDAAgD;QAC7D,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE;QAC3C,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,sBAAsB,EAAE,CAAC,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,iBAAiB,CAAC;aAC3F;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,UAAU;QACjB,IAAI,EAAE,CAAC,0BAA0B,EAAE,cAAc,CAAC;KACnD;IAED,4EAA4E;IAC5E,iBAAiB;IACjB,4EAA4E;IAC5E;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,0BAA0B;QACjC,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,yDAAyD;QACtE,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE;QAC3C,SAAS,EAAE;YACT,cAAc,EAAE;gBACd,sBAAsB,EAAE,CAAC,sBAAsB,EAAE,uBAAuB,CAAC;aAC1E;YACD,YAAY,EAAE;gBACZ,sBAAsB,EAAE,CAAC,aAAa,EAAE,eAAe,EAAE,WAAW,CAAC;aACtE;YACD,gBAAgB,EAAE;gBAChB,sBAAsB,EAAE,CAAC,0BAA0B,EAAE,2BAA2B,CAAC;aAClF;YACD,cAAc,EAAE;gBACd,sBAAsB,EAAE,CAAC,qBAAqB,CAAC;aAChD;YACD,SAAS,EAAE,sEAAsE;SAClF;QACD,KAAK,EAAE,UAAU;QACjB,IAAI,EAAE,CAAC,kBAAkB,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,mCAAmC;QAC1C,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,kDAAkD;QAC/D,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE;QAC3C,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,QAAQ,EAAE,SAAS;gBACnB,sBAAsB,EAAE;oBACtB,iBAAiB;oBACjB,gBAAgB;oBAChB,eAAe;oBACf,eAAe;oBACf,YAAY;oBACZ,aAAa;oBACb,sBAAsB;iBACvB;aACF;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,CAAC,kBAAkB,EAAE,cAAc,CAAC;KAC3C;IAED,4EAA4E;IAC5E,oBAAoB;IACpB,4EAA4E;IAC5E;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,sBAAsB;QAC7B,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,+CAA+C;QAC5D,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE;QAC3C,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,sBAAsB,EAAE,CAAC,WAAW,EAAE,WAAW,EAAE,iBAAiB,EAAE,OAAO,CAAC;aAC/E;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,QAAQ;QACf,IAAI,EAAE,CAAC,oBAAoB,EAAE,kBAAkB,CAAC;KACjD;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,0BAA0B;QACjC,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,0DAA0D;QACvE,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,aAAa,EAAE;QACtC,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,sBAAsB,EAAE;oBACtB,sBAAsB;oBACtB,0BAA0B;oBAC1B,kBAAkB;oBAClB,yBAAyB;iBAC1B;aACF;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,QAAQ;QACf,IAAI,EAAE,CAAC,oBAAoB,EAAE,kBAAkB,CAAC;KACjD;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,kCAAkC;QACzC,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,4DAA4D;QACzE,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,aAAa,EAAE;QACtC,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,sBAAsB,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;aAC/D;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,CAAC,oBAAoB,EAAE,kBAAkB,CAAC;KACjD;IAED,4EAA4E;IAC5E,kCAAkC;IAClC,4EAA4E;IAC5E;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,qBAAqB;QAC5B,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,oDAAoD;QACjE,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,oBAAoB,EAAE;QAC7C,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,QAAQ,EAAE,SAAS;gBACnB,sBAAsB,EAAE,CAAC,WAAW,EAAE,UAAU,EAAE,oBAAoB,EAAE,MAAM,CAAC;aAChF;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,QAAQ;QACf,IAAI,EAAE,CAAC,kBAAkB,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,8BAA8B;QACrC,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,6CAA6C;QAC1D,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE;QAC3C,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,sBAAsB,EAAE;oBACtB,aAAa;oBACb,cAAc;oBACd,WAAW;oBACX,WAAW;oBACX,QAAQ;oBACR,UAAU;oBACV,iBAAiB;oBACjB,iBAAiB;iBAClB;aACF;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,QAAQ;QACf,IAAI,EAAE,CAAC,kBAAkB,EAAE,cAAc,CAAC;KAC3C;IAED,4EAA4E;IAC5E,0BAA0B;IAC1B,4EAA4E;IAC5E;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,0BAA0B;QACjC,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,qEAAqE;QAClF,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,oBAAoB,EAAE;QAC7C,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,QAAQ,EAAE,SAAS;gBACnB,sBAAsB,EAAE,CAAC,mBAAmB,EAAE,oBAAoB,EAAE,SAAS,CAAC;aAC/E;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,QAAQ;QACf,IAAI,EAAE,CAAC,yBAAyB,EAAE,kBAAkB,CAAC;KACtD;IAED,4EAA4E;IAC5E,yBAAyB;IACzB,4EAA4E;IAC5E;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,eAAe;QACtB,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,sDAAsD;QACnE,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE;QAC3C,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,sBAAsB,EAAE;oBACtB,wBAAwB;oBACxB,aAAa;oBACb,iBAAiB;oBACjB,iBAAiB;oBACjB,YAAY;oBACZ,gBAAgB;iBACjB;aACF;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,UAAU;QACjB,IAAI,EAAE,CAAC,wBAAwB,EAAE,kBAAkB,CAAC;KACrD;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,4BAA4B;QACnC,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,yDAAyD;QACtE,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE;QAC3C,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,sBAAsB,EAAE;oBACtB,aAAa;oBACb,aAAa;oBACb,aAAa;oBACb,uBAAuB;oBACvB,UAAU;oBACV,uBAAuB;iBACxB;aACF;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,UAAU;QACjB,IAAI,EAAE,CAAC,wBAAwB,EAAE,kBAAkB,CAAC;KACrD;IAED,4EAA4E;IAC5E,cAAc;IACd,4EAA4E;IAC5E;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,wBAAwB;QAC/B,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,0CAA0C;QACvD,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE;QAC3C,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,sBAAsB,EAAE;oBACtB,OAAO;oBACP,QAAQ;oBACR,aAAa;oBACb,aAAa;oBACb,WAAW;oBACX,UAAU;oBACV,WAAW;iBACZ;aACF;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,CAAC,eAAe,EAAE,cAAc,CAAC;KACxC;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,8BAA8B;QACrC,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,4CAA4C;QACzD,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE;QAC3C,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,sBAAsB,EAAE;oBACtB,sBAAsB;oBACtB,kBAAkB;oBAClB,WAAW;oBACX,aAAa;oBACb,aAAa;oBACb,iBAAiB;iBAClB;aACF;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,CAAC,qBAAqB,EAAE,cAAc,CAAC;KAC9C;IAED,4EAA4E;IAC5E,yBAAyB;IACzB,4EAA4E;IAC5E;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,mCAAmC;QAC1C,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,wDAAwD;QACrE,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,aAAa,EAAE;QACtC,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,QAAQ,EAAE,MAAM;gBAChB,sBAAsB,EAAE;oBACtB,aAAa;oBACb,aAAa;oBACb,cAAc;oBACd,YAAY;oBACZ,kBAAkB;iBACnB;aACF;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,UAAU;QACjB,IAAI,EAAE,CAAC,oBAAoB,EAAE,cAAc,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,qBAAqB;QAC5B,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,+CAA+C;QAC5D,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,aAAa,EAAE;QACtC,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,sBAAsB,EAAE;oBACtB,UAAU;oBACV,UAAU;oBACV,UAAU;oBACV,WAAW;oBACX,oBAAoB;oBACpB,cAAc;oBACd,WAAW;iBACZ;aACF;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,UAAU;QACjB,IAAI,EAAE,CAAC,oBAAoB,EAAE,kBAAkB,CAAC;KACjD;IAED,4EAA4E;IAC5E,8BAA8B;IAC9B,4EAA4E;IAC5E;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,2BAA2B;QAClC,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,wDAAwD;QACrE,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,gBAAgB,EAAE;QACzC,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,sBAAsB,EAAE;oBACtB,iBAAiB;oBACjB,qBAAqB;oBACrB,WAAW;oBACX,WAAW;oBACX,SAAS;iBACV;aACF;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,QAAQ;QACf,IAAI,EAAE,CAAC,6BAA6B,EAAE,kBAAkB,CAAC;KAC1D;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,+BAA+B;QACtC,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,2CAA2C;QACxD,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE;QAC3C,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,sBAAsB,EAAE;oBACtB,WAAW;oBACX,WAAW;oBACX,YAAY;oBACZ,YAAY;oBACZ,oBAAoB;iBACrB;aACF;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,MAAM;QACb,IAAI,EAAE,CAAC,6BAA6B,EAAE,kBAAkB,CAAC;KAC1D;IAED,4EAA4E;IAC5E,iBAAiB;IACjB,4EAA4E;IAC5E;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,uBAAuB;QAC9B,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,sCAAsC;QACnD,MAAM,EAAE,aAAa;QACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE;QAC3C,SAAS,EAAE;YACT,SAAS,EAAE;gBACT,sBAAsB,EAAE;oBACtB,yBAAyB;oBACzB,wBAAwB;oBACxB,mCAAmC;oBACnC,YAAY;oBACZ,sBAAsB;oBACtB,0BAA0B;iBAC3B;aACF;YACD,SAAS,EAAE,WAAW;SACvB;QACD,KAAK,EAAE,UAAU;QACjB,IAAI,EAAE,CAAC,eAAe,EAAE,cAAc,CAAC;KACxC;CACF,CAAC"}

package/dist/threat-cloud/client-id.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Anonymous Client ID for Threat Cloud deduplication.
+ * Reads or creates a UUID at ~/.panguard/client-id.
+ * Not associated with any user account or email.
+ *
+ * @module @panguard-ai/panguard-guard/threat-cloud/client-id
+ */
+/**
+ * Get or create an anonymous client ID for deduplication.
+ * This ID is a random UUID, not linked to user identity.
+ */
+export declare function getAnonymousClientId(): string;
+//# sourceMappingURL=client-id.d.ts.map

package/dist/threat-cloud/client-id.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-id.d.ts","sourceRoot":"","sources":["../../src/threat-cloud/client-id.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AASH;;;GAGG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CAkB7C"}

package/dist/threat-cloud/client-id.js

@@ -0,0 +1,38 @@
+/**
+ * Anonymous Client ID for Threat Cloud deduplication.
+ * Reads or creates a UUID at ~/.panguard/client-id.
+ * Not associated with any user account or email.
+ *
+ * @module @panguard-ai/panguard-guard/threat-cloud/client-id
+ */
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+import { randomUUID } from 'node:crypto';
+const ID_PATH = join(homedir(), '.panguard', 'client-id');
+/**
+ * Get or create an anonymous client ID for deduplication.
+ * This ID is a random UUID, not linked to user identity.
+ */
+export function getAnonymousClientId() {
+    try {
+        if (existsSync(ID_PATH)) {
+            const id = readFileSync(ID_PATH, 'utf-8').trim();
+            if (id.length > 0)
+                return id;
+        }
+    }
+    catch {
+        // Fall through to create
+    }
+    const id = randomUUID();
+    try {
+        mkdirSync(join(homedir(), '.panguard'), { recursive: true });
+        writeFileSync(ID_PATH, id, 'utf-8');
+    }
+    catch {
+        // Best effort - return the ID even if we can't persist it
+    }
+    return id;
+}
+//# sourceMappingURL=client-id.js.map

package/dist/threat-cloud/client-id.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-id.js","sourceRoot":"","sources":["../../src/threat-cloud/client-id.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;AAE1D;;;GAGG;AACH,MAAM,UAAU,oBAAoB;IAClC,IAAI,CAAC;QACH,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACxB,MAAM,EAAE,GAAG,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;YACjD,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,EAAE,CAAC;QAC/B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,yBAAyB;IAC3B,CAAC;IAED,MAAM,EAAE,GAAG,UAAU,EAAE,CAAC;IACxB,IAAI,CAAC;QACH,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7D,aAAa,CAAC,OAAO,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;IAC5D,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/threat-cloud/index.d.ts

@@ -0,0 +1,103 @@
+/**
+ * Collective Threat Intelligence (Threat Cloud)
+ * 集體威脅智慧（威脅雲）
+ *
+ * Provides anonymized threat data upload and community rule distribution.
+ * Supports HTTP cloud backend with local file fallback for offline mode.
+ * 提供匿名化威脅數據上傳和社群規則分發。
+ * 支援 HTTP 雲端後端和離線模式的本地檔案備援。
+ *
+ * @module @panguard-ai/panguard-guard/threat-cloud
+ */
+import type { AnonymizedThreatData, ThreatCloudUpdate, ThreatCloudStatus } from '../types.js';
+/**
+ * Threat Cloud Client for collective intelligence sharing
+ * 集體情報分享的威脅雲客戶端
+ */
+export declare class ThreatCloudClient {
+    private readonly endpoint;
+    private readonly dataDir;
+    private readonly clientId;
+    private status;
+    private cache;
+    private uploadQueue;
+    private uploadBuffer;
+    private flushTimer;
+    /** Max events before immediate flush */
+    private static readonly BATCH_SIZE;
+    /** Max buffer size to prevent memory growth */
+    private static readonly MAX_BUFFER;
+    /** Periodic flush interval (ms) */
+    private static readonly FLUSH_INTERVAL;
+    /**
+     * @param endpoint - Cloud API endpoint URL (undefined = offline mode) / 雲端 API 端點 URL
+     * @param dataDir - Local data directory for cache/queue / 本地資料目錄
+     */
+    constructor(endpoint: string | undefined, dataDir: string);
+    /**
+     * Get current connection status / 取得當前連線狀態
+     */
+    getStatus(): ThreatCloudStatus;
+    /**
+     * Upload anonymized threat data to the cloud.
+     * Data is buffered and sent in batches of up to 50 events.
+     * 上傳匿名化威脅數據至雲端。數據會緩衝並批次上傳（最多 50 筆）。
+     *
+     * @param data - Anonymized threat data / 匿名化威脅數據
+     */
+    upload(data: AnonymizedThreatData): Promise<boolean>;
+    /**
+     * Flush the upload buffer (batch POST to cloud).
+     * 清空上傳緩衝區（批次 POST 至雲端）。
+     */
+    private flushBuffer;
+    /**
+     * Stop the flush timer (call on shutdown).
+     * 停止定期清空計時器。
+     */
+    stopFlushTimer(): void;
+    /**
+     * Fetch latest community rules from the cloud
+     * 從雲端取得最新社群規則
+     *
+     * @returns Array of rule updates / 規則更新陣列
+     */
+    fetchRules(): Promise<ThreatCloudUpdate[]>;
+    /**
+     * Flush the upload queue (sync pending data to cloud)
+     * 清空上傳佇列（將待上傳數據同步至雲端）
+     *
+     * @returns Number of items successfully uploaded / 成功上傳的項目數
+     */
+    flushQueue(): Promise<number>;
+    /**
+     * Fetch IP blocklist from the cloud (plain text, one IP per line).
+     * 從雲端取得 IP 封鎖清單（純文字，每行一個 IP）。
+     *
+     * @returns Array of blocked IPs / 封鎖 IP 陣列
+     */
+    fetchBlocklist(): Promise<string[]>;
+    /**
+     * Get cached rules without network call / 取得快取規則（不進行網路呼叫）
+     */
+    getCachedRules(): ThreatCloudUpdate[];
+    /**
+     * Get queue size / 取得佇列大小
+     */
+    getQueueSize(): number;
+    /**
+     * Get statistics / 取得統計
+     */
+    getStats(): {
+        totalUploaded: number;
+        totalRulesReceived: number;
+        queueSize: number;
+    };
+    private httpPost;
+    private httpGet;
+    private loadCache;
+    private saveCache;
+    private loadQueue;
+    private saveQueue;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/threat-cloud/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/threat-cloud/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAMH,OAAO,KAAK,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAkB9F;;;GAGG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAqB;IAC9C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,MAAM,CAAqC;IACnD,OAAO,CAAC,KAAK,CAAY;IACzB,OAAO,CAAC,WAAW,CAA8B;IACjD,OAAO,CAAC,YAAY,CAA8B;IAClD,OAAO,CAAC,UAAU,CAA+C;IAEjE,wCAAwC;IACxC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAM;IACxC,+CAA+C;IAC/C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAQ;IAC1C,mCAAmC;IACnC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAU;IAEhD;;;OAGG;gBACS,QAAQ,EAAE,MAAM,GAAG,SAAS,EAAE,OAAO,EAAE,MAAM;IAoBzD;;OAEG;IACH,SAAS,IAAI,iBAAiB;IAI9B;;;;;;OAMG;IACG,MAAM,CAAC,IAAI,EAAE,oBAAoB,GAAG,OAAO,CAAC,OAAO,CAAC;IAsB1D;;;OAGG;YACW,WAAW;IA4BzB;;;OAGG;IACH,cAAc,IAAI,IAAI;IAOtB;;;;;OAKG;IACG,UAAU,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;IAsChD;;;;;OAKG;IACG,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC;IAiCnC;;;;;OAKG;IACG,cAAc,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAwBzC;;OAEG;IACH,cAAc,IAAI,iBAAiB,EAAE;IAIrC;;OAEG;IACH,YAAY,IAAI,MAAM;IAItB;;OAEG;IACH,QAAQ,IAAI;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,kBAAkB,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE;IAWpF,OAAO,CAAC,QAAQ;IA2ChB,OAAO,CAAC,OAAO;IA2Cf,OAAO,CAAC,SAAS;IAgBjB,OAAO,CAAC,SAAS;IAWjB,OAAO,CAAC,SAAS;IAYjB,OAAO,CAAC,SAAS;CAUlB"}