@profullstack/threatcrush 0.1.0

package/src/commands/init.ts

@@ -0,0 +1,211 @@
+import { existsSync, mkdirSync, writeFileSync } from 'node:fs';
+import { execSync } from 'node:child_process';
+import chalk from 'chalk';
+import ora from 'ora';
+import { generateDefaultConfig, generateModuleConfig } from '../core/config.js';
+import { banner, logger } from '../core/logger.js';
+
+interface DetectedService {
+  name: string;
+  binary: string;
+  running: boolean;
+  logPath?: string;
+}
+
+const SERVICES_TO_DETECT: Array<{
+  name: string;
+  binaries: string[];
+  logPaths: string[];
+  moduleConfig: Record<string, unknown>;
+}> = [
+  {
+    name: 'sshd',
+    binaries: ['sshd'],
+    logPaths: ['/var/log/auth.log', '/var/log/secure'],
+    moduleConfig: { log_path: '/var/log/auth.log', max_failed_attempts: 5, ban_duration_minutes: 30 },
+  },
+  {
+    name: 'nginx',
+    binaries: ['nginx'],
+    logPaths: ['/var/log/nginx/access.log', '/var/log/nginx/error.log'],
+    moduleConfig: { access_log: '/var/log/nginx/access.log', error_log: '/var/log/nginx/error.log' },
+  },
+  {
+    name: 'apache',
+    binaries: ['apache2', 'httpd'],
+    logPaths: ['/var/log/apache2/access.log', '/var/log/httpd/access_log'],
+    moduleConfig: { access_log: '/var/log/apache2/access.log' },
+  },
+  {
+    name: 'postgresql',
+    binaries: ['postgres', 'postgresql'],
+    logPaths: ['/var/log/postgresql/postgresql-main.log'],
+    moduleConfig: { log_path: '/var/log/postgresql/' },
+  },
+  {
+    name: 'mysql',
+    binaries: ['mysqld', 'mariadbd'],
+    logPaths: ['/var/log/mysql/error.log', '/var/log/mariadb/mariadb.log'],
+    moduleConfig: { log_path: '/var/log/mysql/' },
+  },
+  {
+    name: 'redis',
+    binaries: ['redis-server'],
+    logPaths: ['/var/log/redis/redis-server.log'],
+    moduleConfig: { log_path: '/var/log/redis/' },
+  },
+  {
+    name: 'bind',
+    binaries: ['named', 'bind9'],
+    logPaths: ['/var/log/named/', '/var/log/bind/'],
+    moduleConfig: { log_path: '/var/log/named/' },
+  },
+];
+
+function isProcessRunning(name: string): boolean {
+  try {
+    execSync(`pgrep -x ${name}`, { stdio: 'pipe' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function binaryExists(name: string): boolean {
+  try {
+    execSync(`which ${name}`, { stdio: 'pipe' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function findLogPath(paths: string[]): string | undefined {
+  return paths.find((p) => existsSync(p));
+}
+
+export async function initCommand(): Promise<void> {
+  banner();
+  logger.info('Initializing ThreatCrush — scanning system...\n');
+
+  const spinner = ora({ text: 'Detecting services...', color: 'green' }).start();
+  const detected: DetectedService[] = [];
+
+  for (const svc of SERVICES_TO_DETECT) {
+    const foundBinary = svc.binaries.find((b) => binaryExists(b));
+    if (foundBinary) {
+      const running = svc.binaries.some((b) => isProcessRunning(b));
+      const logPath = findLogPath(svc.logPaths);
+      detected.push({
+        name: svc.name,
+        binary: foundBinary,
+        running,
+        logPath,
+      });
+    }
+  }
+
+  spinner.succeed(`Found ${detected.length} service(s)\n`);
+
+  // Print findings
+  if (detected.length === 0) {
+    console.log(chalk.yellow('  No monitored services detected on this system.'));
+    console.log(chalk.gray('  ThreatCrush will still work with manual configuration.\n'));
+  } else {
+    console.log(chalk.green.bold('  Detected Services:'));
+    console.log(chalk.gray('  ' + '─'.repeat(60)));
+    for (const svc of detected) {
+      const status = svc.running
+        ? chalk.green('● running')
+        : chalk.yellow('○ installed');
+      const log = svc.logPath
+        ? chalk.gray(` → ${svc.logPath}`)
+        : chalk.gray(' → no log found');
+      console.log(`  ${status}  ${chalk.white.bold(svc.name.padEnd(14))}${log}`);
+    }
+    console.log();
+  }
+
+  // Generate config files
+  const configDir = '/etc/threatcrush';
+  const confDDir = `${configDir}/threatcrushd.conf.d`;
+
+  const canWrite = checkWriteAccess(configDir);
+
+  if (!canWrite) {
+    console.log(chalk.yellow('  ⚠ Cannot write to /etc/threatcrush/ (run with sudo for full setup)'));
+    console.log(chalk.gray('  Printing generated configs instead:\n'));
+
+    // Print main config
+    console.log(chalk.green.bold('  Main config (/etc/threatcrush/threatcrushd.conf):'));
+    console.log(chalk.gray('  ' + '─'.repeat(60)));
+    const mainConfig = generateDefaultConfig(detected.map((d) => d.name));
+    for (const line of mainConfig.split('\n')) {
+      console.log(chalk.gray('  ') + chalk.white(line));
+    }
+    console.log();
+
+    // Print module configs
+    for (const svc of detected) {
+      const svcDef = SERVICES_TO_DETECT.find((s) => s.name === svc.name);
+      if (!svcDef) continue;
+      const modName = svc.name === 'sshd' ? 'ssh-guard' : 'log-watcher';
+      console.log(chalk.green.bold(`  Module config (${confDDir}/${modName}.conf):`));
+      const modConfig = generateModuleConfig(modName, {
+        ...svcDef.moduleConfig,
+        log_path: svc.logPath || svcDef.logPaths[0],
+      });
+      for (const line of modConfig.split('\n')) {
+        console.log(chalk.gray('  ') + chalk.white(line));
+      }
+      console.log();
+    }
+  } else {
+    const spinner2 = ora({ text: 'Writing configuration files...', color: 'green' }).start();
+
+    mkdirSync(confDDir, { recursive: true });
+    mkdirSync('/var/log/threatcrush', { recursive: true });
+    mkdirSync('/var/lib/threatcrush', { recursive: true });
+
+    // Write main config
+    const mainConfig = generateDefaultConfig(detected.map((d) => d.name));
+    writeFileSync(`${configDir}/threatcrushd.conf`, mainConfig);
+
+    // Write module configs
+    for (const svc of detected) {
+      const svcDef = SERVICES_TO_DETECT.find((s) => s.name === svc.name);
+      if (!svcDef) continue;
+      const modName = svc.name === 'sshd' ? 'ssh-guard' : 'log-watcher';
+      const modConfig = generateModuleConfig(modName, {
+        ...svcDef.moduleConfig,
+        log_path: svc.logPath || svcDef.logPaths[0],
+      });
+      writeFileSync(`${confDDir}/${modName}.conf`, modConfig);
+    }
+
+    spinner2.succeed('Configuration written successfully');
+    console.log();
+    console.log(chalk.green('  ✓ Main config:  ') + chalk.white(`${configDir}/threatcrushd.conf`));
+    console.log(chalk.green('  ✓ Module dir:   ') + chalk.white(confDDir));
+    console.log(chalk.green('  ✓ Log dir:      ') + chalk.white('/var/log/threatcrush/'));
+    console.log(chalk.green('  ✓ State dir:    ') + chalk.white('/var/lib/threatcrush/'));
+  }
+
+  console.log();
+  console.log(chalk.green('  Next steps:'));
+  console.log(chalk.gray('    1. Review and edit the config files'));
+  console.log(chalk.gray('    2. Run ') + chalk.white('threatcrush monitor') + chalk.gray(' to start monitoring'));
+  console.log(chalk.gray('    3. Run ') + chalk.white('threatcrush monitor --tui') + chalk.gray(' for the dashboard'));
+  console.log();
+}
+
+function checkWriteAccess(dir: string): boolean {
+  try {
+    if (!existsSync(dir)) {
+      mkdirSync(dir, { recursive: true });
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}

package/src/commands/modules.ts

@@ -0,0 +1,67 @@
+import chalk from 'chalk';
+import { banner } from '../core/logger.js';
+import { discoverModules } from '../core/module-loader.js';
+
+export async function modulesListCommand(): Promise<void> {
+  banner();
+
+  const modules = discoverModules();
+
+  console.log(chalk.green.bold('  Installed Modules'));
+  console.log(chalk.gray('  ' + '─'.repeat(60)));
+
+  if (modules.length === 0) {
+    console.log(chalk.gray('  No modules installed.'));
+    console.log();
+    console.log(chalk.gray('  Built-in modules will be available after running:'));
+    console.log(chalk.white('    threatcrush init'));
+    console.log();
+    console.log(chalk.gray('  Or install from the marketplace:'));
+    console.log(chalk.white('    threatcrush modules install <name>'));
+  } else {
+    console.log();
+    console.log(
+      chalk.gray('  ') +
+      chalk.white.bold('Name'.padEnd(20)) +
+      chalk.white.bold('Version'.padEnd(12)) +
+      chalk.white.bold('Status'.padEnd(12)) +
+      chalk.white.bold('Description'),
+    );
+    console.log(chalk.gray('  ' + '─'.repeat(60)));
+
+    for (const mod of modules) {
+      const enabled = mod.config.enabled !== false;
+      const status = enabled ? chalk.green('enabled') : chalk.gray('disabled');
+      console.log(
+        chalk.gray('  ') +
+        chalk.white(mod.manifest.name.padEnd(20)) +
+        chalk.gray(mod.manifest.version.padEnd(12)) +
+        status.padEnd(21) +
+        chalk.gray(mod.manifest.description || '—'),
+      );
+    }
+  }
+
+  console.log();
+}
+
+export async function modulesInstallCommand(name: string): Promise<void> {
+  banner();
+
+  console.log(chalk.green.bold('  Module Installation'));
+  console.log(chalk.gray('  ' + '─'.repeat(50)));
+  console.log();
+
+  if (name.startsWith('./') || name.startsWith('/')) {
+    console.log(chalk.yellow(`  Local module installation from: ${name}`));
+    console.log(chalk.gray('  → This feature is coming soon.'));
+  } else {
+    console.log(chalk.yellow(`  Installing module: ${chalk.white.bold(name)}`));
+    console.log();
+    console.log(chalk.gray('  Module marketplace is not yet available.'));
+    console.log(chalk.gray('  Stay tuned — module store launching soon at:'));
+    console.log(chalk.cyan('    https://threatcrush.com/modules'));
+  }
+
+  console.log();
+}

package/src/commands/monitor.ts

@@ -0,0 +1,208 @@
+import { existsSync, createReadStream, statSync } from 'node:fs';
+import { createInterface } from 'node:readline';
+import { watch } from 'node:fs';
+import chalk from 'chalk';
+import { formatEvent, logger, banner } from '../core/logger.js';
+import { autoDetectParser, detectAttackPattern, parseAuthLog, parseNginxLog } from '../core/log-parser.js';
+import { initStateDB, insertEvent } from '../core/state.js';
+import type { ThreatEvent, EventSeverity, EventCategory } from '../types/events.js';
+
+interface MonitorOptions {
+  module?: string;
+  tui?: boolean;
+}
+
+interface LogWatcher {
+  path: string;
+  name: string;
+  category: EventCategory;
+}
+
+const LOG_SOURCES: LogWatcher[] = [
+  { path: '/var/log/auth.log', name: 'ssh-guard', category: 'auth' },
+  { path: '/var/log/secure', name: 'ssh-guard', category: 'auth' },
+  { path: '/var/log/nginx/access.log', name: 'log-watcher', category: 'web' },
+  { path: '/var/log/syslog', name: 'log-watcher', category: 'system' },
+];
+
+export async function monitorCommand(options: MonitorOptions): Promise<void> {
+  if (options.tui) {
+    // Dynamic import to avoid loading blessed when not needed
+    const { startDashboard } = await import('../tui/dashboard.js');
+    await startDashboard();
+    return;
+  }
+
+  banner();
+  logger.info('Starting foreground monitor...');
+
+  const moduleFilter = options.module?.split(',').map((m) => m.trim());
+
+  // Find available log files
+  const availableSources = LOG_SOURCES.filter((s) => {
+    if (moduleFilter && !moduleFilter.includes(s.name)) return false;
+    return existsSync(s.path);
+  });
+
+  if (availableSources.length === 0) {
+    logger.warn('No log files found to monitor.');
+    logger.info('Available log paths checked:');
+    for (const s of LOG_SOURCES) {
+      const exists = existsSync(s.path);
+      console.log(`  ${exists ? chalk.green('✓') : chalk.red('✗')} ${s.path}`);
+    }
+    console.log();
+    logger.info('Starting demo mode with synthetic events...\n');
+    await runDemoMode();
+    return;
+  }
+
+  try {
+    initStateDB();
+  } catch {
+    // State DB optional for monitoring
+  }
+
+  logger.info(`Monitoring ${availableSources.length} log source(s):`);
+  for (const src of availableSources) {
+    console.log(`  ${chalk.green('●')} ${chalk.white(src.name.padEnd(14))} → ${chalk.gray(src.path)}`);
+  }
+  console.log();
+  console.log(chalk.gray('  Press Ctrl+C to stop\n'));
+
+  // Tail each log file
+  for (const src of availableSources) {
+    tailLog(src);
+  }
+
+  // Keep process alive
+  await new Promise(() => {});
+}
+
+function tailLog(source: LogWatcher): void {
+  const { path, name, category } = source;
+
+  // Start reading from end of file
+  const stat = statSync(path);
+  let position = stat.size;
+
+  const checkForNewData = () => {
+    try {
+      const currentStat = statSync(path);
+      if (currentStat.size <= position) {
+        if (currentStat.size < position) position = 0; // file rotated
+        return;
+      }
+
+      const stream = createReadStream(path, { start: position, encoding: 'utf-8' });
+      const rl = createInterface({ input: stream });
+
+      rl.on('line', (line) => {
+        if (!line.trim()) return;
+        processLine(line, name, category);
+      });
+
+      rl.on('close', () => {
+        position = currentStat.size;
+      });
+    } catch {
+      // file may not be readable
+    }
+  };
+
+  // Poll for changes (more reliable than fs.watch for log files)
+  setInterval(checkForNewData, 1000);
+}
+
+function processLine(line: string, moduleName: string, category: EventCategory): void {
+  const parsed = autoDetectParser(line);
+  if (!parsed) return;
+
+  let severity: EventSeverity = 'info';
+  let message = line;
+
+  if (parsed.source === 'auth') {
+    const authEntry = parseAuthLog(line);
+    if (!authEntry) return;
+
+    if (/failed password/i.test(authEntry.fields.message)) {
+      severity = 'high';
+      message = `Failed SSH login for ${authEntry.fields.user || 'unknown'} from ${authEntry.fields.ip || 'unknown'}`;
+    } else if (/accepted/i.test(authEntry.fields.message)) {
+      severity = 'info';
+      message = `SSH login accepted for ${authEntry.fields.user || 'unknown'}`;
+    } else if (/invalid user/i.test(authEntry.fields.message)) {
+      severity = 'high';
+      message = `Invalid SSH user attempt: ${authEntry.fields.user || 'unknown'} from ${authEntry.fields.ip || 'unknown'}`;
+    }
+  } else if (parsed.source === 'nginx') {
+    const nginxEntry = parseNginxLog(line);
+    if (!nginxEntry) return;
+
+    const status = parseInt(nginxEntry.fields.status);
+    const attack = detectAttackPattern(nginxEntry.fields.path);
+
+    if (attack) {
+      severity = 'critical';
+      message = `Attack detected [${attack.toUpperCase()}]: ${nginxEntry.fields.method} ${nginxEntry.fields.path}`;
+    } else if (status >= 500) {
+      severity = 'medium';
+      message = `Server error ${status}: ${nginxEntry.fields.method} ${nginxEntry.fields.path}`;
+    } else if (status >= 400) {
+      severity = 'low';
+      message = `Client error ${status}: ${nginxEntry.fields.method} ${nginxEntry.fields.path}`;
+    } else {
+      severity = 'info';
+      message = `${nginxEntry.fields.method} ${nginxEntry.fields.path} → ${status}`;
+    }
+  }
+
+  const event: ThreatEvent = {
+    timestamp: new Date(),
+    module: moduleName,
+    category,
+    severity,
+    message,
+    source_ip: parsed.fields.ip as string | undefined,
+  };
+
+  console.log(formatEvent(event.module, event.severity, event.message, event.source_ip));
+
+  try {
+    insertEvent(event);
+  } catch {
+    // State DB may not be available
+  }
+}
+
+async function runDemoMode(): Promise<void> {
+  const demoEvents: Array<Omit<ThreatEvent, 'timestamp'>> = [
+    { module: 'ssh-guard', category: 'auth', severity: 'info', message: 'SSH login accepted for ubuntu', source_ip: '10.0.0.1' },
+    { module: 'log-watcher', category: 'web', severity: 'info', message: 'GET /api/health → 200', source_ip: '172.16.0.50' },
+    { module: 'ssh-guard', category: 'auth', severity: 'high', message: 'Failed SSH login for root', source_ip: '45.33.22.11' },
+    { module: 'log-watcher', category: 'web', severity: 'low', message: 'GET /admin → 404', source_ip: '91.121.44.55' },
+    { module: 'ssh-guard', category: 'auth', severity: 'high', message: 'Failed SSH login for admin', source_ip: '45.33.22.11' },
+    { module: 'log-watcher', category: 'web', severity: 'critical', message: 'Attack detected [SQLI]: GET /search?q=1%27+OR+1%3D1', source_ip: '185.220.101.44' },
+    { module: 'log-watcher', category: 'web', severity: 'medium', message: 'Server error 502: GET /api/users', source_ip: '10.0.0.2' },
+    { module: 'ssh-guard', category: 'auth', severity: 'high', message: 'Invalid SSH user attempt: admin123', source_ip: '103.77.88.99' },
+    { module: 'log-watcher', category: 'web', severity: 'critical', message: 'Attack detected [PATH_TRAVERSAL]: GET /../../etc/passwd', source_ip: '185.220.101.44' },
+    { module: 'ssh-guard', category: 'auth', severity: 'high', message: 'Brute force detected — 6 failures in 45s', source_ip: '45.33.22.11' },
+    { module: 'log-watcher', category: 'system', severity: 'medium', message: 'Unusual outbound connection to 198.51.100.1:4444', source_ip: '198.51.100.1' },
+    { module: 'log-watcher', category: 'web', severity: 'info', message: 'GET /index.html → 200', source_ip: '172.16.0.51' },
+  ];
+
+  let i = 0;
+  const interval = setInterval(() => {
+    const event = demoEvents[i % demoEvents.length];
+    console.log(formatEvent(event.module, event.severity, event.message, event.source_ip));
+    i++;
+  }, 1500 + Math.random() * 2000);
+
+  process.on('SIGINT', () => {
+    clearInterval(interval);
+    console.log(chalk.gray('\n  Monitor stopped.'));
+    process.exit(0);
+  });
+
+  await new Promise(() => {});
+}