@panguard-ai/panguard-guard 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/agent/analyze-agent.d.ts +62 -0
- package/dist/agent/analyze-agent.d.ts.map +1 -0
- package/dist/agent/analyze-agent.js +327 -0
- package/dist/agent/analyze-agent.js.map +1 -0
- package/dist/agent/detect-agent.d.ts +59 -0
- package/dist/agent/detect-agent.d.ts.map +1 -0
- package/dist/agent/detect-agent.js +214 -0
- package/dist/agent/detect-agent.js.map +1 -0
- package/dist/agent/index.d.ts +15 -0
- package/dist/agent/index.d.ts.map +1 -0
- package/dist/agent/index.js +14 -0
- package/dist/agent/index.js.map +1 -0
- package/dist/agent/report-agent.d.ts +122 -0
- package/dist/agent/report-agent.d.ts.map +1 -0
- package/dist/agent/report-agent.js +468 -0
- package/dist/agent/report-agent.js.map +1 -0
- package/dist/agent/respond-agent.d.ts +113 -0
- package/dist/agent/respond-agent.d.ts.map +1 -0
- package/dist/agent/respond-agent.js +749 -0
- package/dist/agent/respond-agent.js.map +1 -0
- package/dist/agent-client/index.d.ts +81 -0
- package/dist/agent-client/index.d.ts.map +1 -0
- package/dist/agent-client/index.js +170 -0
- package/dist/agent-client/index.js.map +1 -0
- package/dist/cli/index.d.ts +17 -0
- package/dist/cli/index.d.ts.map +1 -0
- package/dist/cli/index.js +295 -0
- package/dist/cli/index.js.map +1 -0
- package/dist/config.d.ts +23 -0
- package/dist/config.d.ts.map +1 -0
- package/dist/config.js +108 -0
- package/dist/config.js.map +1 -0
- package/dist/daemon/index.d.ts +66 -0
- package/dist/daemon/index.d.ts.map +1 -0
- package/dist/daemon/index.js +284 -0
- package/dist/daemon/index.js.map +1 -0
- package/dist/dashboard/index.d.ts +78 -0
- package/dist/dashboard/index.d.ts.map +1 -0
- package/dist/dashboard/index.js +455 -0
- package/dist/dashboard/index.js.map +1 -0
- package/dist/guard-engine.d.ts +108 -0
- package/dist/guard-engine.d.ts.map +1 -0
- package/dist/guard-engine.js +740 -0
- package/dist/guard-engine.js.map +1 -0
- package/dist/index.d.ts +29 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +39 -0
- package/dist/index.js.map +1 -0
- package/dist/install/index.d.ts +23 -0
- package/dist/install/index.d.ts.map +1 -0
- package/dist/install/index.js +216 -0
- package/dist/install/index.js.map +1 -0
- package/dist/investigation/index.d.ts +80 -0
- package/dist/investigation/index.d.ts.map +1 -0
- package/dist/investigation/index.js +570 -0
- package/dist/investigation/index.js.map +1 -0
- package/dist/license/index.d.ts +46 -0
- package/dist/license/index.d.ts.map +1 -0
- package/dist/license/index.js +145 -0
- package/dist/license/index.js.map +1 -0
- package/dist/memory/baseline.d.ts +34 -0
- package/dist/memory/baseline.d.ts.map +1 -0
- package/dist/memory/baseline.js +224 -0
- package/dist/memory/baseline.js.map +1 -0
- package/dist/memory/index.d.ts +32 -0
- package/dist/memory/index.d.ts.map +1 -0
- package/dist/memory/index.js +58 -0
- package/dist/memory/index.js.map +1 -0
- package/dist/memory/learning.d.ts +35 -0
- package/dist/memory/learning.d.ts.map +1 -0
- package/dist/memory/learning.js +60 -0
- package/dist/memory/learning.js.map +1 -0
- package/dist/monitors/falco-monitor.d.ts +62 -0
- package/dist/monitors/falco-monitor.d.ts.map +1 -0
- package/dist/monitors/falco-monitor.js +226 -0
- package/dist/monitors/falco-monitor.js.map +1 -0
- package/dist/monitors/suricata-monitor.d.ts +80 -0
- package/dist/monitors/suricata-monitor.d.ts.map +1 -0
- package/dist/monitors/suricata-monitor.js +227 -0
- package/dist/monitors/suricata-monitor.js.map +1 -0
- package/dist/notify/email.d.ts +23 -0
- package/dist/notify/email.d.ts.map +1 -0
- package/dist/notify/email.js +124 -0
- package/dist/notify/email.js.map +1 -0
- package/dist/notify/index.d.ts +31 -0
- package/dist/notify/index.d.ts.map +1 -0
- package/dist/notify/index.js +70 -0
- package/dist/notify/index.js.map +1 -0
- package/dist/notify/line-notify.d.ts.map +1 -0
- package/dist/notify/slack.d.ts +21 -0
- package/dist/notify/slack.d.ts.map +1 -0
- package/dist/notify/slack.js +92 -0
- package/dist/notify/slack.js.map +1 -0
- package/dist/notify/telegram.d.ts +21 -0
- package/dist/notify/telegram.d.ts.map +1 -0
- package/dist/notify/telegram.js +89 -0
- package/dist/notify/telegram.js.map +1 -0
- package/dist/response/file-quarantine.d.ts +63 -0
- package/dist/response/file-quarantine.d.ts.map +1 -0
- package/dist/response/file-quarantine.js +137 -0
- package/dist/response/file-quarantine.js.map +1 -0
- package/dist/response/index.d.ts +4 -0
- package/dist/response/index.d.ts.map +1 -0
- package/dist/response/index.js +4 -0
- package/dist/response/index.js.map +1 -0
- package/dist/response/ip-blocker.d.ts +69 -0
- package/dist/response/ip-blocker.d.ts.map +1 -0
- package/dist/response/ip-blocker.js +191 -0
- package/dist/response/ip-blocker.js.map +1 -0
- package/dist/response/process-killer.d.ts +49 -0
- package/dist/response/process-killer.d.ts.map +1 -0
- package/dist/response/process-killer.js +230 -0
- package/dist/response/process-killer.js.map +1 -0
- package/dist/rules/builtin-rules.d.ts +12 -0
- package/dist/rules/builtin-rules.d.ts.map +1 -0
- package/dist/rules/builtin-rules.js +471 -0
- package/dist/rules/builtin-rules.js.map +1 -0
- package/dist/threat-cloud/client-id.d.ts +13 -0
- package/dist/threat-cloud/client-id.d.ts.map +1 -0
- package/dist/threat-cloud/client-id.js +38 -0
- package/dist/threat-cloud/client-id.js.map +1 -0
- package/dist/threat-cloud/index.d.ts +103 -0
- package/dist/threat-cloud/index.d.ts.map +1 -0
- package/dist/threat-cloud/index.js +386 -0
- package/dist/threat-cloud/index.js.map +1 -0
- package/dist/types.d.ts +336 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +42 -0
- package/dist/types.js.map +1 -0
- package/package.json +35 -0
|
@@ -0,0 +1,214 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Detect Agent - Event detection through rules, threat intelligence, and correlation
|
|
3
|
+
* 偵測代理 - 透過規則、威脅情報和事件關聯進行事件偵測
|
|
4
|
+
*
|
|
5
|
+
* First stage of the multi-agent pipeline. Receives raw SecurityEvents,
|
|
6
|
+
* runs them through the Sigma rule engine and threat intelligence feeds,
|
|
7
|
+
* correlates events within a sliding time window to detect attack chains,
|
|
8
|
+
* and emits DetectionResults for events that match.
|
|
9
|
+
*
|
|
10
|
+
* @module @panguard-ai/panguard-guard/agent/detect-agent
|
|
11
|
+
*/
|
|
12
|
+
import { createLogger, checkThreatIntel } from '@panguard-ai/core';
|
|
13
|
+
const logger = createLogger('panguard-guard:detect-agent');
|
|
14
|
+
/** Correlation window in ms (5 minutes) */
|
|
15
|
+
const CORRELATION_WINDOW_MS = 5 * 60 * 1000;
|
|
16
|
+
/** Max correlated events to keep in memory */
|
|
17
|
+
const MAX_CORRELATION_BUFFER = 1000;
|
|
18
|
+
/** Deduplication window in ms (60 seconds) */
|
|
19
|
+
const DEDUP_WINDOW_MS = 60 * 1000;
|
|
20
|
+
/** Max dedup entries to track */
|
|
21
|
+
const MAX_DEDUP_ENTRIES = 500;
|
|
22
|
+
/** Minimum events from same source to flag as attack chain */
|
|
23
|
+
const ATTACK_CHAIN_THRESHOLD = 3;
|
|
24
|
+
/**
|
|
25
|
+
* Detect Agent processes security events through rule matching,
|
|
26
|
+
* threat intelligence, event correlation, and deduplication.
|
|
27
|
+
*/
|
|
28
|
+
export class DetectAgent {
|
|
29
|
+
ruleEngine;
|
|
30
|
+
detectionCount = 0;
|
|
31
|
+
/** Sliding window for event correlation */
|
|
32
|
+
correlationBuffer = [];
|
|
33
|
+
/** Deduplication tracker: key → last detection timestamp */
|
|
34
|
+
dedupMap = new Map();
|
|
35
|
+
constructor(ruleEngine) {
|
|
36
|
+
this.ruleEngine = ruleEngine;
|
|
37
|
+
}
|
|
38
|
+
/**
|
|
39
|
+
* Process a security event and detect threats
|
|
40
|
+
*
|
|
41
|
+
* Steps:
|
|
42
|
+
* 1. Match the event against loaded Sigma rules
|
|
43
|
+
* 2. Check threat intelligence for network events (IP lookup, IPv4 + IPv6)
|
|
44
|
+
* 3. Deduplicate: skip if same source+rule fired within dedup window
|
|
45
|
+
* 4. Correlate: check sliding window for attack chain patterns
|
|
46
|
+
* 5. If any matches found, return a DetectionResult; otherwise null
|
|
47
|
+
*/
|
|
48
|
+
detect(event) {
|
|
49
|
+
logger.info(`Processing event: ${event.id} [${event.source}]`);
|
|
50
|
+
// Step 1: Match against Sigma rules
|
|
51
|
+
const ruleMatches = this.ruleEngine.match(event);
|
|
52
|
+
// Step 2: Check threat intelligence (supports multiple IP fields)
|
|
53
|
+
let threatIntelMatch;
|
|
54
|
+
if (event.source === 'network' || event.source === 'suricata') {
|
|
55
|
+
const ip = this.extractIP(event);
|
|
56
|
+
if (ip) {
|
|
57
|
+
const threatEntry = checkThreatIntel(ip);
|
|
58
|
+
if (threatEntry) {
|
|
59
|
+
threatIntelMatch = { ip, threat: `${threatEntry.type} (${threatEntry.source})` };
|
|
60
|
+
}
|
|
61
|
+
}
|
|
62
|
+
}
|
|
63
|
+
// If no matches found, return null (normal event)
|
|
64
|
+
if (ruleMatches.length === 0 && !threatIntelMatch) {
|
|
65
|
+
return null;
|
|
66
|
+
}
|
|
67
|
+
// Step 3: Deduplication — skip if identical detection within window
|
|
68
|
+
const dedupKey = this.buildDedupKey(event, ruleMatches);
|
|
69
|
+
if (this.isDuplicate(dedupKey)) {
|
|
70
|
+
logger.info(`Dedup: skipping duplicate detection for event ${event.id}`);
|
|
71
|
+
return null;
|
|
72
|
+
}
|
|
73
|
+
this.recordDedup(dedupKey);
|
|
74
|
+
// Step 4: Correlation — check for attack chain
|
|
75
|
+
const sourceIP = this.extractIP(event);
|
|
76
|
+
const ruleIds = ruleMatches.map((m) => m.rule.id);
|
|
77
|
+
const attackChain = this.correlate(event, ruleIds, sourceIP);
|
|
78
|
+
this.detectionCount++;
|
|
79
|
+
const result = {
|
|
80
|
+
event,
|
|
81
|
+
ruleMatches: ruleMatches.map((m) => ({
|
|
82
|
+
ruleId: m.rule.id,
|
|
83
|
+
ruleName: m.rule.title,
|
|
84
|
+
severity: (m.rule.level ?? 'medium'),
|
|
85
|
+
})),
|
|
86
|
+
threatIntelMatch,
|
|
87
|
+
timestamp: new Date().toISOString(),
|
|
88
|
+
// Attach correlation metadata if attack chain detected
|
|
89
|
+
...(attackChain ? { attackChain } : {}),
|
|
90
|
+
};
|
|
91
|
+
logger.info(`Threat detected for event ${event.id}: ${ruleMatches.length} rule matches, ` +
|
|
92
|
+
`threat intel: ${threatIntelMatch ? 'yes' : 'no'}, ` +
|
|
93
|
+
`attack chain: ${attackChain ? `${attackChain.eventCount} events` : 'no'}`);
|
|
94
|
+
return result;
|
|
95
|
+
}
|
|
96
|
+
/**
|
|
97
|
+
* Extract IP address from event metadata (IPv4 + IPv6 support)
|
|
98
|
+
*/
|
|
99
|
+
extractIP(event) {
|
|
100
|
+
const meta = event.metadata;
|
|
101
|
+
if (!meta)
|
|
102
|
+
return undefined;
|
|
103
|
+
// Check multiple possible IP fields
|
|
104
|
+
const candidates = [
|
|
105
|
+
meta['remoteAddress'],
|
|
106
|
+
meta['sourceIP'],
|
|
107
|
+
meta['src_ip'],
|
|
108
|
+
meta['destinationIP'],
|
|
109
|
+
meta['dst_ip'],
|
|
110
|
+
meta['clientIP'],
|
|
111
|
+
meta['peerAddress'],
|
|
112
|
+
];
|
|
113
|
+
for (const candidate of candidates) {
|
|
114
|
+
if (typeof candidate === 'string' && candidate.length > 0) {
|
|
115
|
+
return candidate;
|
|
116
|
+
}
|
|
117
|
+
}
|
|
118
|
+
return undefined;
|
|
119
|
+
}
|
|
120
|
+
// ---------------------------------------------------------------------------
|
|
121
|
+
// Deduplication
|
|
122
|
+
// ---------------------------------------------------------------------------
|
|
123
|
+
/** Build a dedup key from event source + matched rule IDs */
|
|
124
|
+
buildDedupKey(event, matches) {
|
|
125
|
+
const ip = this.extractIP(event) ?? 'no-ip';
|
|
126
|
+
const rules = matches
|
|
127
|
+
.map((m) => m.rule.id)
|
|
128
|
+
.sort()
|
|
129
|
+
.join(',');
|
|
130
|
+
return `${event.source}:${ip}:${rules}`;
|
|
131
|
+
}
|
|
132
|
+
/** Check if this key was seen within the dedup window */
|
|
133
|
+
isDuplicate(key) {
|
|
134
|
+
const lastSeen = this.dedupMap.get(key);
|
|
135
|
+
if (!lastSeen)
|
|
136
|
+
return false;
|
|
137
|
+
return Date.now() - lastSeen < DEDUP_WINDOW_MS;
|
|
138
|
+
}
|
|
139
|
+
/** Record a dedup entry and evict old entries if over limit */
|
|
140
|
+
recordDedup(key) {
|
|
141
|
+
this.dedupMap.set(key, Date.now());
|
|
142
|
+
// Evict expired entries periodically
|
|
143
|
+
if (this.dedupMap.size > MAX_DEDUP_ENTRIES) {
|
|
144
|
+
const now = Date.now();
|
|
145
|
+
for (const [k, ts] of this.dedupMap) {
|
|
146
|
+
if (now - ts > DEDUP_WINDOW_MS) {
|
|
147
|
+
this.dedupMap.delete(k);
|
|
148
|
+
}
|
|
149
|
+
}
|
|
150
|
+
}
|
|
151
|
+
}
|
|
152
|
+
// ---------------------------------------------------------------------------
|
|
153
|
+
// Event Correlation (Attack Chain Detection)
|
|
154
|
+
// ---------------------------------------------------------------------------
|
|
155
|
+
/**
|
|
156
|
+
* Correlate events within a sliding time window.
|
|
157
|
+
* Returns attack chain metadata if multiple events from same source detected.
|
|
158
|
+
*/
|
|
159
|
+
correlate(event, ruleIds, sourceIP) {
|
|
160
|
+
const now = Date.now();
|
|
161
|
+
// Add current event to correlation buffer
|
|
162
|
+
this.correlationBuffer.push({
|
|
163
|
+
event,
|
|
164
|
+
ruleIds,
|
|
165
|
+
sourceIP,
|
|
166
|
+
timestamp: now,
|
|
167
|
+
});
|
|
168
|
+
// Evict events outside the correlation window
|
|
169
|
+
while (this.correlationBuffer.length > 0 &&
|
|
170
|
+
now - this.correlationBuffer[0].timestamp > CORRELATION_WINDOW_MS) {
|
|
171
|
+
this.correlationBuffer.shift();
|
|
172
|
+
}
|
|
173
|
+
// Trim buffer if too large
|
|
174
|
+
while (this.correlationBuffer.length > MAX_CORRELATION_BUFFER) {
|
|
175
|
+
this.correlationBuffer.shift();
|
|
176
|
+
}
|
|
177
|
+
// Only correlate if we have a source IP
|
|
178
|
+
if (!sourceIP)
|
|
179
|
+
return undefined;
|
|
180
|
+
// Find all events from this source IP within the window
|
|
181
|
+
const relatedEvents = this.correlationBuffer.filter((e) => e.sourceIP === sourceIP && now - e.timestamp <= CORRELATION_WINDOW_MS);
|
|
182
|
+
if (relatedEvents.length >= ATTACK_CHAIN_THRESHOLD) {
|
|
183
|
+
// Collect all unique rule IDs across the chain
|
|
184
|
+
const allRuleIds = new Set();
|
|
185
|
+
for (const re of relatedEvents) {
|
|
186
|
+
for (const rid of re.ruleIds) {
|
|
187
|
+
allRuleIds.add(rid);
|
|
188
|
+
}
|
|
189
|
+
}
|
|
190
|
+
logger.warn(`Attack chain detected from ${sourceIP}: ${relatedEvents.length} events, ` +
|
|
191
|
+
`${allRuleIds.size} unique rules in ${CORRELATION_WINDOW_MS / 1000}s window`);
|
|
192
|
+
return {
|
|
193
|
+
sourceIP,
|
|
194
|
+
eventCount: relatedEvents.length,
|
|
195
|
+
ruleIds: [...allRuleIds],
|
|
196
|
+
windowMs: CORRELATION_WINDOW_MS,
|
|
197
|
+
};
|
|
198
|
+
}
|
|
199
|
+
return undefined;
|
|
200
|
+
}
|
|
201
|
+
/** Get total number of detections */
|
|
202
|
+
getDetectionCount() {
|
|
203
|
+
return this.detectionCount;
|
|
204
|
+
}
|
|
205
|
+
/** Get current correlation buffer size (for monitoring) */
|
|
206
|
+
getCorrelationBufferSize() {
|
|
207
|
+
return this.correlationBuffer.length;
|
|
208
|
+
}
|
|
209
|
+
/** Get current dedup map size (for monitoring) */
|
|
210
|
+
getDedupMapSize() {
|
|
211
|
+
return this.dedupMap.size;
|
|
212
|
+
}
|
|
213
|
+
}
|
|
214
|
+
//# sourceMappingURL=detect-agent.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"detect-agent.js","sourceRoot":"","sources":["../../src/agent/detect-agent.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAInE,MAAM,MAAM,GAAG,YAAY,CAAC,6BAA6B,CAAC,CAAC;AAE3D,2CAA2C;AAC3C,MAAM,qBAAqB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAE5C,8CAA8C;AAC9C,MAAM,sBAAsB,GAAG,IAAI,CAAC;AAEpC,8CAA8C;AAC9C,MAAM,eAAe,GAAG,EAAE,GAAG,IAAI,CAAC;AAElC,iCAAiC;AACjC,MAAM,iBAAiB,GAAG,GAAG,CAAC;AAE9B,8DAA8D;AAC9D,MAAM,sBAAsB,GAAG,CAAC,CAAC;AAiBjC;;;GAGG;AACH,MAAM,OAAO,WAAW;IACL,UAAU,CAAa;IAChC,cAAc,GAAG,CAAC,CAAC;IAE3B,2CAA2C;IAC1B,iBAAiB,GAAsB,EAAE,CAAC;IAE3D,4DAA4D;IAC3C,QAAQ,GAAG,IAAI,GAAG,EAAkB,CAAC;IAEtD,YAAY,UAAsB;QAChC,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;IAED;;;;;;;;;OASG;IACH,MAAM,CAAC,KAAoB;QACzB,MAAM,CAAC,IAAI,CAAC,qBAAqB,KAAK,CAAC,EAAE,KAAK,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;QAE/D,oCAAoC;QACpC,MAAM,WAAW,GAAgB,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAE9D,kEAAkE;QAClE,IAAI,gBAA4D,CAAC;QACjE,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,IAAI,KAAK,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAC9D,MAAM,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YACjC,IAAI,EAAE,EAAE,CAAC;gBACP,MAAM,WAAW,GAAG,gBAAgB,CAAC,EAAE,CAAC,CAAC;gBACzC,IAAI,WAAW,EAAE,CAAC;oBAChB,gBAAgB,GAAG,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,WAAW,CAAC,IAAI,KAAK,WAAW,CAAC,MAAM,GAAG,EAAE,CAAC;gBACnF,CAAC;YACH,CAAC;QACH,CAAC;QAED,kDAAkD;QAClD,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAClD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,oEAAoE;QACpE,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QACxD,IAAI,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC/B,MAAM,CAAC,IAAI,CAAC,iDAAiD,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;YACzE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QAE3B,+CAA+C;QAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QACvC,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAClD,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAE7D,IAAI,CAAC,cAAc,EAAE,CAAC;QAEtB,MAAM,MAAM,GAAoB;YAC9B,KAAK;YACL,WAAW,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC,CAAY,EAAE,EAAE,CAAC,CAAC;gBAC9C,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE;gBACjB,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK;gBACtB,QAAQ,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,IAAI,QAAQ,CAA8B;aAClE,CAAC,CAAC;YACH,gBAAgB;YAChB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,uDAAuD;YACvD,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACxC,CAAC;QAEF,MAAM,CAAC,IAAI,CACT,6BAA6B,KAAK,CAAC,EAAE,KAAK,WAAW,CAAC,MAAM,iBAAiB;YAC3E,iBAAiB,gBAAgB,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI;YACpD,iBAAiB,WAAW,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,UAAU,SAAS,CAAC,CAAC,CAAC,IAAI,EAAE,CAC7E,CAAC;QAEF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACK,SAAS,CAAC,KAAoB;QACpC,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,CAAC;QAC5B,IAAI,CAAC,IAAI;YAAE,OAAO,SAAS,CAAC;QAE5B,oCAAoC;QACpC,MAAM,UAAU,GAAG;YACjB,IAAI,CAAC,eAAe,CAAC;YACrB,IAAI,CAAC,UAAU,CAAC;YAChB,IAAI,CAAC,QAAQ,CAAC;YACd,IAAI,CAAC,eAAe,CAAC;YACrB,IAAI,CAAC,QAAQ,CAAC;YACd,IAAI,CAAC,UAAU,CAAC;YAChB,IAAI,CAAC,aAAa,CAAC;SACpB,CAAC;QAEF,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC1D,OAAO,SAAS,CAAC;YACnB,CAAC;QACH,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,8EAA8E;IAC9E,gBAAgB;IAChB,8EAA8E;IAE9E,6DAA6D;IACrD,aAAa,CAAC,KAAoB,EAAE,OAAoB;QAC9D,MAAM,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC;QAC5C,MAAM,KAAK,GAAG,OAAO;aAClB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;aACrB,IAAI,EAAE;aACN,IAAI,CAAC,GAAG,CAAC,CAAC;QACb,OAAO,GAAG,KAAK,CAAC,MAAM,IAAI,EAAE,IAAI,KAAK,EAAE,CAAC;IAC1C,CAAC;IAED,yDAAyD;IACjD,WAAW,CAAC,GAAW;QAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC5B,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,GAAG,eAAe,CAAC;IACjD,CAAC;IAED,+DAA+D;IACvD,WAAW,CAAC,GAAW;QAC7B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAEnC,qCAAqC;QACrC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,GAAG,iBAAiB,EAAE,CAAC;YAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,KAAK,MAAM,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACpC,IAAI,GAAG,GAAG,EAAE,GAAG,eAAe,EAAE,CAAC;oBAC/B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC1B,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,8EAA8E;IAC9E,6CAA6C;IAC7C,8EAA8E;IAE9E;;;OAGG;IACK,SAAS,CACf,KAAoB,EACpB,OAAiB,EACjB,QAAiB;QAEjB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,0CAA0C;QAC1C,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC;YAC1B,KAAK;YACL,OAAO;YACP,QAAQ;YACR,SAAS,EAAE,GAAG;SACf,CAAC,CAAC;QAEH,8CAA8C;QAC9C,OACE,IAAI,CAAC,iBAAiB,CAAC,MAAM,GAAG,CAAC;YACjC,GAAG,GAAG,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAE,CAAC,SAAS,GAAG,qBAAqB,EAClE,CAAC;YACD,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,CAAC;QACjC,CAAC;QAED,2BAA2B;QAC3B,OAAO,IAAI,CAAC,iBAAiB,CAAC,MAAM,GAAG,sBAAsB,EAAE,CAAC;YAC9D,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,CAAC;QACjC,CAAC;QAED,wCAAwC;QACxC,IAAI,CAAC,QAAQ;YAAE,OAAO,SAAS,CAAC;QAEhC,wDAAwD;QACxD,MAAM,aAAa,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CACjD,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,GAAG,CAAC,CAAC,SAAS,IAAI,qBAAqB,CAC7E,CAAC;QAEF,IAAI,aAAa,CAAC,MAAM,IAAI,sBAAsB,EAAE,CAAC;YACnD,+CAA+C;YAC/C,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;YACrC,KAAK,MAAM,EAAE,IAAI,aAAa,EAAE,CAAC;gBAC/B,KAAK,MAAM,GAAG,IAAI,EAAE,CAAC,OAAO,EAAE,CAAC;oBAC7B,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACtB,CAAC;YACH,CAAC;YAED,MAAM,CAAC,IAAI,CACT,8BAA8B,QAAQ,KAAK,aAAa,CAAC,MAAM,WAAW;gBACxE,GAAG,UAAU,CAAC,IAAI,oBAAoB,qBAAqB,GAAG,IAAI,UAAU,CAC/E,CAAC;YAEF,OAAO;gBACL,QAAQ;gBACR,UAAU,EAAE,aAAa,CAAC,MAAM;gBAChC,OAAO,EAAE,CAAC,GAAG,UAAU,CAAC;gBACxB,QAAQ,EAAE,qBAAqB;aAChC,CAAC;QACJ,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,qCAAqC;IACrC,iBAAiB;QACf,OAAO,IAAI,CAAC,cAAc,CAAC;IAC7B,CAAC;IAED,2DAA2D;IAC3D,wBAAwB;QACtB,OAAO,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC;IACvC,CAAC;IAED,kDAAkD;IAClD,eAAe;QACb,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC5B,CAAC;CACF"}
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Multi-Agent Pipeline
|
|
3
|
+
* 多代理管線
|
|
4
|
+
*
|
|
5
|
+
* Exports the four-agent pipeline: Detect -> Analyze -> Respond -> Report.
|
|
6
|
+
* 匯出四代理管線:偵測 -> 分析 -> 回應 -> 報告。
|
|
7
|
+
*
|
|
8
|
+
* @module @panguard-ai/panguard-guard/agent
|
|
9
|
+
*/
|
|
10
|
+
export { DetectAgent } from './detect-agent.js';
|
|
11
|
+
export { AnalyzeAgent } from './analyze-agent.js';
|
|
12
|
+
export { RespondAgent } from './respond-agent.js';
|
|
13
|
+
export { ReportAgent } from './report-agent.js';
|
|
14
|
+
export type { ReportRecord } from './report-agent.js';
|
|
15
|
+
//# sourceMappingURL=index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/agent/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,YAAY,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC"}
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Multi-Agent Pipeline
|
|
3
|
+
* 多代理管線
|
|
4
|
+
*
|
|
5
|
+
* Exports the four-agent pipeline: Detect -> Analyze -> Respond -> Report.
|
|
6
|
+
* 匯出四代理管線:偵測 -> 分析 -> 回應 -> 報告。
|
|
7
|
+
*
|
|
8
|
+
* @module @panguard-ai/panguard-guard/agent
|
|
9
|
+
*/
|
|
10
|
+
export { DetectAgent } from './detect-agent.js';
|
|
11
|
+
export { AnalyzeAgent } from './analyze-agent.js';
|
|
12
|
+
export { RespondAgent } from './respond-agent.js';
|
|
13
|
+
export { ReportAgent } from './report-agent.js';
|
|
14
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/agent/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC"}
|
|
@@ -0,0 +1,122 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Report Agent - Event logging with rotation, streaming reads, and retention policy
|
|
3
|
+
* 報告代理 - 事件記錄,支援 log rotation、串流讀取和資料保留策略
|
|
4
|
+
*
|
|
5
|
+
* Fourth stage of the multi-agent pipeline. Logs all events to JSONL with
|
|
6
|
+
* automatic rotation, updates the baseline during learning mode, and
|
|
7
|
+
* generates anonymized threat data for collective intelligence.
|
|
8
|
+
*
|
|
9
|
+
* @module @panguard-ai/panguard-guard/agent/report-agent
|
|
10
|
+
*/
|
|
11
|
+
import type { SecurityEvent } from '@panguard-ai/core';
|
|
12
|
+
import type { ThreatVerdict, ResponseResult, EnvironmentBaseline, AnonymizedThreatData, GuardMode } from '../types.js';
|
|
13
|
+
/** Full report record written to JSONL */
|
|
14
|
+
export interface ReportRecord {
|
|
15
|
+
event: SecurityEvent;
|
|
16
|
+
verdict: ThreatVerdict;
|
|
17
|
+
response: ResponseResult;
|
|
18
|
+
timestamp: string;
|
|
19
|
+
}
|
|
20
|
+
/** Daily/weekly summary structure */
|
|
21
|
+
export interface ReportSummary {
|
|
22
|
+
period: {
|
|
23
|
+
start: string;
|
|
24
|
+
end: string;
|
|
25
|
+
};
|
|
26
|
+
totalEvents: number;
|
|
27
|
+
threatsBlocked: number;
|
|
28
|
+
suspiciousEvents: number;
|
|
29
|
+
benignEvents: number;
|
|
30
|
+
topAttackSources: Array<{
|
|
31
|
+
ip: string;
|
|
32
|
+
count: number;
|
|
33
|
+
}>;
|
|
34
|
+
actionsTaken: Array<{
|
|
35
|
+
action: string;
|
|
36
|
+
count: number;
|
|
37
|
+
}>;
|
|
38
|
+
verdictBreakdown: {
|
|
39
|
+
benign: number;
|
|
40
|
+
suspicious: number;
|
|
41
|
+
malicious: number;
|
|
42
|
+
};
|
|
43
|
+
}
|
|
44
|
+
/** Log rotation configuration */
|
|
45
|
+
interface RotationConfig {
|
|
46
|
+
/** Max log file size before rotation (default 50MB) */
|
|
47
|
+
maxFileSizeBytes: number;
|
|
48
|
+
/** Max number of rotated log files to keep (default 10) */
|
|
49
|
+
maxRotatedFiles: number;
|
|
50
|
+
/** Retention period in days (default 90) */
|
|
51
|
+
retentionDays: number;
|
|
52
|
+
}
|
|
53
|
+
/**
|
|
54
|
+
* Report Agent logs events with rotation, updates baselines, and generates anonymized data.
|
|
55
|
+
*/
|
|
56
|
+
export declare class ReportAgent {
|
|
57
|
+
private readonly logPath;
|
|
58
|
+
private mode;
|
|
59
|
+
private reportCount;
|
|
60
|
+
private readonly rotation;
|
|
61
|
+
constructor(logPath: string, mode: GuardMode, rotation?: Partial<RotationConfig>);
|
|
62
|
+
/** Update operating mode */
|
|
63
|
+
setMode(mode: GuardMode): void;
|
|
64
|
+
/**
|
|
65
|
+
* Process a complete pipeline result: log, update baseline, generate anonymized data.
|
|
66
|
+
* Automatically rotates log file when size limit is reached.
|
|
67
|
+
*/
|
|
68
|
+
report(event: SecurityEvent, verdict: ThreatVerdict, response: ResponseResult, baseline: EnvironmentBaseline): {
|
|
69
|
+
updatedBaseline: EnvironmentBaseline;
|
|
70
|
+
anonymizedData?: AnonymizedThreatData;
|
|
71
|
+
};
|
|
72
|
+
/**
|
|
73
|
+
* Rotate log file if it exceeds the size limit.
|
|
74
|
+
* Naming: events.jsonl -> events.jsonl.1 -> events.jsonl.2 -> ...
|
|
75
|
+
* Oldest files beyond maxRotatedFiles are deleted.
|
|
76
|
+
*/
|
|
77
|
+
private rotateIfNeeded;
|
|
78
|
+
/**
|
|
79
|
+
* Delete rotated log files beyond maxRotatedFiles and older than retentionDays
|
|
80
|
+
*/
|
|
81
|
+
private enforceRetention;
|
|
82
|
+
private appendLog;
|
|
83
|
+
/**
|
|
84
|
+
* Read log records from JSONL using streaming (line-by-line).
|
|
85
|
+
* Only loads records after the cutoff date into memory.
|
|
86
|
+
* This replaces the previous readFileSync approach that loaded entire files.
|
|
87
|
+
*/
|
|
88
|
+
readLogRecordsStreaming(after: Date): Promise<ReportRecord[]>;
|
|
89
|
+
/**
|
|
90
|
+
* Get all log files (current + rotated) sorted newest first
|
|
91
|
+
*/
|
|
92
|
+
private getLogFiles;
|
|
93
|
+
/**
|
|
94
|
+
* Stream a single JSONL file, returning records after the cutoff
|
|
95
|
+
*/
|
|
96
|
+
private streamFile;
|
|
97
|
+
/**
|
|
98
|
+
* Generate a summary for the given time period.
|
|
99
|
+
* Uses streaming reader for memory efficiency.
|
|
100
|
+
*/
|
|
101
|
+
generateSummary(hoursBack: number): Promise<ReportSummary>;
|
|
102
|
+
/** Generate daily summary (last 24 hours) */
|
|
103
|
+
generateDailySummary(): Promise<ReportSummary>;
|
|
104
|
+
/** Generate weekly summary (last 7 days) */
|
|
105
|
+
generateWeeklySummary(): Promise<ReportSummary>;
|
|
106
|
+
/**
|
|
107
|
+
* Synchronous summary for backwards compatibility (reads current file only).
|
|
108
|
+
* Prefer async generateSummary() for production use.
|
|
109
|
+
*/
|
|
110
|
+
generateSummarySync(hoursBack: number): ReportSummary;
|
|
111
|
+
/** Synchronous read of current log file only */
|
|
112
|
+
private readLogRecordsSync;
|
|
113
|
+
private generateAnonymizedData;
|
|
114
|
+
/** Get total report count */
|
|
115
|
+
getReportCount(): number;
|
|
116
|
+
/** Get current log file size in bytes */
|
|
117
|
+
getLogSizeBytes(): number;
|
|
118
|
+
/** Get number of rotated log files */
|
|
119
|
+
getRotatedFileCount(): number;
|
|
120
|
+
}
|
|
121
|
+
export {};
|
|
122
|
+
//# sourceMappingURL=report-agent.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"report-agent.d.ts","sourceRoot":"","sources":["../../src/agent/report-agent.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAeH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,KAAK,EACV,aAAa,EACb,cAAc,EACd,mBAAmB,EACnB,oBAAoB,EACpB,SAAS,EACV,MAAM,aAAa,CAAC;AAKrB,0CAA0C;AAC1C,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,aAAa,CAAC;IACrB,OAAO,EAAE,aAAa,CAAC;IACvB,QAAQ,EAAE,cAAc,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,qCAAqC;AACrC,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;IACvC,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACvD,YAAY,EAAE,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACvD,gBAAgB,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;CAC7E;AAED,iCAAiC;AACjC,UAAU,cAAc;IACtB,uDAAuD;IACvD,gBAAgB,EAAE,MAAM,CAAC;IACzB,2DAA2D;IAC3D,eAAe,EAAE,MAAM,CAAC;IACxB,4CAA4C;IAC5C,aAAa,EAAE,MAAM,CAAC;CACvB;AAQD;;GAEG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,IAAI,CAAY;IACxB,OAAO,CAAC,WAAW,CAAK;IACxB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiB;gBAE9B,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,CAAC,EAAE,OAAO,CAAC,cAAc,CAAC;IAahF,4BAA4B;IAC5B,OAAO,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI;IAI9B;;;OAGG;IACH,MAAM,CACJ,KAAK,EAAE,aAAa,EACpB,OAAO,EAAE,aAAa,EACtB,QAAQ,EAAE,cAAc,EACxB,QAAQ,EAAE,mBAAmB,GAC5B;QAAE,eAAe,EAAE,mBAAmB,CAAC;QAAC,cAAc,CAAC,EAAE,oBAAoB,CAAA;KAAE;IAuClF;;;;OAIG;IACH,OAAO,CAAC,cAAc;IAoCtB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAkDxB,OAAO,CAAC,SAAS;IAcjB;;;;OAIG;IACG,uBAAuB,CAAC,KAAK,EAAE,IAAI,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAgBnE;;OAEG;IACH,OAAO,CAAC,WAAW;IAwBnB;;OAEG;IACH,OAAO,CAAC,UAAU;IAgClB;;;OAGG;IACG,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAsDhE,6CAA6C;IACvC,oBAAoB,IAAI,OAAO,CAAC,aAAa,CAAC;IAIpD,4CAA4C;IACtC,qBAAqB,IAAI,OAAO,CAAC,aAAa,CAAC;IAIrD;;;OAGG;IACH,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG,aAAa;IA8CrD,gDAAgD;IAChD,OAAO,CAAC,kBAAkB;IAyB1B,OAAO,CAAC,sBAAsB;IA2B9B,6BAA6B;IAC7B,cAAc,IAAI,MAAM;IAIxB,yCAAyC;IACzC,eAAe,IAAI,MAAM;IAQzB,sCAAsC;IACtC,mBAAmB,IAAI,MAAM;CAS9B"}
|