clawsec 0.0.1

package/dist/src/detectors/exfiltration/http-detector.js

@@ -0,0 +1,429 @@
+/**
+ * HTTP Exfiltration Detector
+ * Detects HTTP POST/PUT requests that send data to external destinations
+ */
+/**
+ * curl patterns for sending data via POST/PUT
+ */
+const CURL_POST_PATTERNS = [
+    // curl -X PUT with data (check PUT first to avoid POST matching)
+    {
+        pattern: /\bcurl\s+(?:[^|;]+\s+)?(?:-X\s+PUT|-X\s*=?\s*PUT|--request\s+PUT|--request\s*=\s*PUT)\s+(?:[^|;]+\s+)?(?:-d|--data|--data-binary|--data-raw|--data-urlencode|-F|--form)\s+(?:["']?)([^"'\s][^|;]*)/i,
+        method: 'PUT',
+        description: 'curl PUT with data',
+    },
+    // curl -X POST with data flags
+    {
+        pattern: /\bcurl\s+(?:[^|;]+\s+)?(?:-X\s+POST|-X\s*=?\s*POST|--request\s+POST|--request\s*=\s*POST)\s+(?:[^|;]+\s+)?(?:-d|--data|--data-binary|--data-raw|--data-urlencode|-F|--form)\s+(?:["']?)([^"'\s][^|;]*)/i,
+        method: 'POST',
+        description: 'curl POST with data',
+    },
+    // curl with data flags (POST is implicit) - but NOT if -X PUT is present
+    {
+        pattern: /\bcurl\s+(?!.*-X\s+PUT)(?:[^|;]+\s+)?(?:-d|--data|--data-binary|--data-raw|--data-urlencode)\s+(?:["']?)([^"'\s][^|;]*)/i,
+        method: 'POST',
+        description: 'curl with data (implicit POST)',
+    },
+    // curl with -T (upload file)
+    {
+        pattern: /\bcurl\s+(?:[^|;]+\s+)?(?:-T|--upload-file)\s+(?:["']?)([^\s"']+)/i,
+        method: 'PUT',
+        description: 'curl file upload',
+    },
+    // curl with form file upload
+    {
+        pattern: /\bcurl\s+(?:[^|;]+\s+)?(?:-F|--form)\s+(?:["']?)([^"'\s]*@[^\s"';|]+)/i,
+        method: 'POST',
+        description: 'curl form file upload',
+    },
+];
+/**
+ * wget patterns for sending data
+ */
+const WGET_POST_PATTERNS = [
+    // wget --post-data
+    {
+        pattern: /\bwget\s+(?:[^|;]+\s+)?(?:--post-data)\s*=?\s*(?:["']?)([^"'\s][^|;]*)/i,
+        method: 'POST',
+        description: 'wget POST with data',
+    },
+    // wget --post-file
+    {
+        pattern: /\bwget\s+(?:[^|;]+\s+)?(?:--post-file)\s*=?\s*(?:["']?)([^\s"']+)/i,
+        method: 'POST',
+        description: 'wget POST file',
+    },
+];
+/**
+ * httpie patterns (http/https commands)
+ */
+const HTTPIE_PATTERNS = [
+    // http POST with data
+    {
+        pattern: /\bhttps?\s+POST\s+(\S+)\s+.*(?:=|:=|@)/i,
+        method: 'POST',
+        description: 'httpie POST with data',
+    },
+    // http PUT with data
+    {
+        pattern: /\bhttps?\s+PUT\s+(\S+)\s+.*(?:=|:=|@)/i,
+        method: 'PUT',
+        description: 'httpie PUT with data',
+    },
+];
+/**
+ * Code patterns for HTTP exfiltration (fetch, axios, requests, etc.)
+ */
+const CODE_HTTP_PATTERNS = [
+    // JavaScript fetch with POST/PUT
+    {
+        pattern: /\bfetch\s*\(\s*["'`]([^"'`]+)["'`]\s*,\s*\{[^}]*method\s*:\s*["'`](POST|PUT)["'`][^}]*body\s*:/i,
+        method: 'POST',
+        description: 'fetch with POST/PUT and body',
+    },
+    {
+        pattern: /\bfetch\s*\(\s*["'`]([^"'`]+)["'`]\s*,\s*\{[^}]*body\s*:[^}]*method\s*:\s*["'`](POST|PUT)["'`]/i,
+        method: 'POST',
+        description: 'fetch with body and POST/PUT',
+    },
+    // axios.post/put
+    {
+        pattern: /\baxios\s*\.\s*(post|put)\s*\(\s*["'`]([^"'`]+)["'`]/i,
+        method: 'POST',
+        description: 'axios POST/PUT',
+    },
+    // Python requests.post/put
+    {
+        pattern: /\brequests\s*\.\s*(post|put)\s*\(\s*["'`]([^"'`]+)["'`]/i,
+        method: 'POST',
+        description: 'Python requests POST/PUT',
+    },
+    // Python httpx.post/put
+    {
+        pattern: /\bhttpx\s*\.\s*(post|put)\s*\(\s*["'`]([^"'`]+)["'`]/i,
+        method: 'POST',
+        description: 'Python httpx POST/PUT',
+    },
+    // Python urllib with POST data
+    {
+        pattern: /\burllib\s*\.\s*request\s*\.\s*urlopen\s*\([^)]*data\s*=/i,
+        method: 'POST',
+        description: 'Python urllib with POST data',
+    },
+    // Node.js http.request with POST
+    {
+        pattern: /\bhttp[s]?\s*\.\s*request\s*\([^)]*method\s*:\s*["'`](POST|PUT)["'`]/i,
+        method: 'POST',
+        description: 'Node http.request POST',
+    },
+    // Ruby Net::HTTP.post/put
+    {
+        pattern: /\bNet::HTTP\s*\.\s*(post|put|post_form)\s*\(/i,
+        method: 'POST',
+        description: 'Ruby Net::HTTP POST',
+    },
+    // Go http.Post/PostForm
+    {
+        pattern: /\bhttp\s*\.\s*(Post|PostForm|NewRequest\s*\([^)]*"(POST|PUT)")/i,
+        method: 'POST',
+        description: 'Go http POST',
+    },
+    // PowerShell Invoke-WebRequest/RestMethod with POST
+    {
+        pattern: /\bInvoke-(?:WebRequest|RestMethod)\s+(?:[^|;]+\s+)?-Method\s+(POST|PUT)\s+(?:[^|;]+\s+)?-Body\s+/i,
+        method: 'POST',
+        description: 'PowerShell POST with body',
+    },
+];
+/**
+ * Encoded exfiltration patterns (piping encoded data to HTTP tools)
+ */
+const ENCODED_EXFIL_PATTERNS = [
+    // base64 | curl
+    {
+        pattern: /\bbase64\s+(?:[^|]+)?\|\s*curl\b/i,
+        method: 'POST',
+        description: 'base64 encoded data to curl',
+    },
+    // gzip/compress | curl
+    {
+        pattern: /\b(?:gzip|bzip2|xz|compress|tar)\s+(?:[^|]+)?\|\s*curl\b/i,
+        method: 'POST',
+        description: 'compressed data to curl',
+    },
+    // openssl enc | curl
+    {
+        pattern: /\bopenssl\s+enc\s+(?:[^|]+)?\|\s*curl\b/i,
+        method: 'POST',
+        description: 'encrypted data to curl',
+    },
+    // xxd/hexdump | curl
+    {
+        pattern: /\b(?:xxd|hexdump|od)\s+(?:[^|]+)?\|\s*curl\b/i,
+        method: 'POST',
+        description: 'hex encoded data to curl',
+    },
+    // Any pipe to curl with POST
+    {
+        pattern: /\|\s*curl\s+(?:[^|;]+\s+)?(?:-X\s+POST|--data|--data-binary|-d)/i,
+        method: 'POST',
+        description: 'piped data to curl POST',
+    },
+];
+/**
+ * Extract URL from curl/wget command
+ */
+function extractUrl(command) {
+    // Try to find URL in the command
+    const urlPatterns = [
+        /\bhttps?:\/\/[^\s"'<>]+/i,
+        /\bftp:\/\/[^\s"'<>]+/i,
+    ];
+    for (const pattern of urlPatterns) {
+        const match = command.match(pattern);
+        if (match) {
+            return match[0];
+        }
+    }
+    return undefined;
+}
+/**
+ * Extract data source from command
+ */
+function extractDataSource(command) {
+    // Look for file references
+    const filePatterns = [
+        /-d\s*@([^\s"']+)/i, // curl -d @file
+        /--data-binary\s*@([^\s"']+)/i, // curl --data-binary @file
+        /-F\s*[^@]*@([^\s"';]+)/i, // curl -F file=@path
+        /-T\s*([^\s"']+)/i, // curl -T file
+        /--post-file\s*=?\s*([^\s"']+)/i, // wget --post-file
+        /--upload-file\s*([^\s"']+)/i, // curl --upload-file
+    ];
+    for (const pattern of filePatterns) {
+        const match = command.match(pattern);
+        if (match) {
+            return match[1];
+        }
+    }
+    // Look for piped input
+    if (command.includes('|')) {
+        const pipeMatch = command.match(/([^|]+)\s*\|\s*(?:curl|wget)/i);
+        if (pipeMatch) {
+            return `piped from: ${pipeMatch[1].trim().substring(0, 50)}`;
+        }
+    }
+    return undefined;
+}
+/**
+ * Match curl POST/PUT commands
+ */
+export function matchCurlCommand(command) {
+    for (const { pattern, method, description } of CURL_POST_PATTERNS) {
+        const match = command.match(pattern);
+        if (match) {
+            return {
+                matched: true,
+                command,
+                httpMethod: method,
+                destination: extractUrl(command),
+                dataSource: extractDataSource(command),
+                confidence: 0.9,
+                description,
+            };
+        }
+    }
+    return { matched: false, confidence: 0 };
+}
+/**
+ * Match wget POST commands
+ */
+export function matchWgetCommand(command) {
+    for (const { pattern, method, description } of WGET_POST_PATTERNS) {
+        const match = command.match(pattern);
+        if (match) {
+            return {
+                matched: true,
+                command,
+                httpMethod: method,
+                destination: extractUrl(command),
+                dataSource: match[1] || extractDataSource(command),
+                confidence: 0.9,
+                description,
+            };
+        }
+    }
+    return { matched: false, confidence: 0 };
+}
+/**
+ * Match httpie commands
+ */
+export function matchHttpieCommand(command) {
+    for (const { pattern, method, description } of HTTPIE_PATTERNS) {
+        const match = command.match(pattern);
+        if (match) {
+            return {
+                matched: true,
+                command,
+                httpMethod: method,
+                destination: match[1],
+                confidence: 0.85,
+                description,
+            };
+        }
+    }
+    return { matched: false, confidence: 0 };
+}
+/**
+ * Match HTTP client library patterns in code
+ */
+export function matchCodeHttpPattern(code) {
+    for (const { pattern, method, description } of CODE_HTTP_PATTERNS) {
+        const match = code.match(pattern);
+        if (match) {
+            // Extract URL from the match
+            const url = match[2] || match[1];
+            return {
+                matched: true,
+                command: code,
+                httpMethod: typeof match[1] === 'string' && ['post', 'put'].includes(match[1].toLowerCase())
+                    ? match[1].toUpperCase()
+                    : method,
+                destination: url?.startsWith('http') ? url : undefined,
+                confidence: 0.85,
+                description,
+            };
+        }
+    }
+    return { matched: false, confidence: 0 };
+}
+/**
+ * Match encoded exfiltration patterns
+ */
+export function matchEncodedExfiltration(command) {
+    for (const { pattern, method, description } of ENCODED_EXFIL_PATTERNS) {
+        const match = command.match(pattern);
+        if (match) {
+            return {
+                matched: true,
+                command,
+                httpMethod: method,
+                destination: extractUrl(command),
+                dataSource: extractDataSource(command) || 'encoded/piped data',
+                confidence: 0.95, // Higher confidence for encoded exfiltration
+                description,
+            };
+        }
+    }
+    return { matched: false, confidence: 0 };
+}
+/**
+ * Comprehensive HTTP exfiltration matching
+ */
+export function matchHttpExfiltration(text) {
+    // Try encoded exfiltration first (highest confidence)
+    const encodedResult = matchEncodedExfiltration(text);
+    if (encodedResult.matched) {
+        return encodedResult;
+    }
+    // Try curl
+    const curlResult = matchCurlCommand(text);
+    if (curlResult.matched) {
+        return curlResult;
+    }
+    // Try wget
+    const wgetResult = matchWgetCommand(text);
+    if (wgetResult.matched) {
+        return wgetResult;
+    }
+    // Try httpie
+    const httpieResult = matchHttpieCommand(text);
+    if (httpieResult.matched) {
+        return httpieResult;
+    }
+    // Try code patterns
+    const codeResult = matchCodeHttpPattern(text);
+    if (codeResult.matched) {
+        return codeResult;
+    }
+    return { matched: false, confidence: 0 };
+}
+/**
+ * HTTP exfiltration detector class
+ */
+export class HttpDetector {
+    severity;
+    constructor(severity = 'high') {
+        this.severity = severity;
+    }
+    /**
+     * Extract text content from tool context
+     */
+    extractContent(context) {
+        const input = context.toolInput;
+        // Direct command field
+        if (typeof input.command === 'string') {
+            return input.command;
+        }
+        // Shell/bash command field
+        if (typeof input.shell === 'string') {
+            return input.shell;
+        }
+        if (typeof input.bash === 'string') {
+            return input.bash;
+        }
+        // Script field
+        if (typeof input.script === 'string') {
+            return input.script;
+        }
+        // Code field
+        if (typeof input.code === 'string') {
+            return input.code;
+        }
+        // Text content
+        if (typeof input.text === 'string') {
+            return input.text;
+        }
+        // Content field
+        if (typeof input.content === 'string') {
+            return input.content;
+        }
+        // Body field (for write operations)
+        if (typeof input.body === 'string') {
+            return input.body;
+        }
+        return null;
+    }
+    detect(context) {
+        const content = this.extractContent(context);
+        if (!content) {
+            return null;
+        }
+        const result = matchHttpExfiltration(content);
+        if (!result.matched) {
+            return null;
+        }
+        const destInfo = result.destination ? ` to ${result.destination}` : '';
+        const dataInfo = result.dataSource ? ` (${result.dataSource})` : '';
+        return {
+            detected: true,
+            category: 'exfiltration',
+            severity: this.severity,
+            confidence: result.confidence,
+            reason: `HTTP exfiltration detected: ${result.description || `${result.httpMethod} request`}${destInfo}${dataInfo}`,
+            metadata: {
+                method: 'http',
+                destination: result.destination,
+                dataSource: result.dataSource,
+                command: result.command,
+            },
+        };
+    }
+}
+/**
+ * Create an HTTP detector with the given severity
+ */
+export function createHttpDetector(severity = 'high') {
+    return new HttpDetector(severity);
+}
+//# sourceMappingURL=http-detector.js.map

package/dist/src/detectors/exfiltration/http-detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-detector.js","sourceRoot":"","sources":["../../../../src/detectors/exfiltration/http-detector.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAUH;;GAEG;AACH,MAAM,kBAAkB,GAAG;IACzB,iEAAiE;IACjE;QACE,OAAO,EAAE,qMAAqM;QAC9M,MAAM,EAAE,KAAK;QACb,WAAW,EAAE,oBAAoB;KAClC;IACD,+BAA+B;IAC/B;QACE,OAAO,EAAE,yMAAyM;QAClN,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,qBAAqB;KACnC;IACD,yEAAyE;IACzE;QACE,OAAO,EAAE,0HAA0H;QACnI,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,gCAAgC;KAC9C;IACD,6BAA6B;IAC7B;QACE,OAAO,EAAE,oEAAoE;QAC7E,MAAM,EAAE,KAAK;QACb,WAAW,EAAE,kBAAkB;KAChC;IACD,6BAA6B;IAC7B;QACE,OAAO,EAAE,wEAAwE;QACjF,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,uBAAuB;KACrC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,kBAAkB,GAAG;IACzB,mBAAmB;IACnB;QACE,OAAO,EAAE,yEAAyE;QAClF,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,qBAAqB;KACnC;IACD,mBAAmB;IACnB;QACE,OAAO,EAAE,oEAAoE;QAC7E,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,gBAAgB;KAC9B;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,eAAe,GAAG;IACtB,sBAAsB;IACtB;QACE,OAAO,EAAE,yCAAyC;QAClD,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,uBAAuB;KACrC;IACD,qBAAqB;IACrB;QACE,OAAO,EAAE,wCAAwC;QACjD,MAAM,EAAE,KAAK;QACb,WAAW,EAAE,sBAAsB;KACpC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,kBAAkB,GAAG;IACzB,iCAAiC;IACjC;QACE,OAAO,EAAE,iGAAiG;QAC1G,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,8BAA8B;KAC5C;IACD;QACE,OAAO,EAAE,iGAAiG;QAC1G,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,8BAA8B;KAC5C;IACD,iBAAiB;IACjB;QACE,OAAO,EAAE,uDAAuD;QAChE,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,gBAAgB;KAC9B;IACD,2BAA2B;IAC3B;QACE,OAAO,EAAE,0DAA0D;QACnE,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,0BAA0B;KACxC;IACD,wBAAwB;IACxB;QACE,OAAO,EAAE,uDAAuD;QAChE,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,uBAAuB;KACrC;IACD,+BAA+B;IAC/B;QACE,OAAO,EAAE,2DAA2D;QACpE,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,8BAA8B;KAC5C;IACD,iCAAiC;IACjC;QACE,OAAO,EAAE,uEAAuE;QAChF,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,wBAAwB;KACtC;IACD,0BAA0B;IAC1B;QACE,OAAO,EAAE,+CAA+C;QACxD,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,qBAAqB;KACnC;IACD,wBAAwB;IACxB;QACE,OAAO,EAAE,iEAAiE;QAC1E,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,cAAc;KAC5B;IACD,oDAAoD;IACpD;QACE,OAAO,EAAE,mGAAmG;QAC5G,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,2BAA2B;KACzC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,sBAAsB,GAAG;IAC7B,gBAAgB;IAChB;QACE,OAAO,EAAE,mCAAmC;QAC5C,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,6BAA6B;KAC3C;IACD,uBAAuB;IACvB;QACE,OAAO,EAAE,2DAA2D;QACpE,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,yBAAyB;KACvC;IACD,qBAAqB;IACrB;QACE,OAAO,EAAE,0CAA0C;QACnD,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,wBAAwB;KACtC;IACD,qBAAqB;IACrB;QACE,OAAO,EAAE,+CAA+C;QACxD,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,0BAA0B;KACxC;IACD,6BAA6B;IAC7B;QACE,OAAO,EAAE,kEAAkE;QAC3E,MAAM,EAAE,MAAM;QACd,WAAW,EAAE,yBAAyB;KACvC;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,UAAU,CAAC,OAAe;IACjC,iCAAiC;IACjC,MAAM,WAAW,GAAG;QAClB,0BAA0B;QAC1B,uBAAuB;KACxB,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,OAAe;IACxC,2BAA2B;IAC3B,MAAM,YAAY,GAAG;QACnB,mBAAmB,EAAY,gBAAgB;QAC/C,8BAA8B,EAAE,2BAA2B;QAC3D,yBAAyB,EAAO,qBAAqB;QACrD,kBAAkB,EAAc,eAAe;QAC/C,gCAAgC,EAAE,mBAAmB;QACrD,6BAA6B,EAAG,qBAAqB;KACtD,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACjE,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,eAAe,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;QAC/D,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe;IAC9C,KAAK,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,IAAI,kBAAkB,EAAE,CAAC;QAClE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO;gBACP,UAAU,EAAE,MAAM;gBAClB,WAAW,EAAE,UAAU,CAAC,OAAO,CAAC;gBAChC,UAAU,EAAE,iBAAiB,CAAC,OAAO,CAAC;gBACtC,UAAU,EAAE,GAAG;gBACf,WAAW;aACZ,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe;IAC9C,KAAK,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,IAAI,kBAAkB,EAAE,CAAC;QAClE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO;gBACP,UAAU,EAAE,MAAM;gBAClB,WAAW,EAAE,UAAU,CAAC,OAAO,CAAC;gBAChC,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,iBAAiB,CAAC,OAAO,CAAC;gBAClD,UAAU,EAAE,GAAG;gBACf,WAAW;aACZ,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,KAAK,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,IAAI,eAAe,EAAE,CAAC;QAC/D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO;gBACP,UAAU,EAAE,MAAM;gBAClB,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC;gBACrB,UAAU,EAAE,IAAI;gBAChB,WAAW;aACZ,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,IAAY;IAC/C,KAAK,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,IAAI,kBAAkB,EAAE,CAAC;QAClE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAClC,IAAI,KAAK,EAAE,CAAC;YACV,6BAA6B;YAC7B,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC;YACjC,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,IAAI;gBACb,UAAU,EAAE,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;oBAC1F,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE;oBACxB,CAAC,CAAC,MAAM;gBACV,WAAW,EAAE,GAAG,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;gBACtD,UAAU,EAAE,IAAI;gBAChB,WAAW;aACZ,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB,CAAC,OAAe;IACtD,KAAK,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,IAAI,sBAAsB,EAAE,CAAC;QACtE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO;gBACP,UAAU,EAAE,MAAM;gBAClB,WAAW,EAAE,UAAU,CAAC,OAAO,CAAC;gBAChC,UAAU,EAAE,iBAAiB,CAAC,OAAO,CAAC,IAAI,oBAAoB;gBAC9D,UAAU,EAAE,IAAI,EAAE,6CAA6C;gBAC/D,WAAW;aACZ,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAY;IAChD,sDAAsD;IACtD,MAAM,aAAa,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC;IACrD,IAAI,aAAa,CAAC,OAAO,EAAE,CAAC;QAC1B,OAAO,aAAa,CAAC;IACvB,CAAC;IAED,WAAW;IACX,MAAM,UAAU,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IAC1C,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;QACvB,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,WAAW;IACX,MAAM,UAAU,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IAC1C,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;QACvB,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,aAAa;IACb,MAAM,YAAY,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;IAC9C,IAAI,YAAY,CAAC,OAAO,EAAE,CAAC;QACzB,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,oBAAoB;IACpB,MAAM,UAAU,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;IAC9C,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;QACvB,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,YAAY;IACf,QAAQ,CAAW;IAE3B,YAAY,WAAqB,MAAM;QACrC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,OAAyB;QAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,SAAS,CAAC;QAEhC,uBAAuB;QACvB,IAAI,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;YACtC,OAAO,KAAK,CAAC,OAAO,CAAC;QACvB,CAAC;QAED,2BAA2B;QAC3B,IAAI,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACpC,OAAO,KAAK,CAAC,KAAK,CAAC;QACrB,CAAC;QAED,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACnC,OAAO,KAAK,CAAC,IAAI,CAAC;QACpB,CAAC;QAED,eAAe;QACf,IAAI,OAAO,KAAK,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YACrC,OAAO,KAAK,CAAC,MAAM,CAAC;QACtB,CAAC;QAED,aAAa;QACb,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACnC,OAAO,KAAK,CAAC,IAAI,CAAC;QACpB,CAAC;QAED,eAAe;QACf,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACnC,OAAO,KAAK,CAAC,IAAI,CAAC;QACpB,CAAC;QAED,gBAAgB;QAChB,IAAI,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;YACtC,OAAO,KAAK,CAAC,OAAO,CAAC;QACvB,CAAC;QAED,oCAAoC;QACpC,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACnC,OAAO,KAAK,CAAC,IAAI,CAAC;QACpB,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,OAAyB;QAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QAC7C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAE9C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,OAAO,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACvE,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAEpE,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,QAAQ,EAAE,cAAc;YACxB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,MAAM,EAAE,+BAA+B,MAAM,CAAC,WAAW,IAAI,GAAG,MAAM,CAAC,UAAU,UAAU,GAAG,QAAQ,GAAG,QAAQ,EAAE;YACnH,QAAQ,EAAE;gBACR,MAAM,EAAE,MAAM;gBACd,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,OAAO,EAAE,MAAM,CAAC,OAAO;aACxB;SACF,CAAC;IACJ,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,WAAqB,MAAM;IAC5D,OAAO,IAAI,YAAY,CAAC,QAAQ,CAAC,CAAC;AACpC,CAAC"}

package/dist/src/detectors/exfiltration/index.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Exfiltration Detector
+ * Main export for detecting data exfiltration attempts via HTTP, cloud, and network methods
+ */
+export type { DetectionContext, ExfiltrationMethod, ExfiltrationDetectionResult, ExfiltrationDetectorConfig, ExfiltrationDetector as IExfiltrationDetector, SubDetector, HttpMatchResult, CloudUploadMatchResult, NetworkMatchResult, } from './types.js';
+export { HttpDetector, createHttpDetector, matchCurlCommand, matchWgetCommand, matchHttpieCommand, matchCodeHttpPattern, matchEncodedExfiltration, matchHttpExfiltration, } from './http-detector.js';
+export { CloudUploadDetector, createCloudUploadDetector, matchAwsS3Upload, matchGcpUpload, matchAzureUpload, matchRcloneUpload, matchOtherCloudUpload, matchCloudSdkUpload, matchCloudUpload, } from './cloud-detector.js';
+export { NetworkDetector, createNetworkDetector, matchNetcatCommand, matchDevTcpPattern, matchSocatCommand, matchTelnetCommand, matchSshExfiltration, matchDnsExfiltration, matchOtherNetworkPattern, matchNetworkExfiltration, } from './network-detector.js';
+import type { DetectionContext, ExfiltrationDetectionResult, ExfiltrationDetectorConfig, ExfiltrationDetector } from './types.js';
+import type { ExfiltrationRule } from '../../config/index.js';
+/**
+ * Main exfiltration detector implementation
+ */
+export declare class ExfiltrationDetectorImpl implements ExfiltrationDetector {
+    private config;
+    private httpDetector;
+    private cloudDetector;
+    private networkDetector;
+    constructor(config: ExfiltrationDetectorConfig);
+    detect(context: DetectionContext): Promise<ExfiltrationDetectionResult>;
+    /**
+     * Get the configured action for detected exfiltration
+     */
+    getAction(): "block" | "confirm" | "agent-confirm" | "warn" | "log";
+    /**
+     * Check if the detector is enabled
+     */
+    isEnabled(): boolean;
+}
+/**
+ * Create an exfiltration detector from configuration
+ */
+export declare function createExfiltrationDetector(config: ExfiltrationDetectorConfig | ExfiltrationRule): ExfiltrationDetectorImpl;
+/**
+ * Create a default exfiltration detector with standard settings
+ */
+export declare function createDefaultExfiltrationDetector(): ExfiltrationDetectorImpl;
+declare const _default: {
+    ExfiltrationDetectorImpl: typeof ExfiltrationDetectorImpl;
+    createExfiltrationDetector: typeof createExfiltrationDetector;
+    createDefaultExfiltrationDetector: typeof createDefaultExfiltrationDetector;
+};
+export default _default;
+//# sourceMappingURL=index.d.ts.map

package/dist/src/detectors/exfiltration/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/detectors/exfiltration/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,YAAY,EACV,gBAAgB,EAChB,kBAAkB,EAClB,2BAA2B,EAC3B,0BAA0B,EAC1B,oBAAoB,IAAI,qBAAqB,EAC7C,WAAW,EACX,eAAe,EACf,sBAAsB,EACtB,kBAAkB,GACnB,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,oBAAoB,EACpB,wBAAwB,EACxB,qBAAqB,GACtB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,mBAAmB,EACnB,yBAAyB,EACzB,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,iBAAiB,EACjB,qBAAqB,EACrB,mBAAmB,EACnB,gBAAgB,GACjB,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,kBAAkB,EAClB,oBAAoB,EACpB,oBAAoB,EACpB,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,KAAK,EACV,gBAAgB,EAChB,2BAA2B,EAC3B,0BAA0B,EAC1B,oBAAoB,EACrB,MAAM,YAAY,CAAC;AAIpB,OAAO,KAAK,EAAY,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAqDxE;;GAEG;AACH,qBAAa,wBAAyB,YAAW,oBAAoB;IACnE,OAAO,CAAC,MAAM,CAA6B;IAC3C,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,aAAa,CAAsB;IAC3C,OAAO,CAAC,eAAe,CAAkB;gBAE7B,MAAM,EAAE,0BAA0B;IASxC,MAAM,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,2BAA2B,CAAC;IAqB7E;;OAEG;IACH,SAAS;IAIT;;OAEG;IACH,SAAS,IAAI,OAAO;CAGrB;AAED;;GAEG;AACH,wBAAgB,0BAA0B,CACxC,MAAM,EAAE,0BAA0B,GAAG,gBAAgB,GACpD,wBAAwB,CAE1B;AAED;;GAEG;AACH,wBAAgB,iCAAiC,IAAI,wBAAwB,CAM5E;;;;;;AAGD,wBAIE"}

package/dist/src/detectors/exfiltration/index.js

@@ -0,0 +1,118 @@
+/**
+ * Exfiltration Detector
+ * Main export for detecting data exfiltration attempts via HTTP, cloud, and network methods
+ */
+// Re-export HTTP detector
+export { HttpDetector, createHttpDetector, matchCurlCommand, matchWgetCommand, matchHttpieCommand, matchCodeHttpPattern, matchEncodedExfiltration, matchHttpExfiltration, } from './http-detector.js';
+// Re-export cloud upload detector
+export { CloudUploadDetector, createCloudUploadDetector, matchAwsS3Upload, matchGcpUpload, matchAzureUpload, matchRcloneUpload, matchOtherCloudUpload, matchCloudSdkUpload, matchCloudUpload, } from './cloud-detector.js';
+// Re-export network detector
+export { NetworkDetector, createNetworkDetector, matchNetcatCommand, matchDevTcpPattern, matchSocatCommand, matchTelnetCommand, matchSshExfiltration, matchDnsExfiltration, matchOtherNetworkPattern, matchNetworkExfiltration, } from './network-detector.js';
+import { createHttpDetector } from './http-detector.js';
+import { createCloudUploadDetector } from './cloud-detector.js';
+import { createNetworkDetector } from './network-detector.js';
+/**
+ * Create a no-detection result
+ */
+function noDetection(severity) {
+    return {
+        detected: false,
+        category: 'exfiltration',
+        severity,
+        confidence: 0,
+        reason: 'No exfiltration detected',
+    };
+}
+/**
+ * Combine results from multiple sub-detectors
+ */
+function combineResults(results, defaultSeverity) {
+    // Filter out null results
+    const validResults = results.filter((r) => r !== null && r.detected);
+    if (validResults.length === 0) {
+        return noDetection(defaultSeverity);
+    }
+    // Sort by confidence (highest first)
+    validResults.sort((a, b) => b.confidence - a.confidence);
+    // Take the highest confidence result
+    const best = validResults[0];
+    // Boost confidence if multiple detectors matched
+    let confidence = best.confidence;
+    if (validResults.length > 1) {
+        // Boost by 5% for each additional detection, max 0.99
+        confidence = Math.min(0.99, confidence + (validResults.length - 1) * 0.05);
+    }
+    return {
+        ...best,
+        confidence,
+        reason: validResults.length > 1
+            ? `${best.reason} (confirmed by ${validResults.length} detection methods)`
+            : best.reason,
+    };
+}
+/**
+ * Main exfiltration detector implementation
+ */
+export class ExfiltrationDetectorImpl {
+    config;
+    httpDetector;
+    cloudDetector;
+    networkDetector;
+    constructor(config) {
+        this.config = config;
+        // Initialize sub-detectors
+        this.httpDetector = createHttpDetector(config.severity);
+        this.cloudDetector = createCloudUploadDetector(config.severity);
+        this.networkDetector = createNetworkDetector(config.severity);
+    }
+    async detect(context) {
+        // Check if detector is enabled
+        if (!this.config.enabled) {
+            return noDetection(this.config.severity);
+        }
+        const results = [];
+        // Run HTTP detector
+        results.push(this.httpDetector.detect(context));
+        // Run cloud upload detector
+        results.push(this.cloudDetector.detect(context));
+        // Run network detector
+        results.push(this.networkDetector.detect(context));
+        // Combine results
+        return combineResults(results, this.config.severity);
+    }
+    /**
+     * Get the configured action for detected exfiltration
+     */
+    getAction() {
+        return this.config.action;
+    }
+    /**
+     * Check if the detector is enabled
+     */
+    isEnabled() {
+        return this.config.enabled;
+    }
+}
+/**
+ * Create an exfiltration detector from configuration
+ */
+export function createExfiltrationDetector(config) {
+    return new ExfiltrationDetectorImpl(config);
+}
+/**
+ * Create a default exfiltration detector with standard settings
+ */
+export function createDefaultExfiltrationDetector() {
+    return new ExfiltrationDetectorImpl({
+        enabled: true,
+        severity: 'high',
+        action: 'block',
+    });
+}
+// Default export
+export default {
+    ExfiltrationDetectorImpl,
+    createExfiltrationDetector,
+    createDefaultExfiltrationDetector,
+};
+//# sourceMappingURL=index.js.map

package/dist/src/detectors/exfiltration/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/detectors/exfiltration/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAeH,0BAA0B;AAC1B,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,oBAAoB,EACpB,wBAAwB,EACxB,qBAAqB,GACtB,MAAM,oBAAoB,CAAC;AAE5B,kCAAkC;AAClC,OAAO,EACL,mBAAmB,EACnB,yBAAyB,EACzB,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,iBAAiB,EACjB,qBAAqB,EACrB,mBAAmB,EACnB,gBAAgB,GACjB,MAAM,qBAAqB,CAAC;AAE7B,6BAA6B;AAC7B,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,kBAAkB,EAClB,oBAAoB,EACpB,oBAAoB,EACpB,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,uBAAuB,CAAC;AAQ/B,OAAO,EAAgB,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAuB,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AACrF,OAAO,EAAmB,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AAG/E;;GAEG;AACH,SAAS,WAAW,CAAC,QAAkB;IACrC,OAAO;QACL,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,cAAc;QACxB,QAAQ;QACR,UAAU,EAAE,CAAC;QACb,MAAM,EAAE,0BAA0B;KACnC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CACrB,OAA+C,EAC/C,eAAyB;IAEzB,0BAA0B;IAC1B,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CACjC,CAAC,CAAC,EAAoC,EAAE,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,QAAQ,CAClE,CAAC;IAEF,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,OAAO,WAAW,CAAC,eAAe,CAAC,CAAC;IACtC,CAAC;IAED,qCAAqC;IACrC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC;IAEzD,qCAAqC;IACrC,MAAM,IAAI,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;IAE7B,iDAAiD;IACjD,IAAI,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;IACjC,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,sDAAsD;QACtD,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,GAAG,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAC7E,CAAC;IAED,OAAO;QACL,GAAG,IAAI;QACP,UAAU;QACV,MAAM,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC;YAC7B,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,kBAAkB,YAAY,CAAC,MAAM,qBAAqB;YAC1E,CAAC,CAAC,IAAI,CAAC,MAAM;KAChB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,wBAAwB;IAC3B,MAAM,CAA6B;IACnC,YAAY,CAAe;IAC3B,aAAa,CAAsB;IACnC,eAAe,CAAkB;IAEzC,YAAY,MAAkC;QAC5C,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QAErB,2BAA2B;QAC3B,IAAI,CAAC,YAAY,GAAG,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACxD,IAAI,CAAC,aAAa,GAAG,yBAAyB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChE,IAAI,CAAC,eAAe,GAAG,qBAAqB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAyB;QACpC,+BAA+B;QAC/B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,OAAO,GAA2C,EAAE,CAAC;QAE3D,oBAAoB;QACpB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAEhD,4BAA4B;QAC5B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAEjD,uBAAuB;QACvB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAEnD,kBAAkB;QAClB,OAAO,cAAc,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACvD,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC;IAC7B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,0BAA0B,CACxC,MAAqD;IAErD,OAAO,IAAI,wBAAwB,CAAC,MAAM,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iCAAiC;IAC/C,OAAO,IAAI,wBAAwB,CAAC;QAClC,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,OAAO;KAChB,CAAC,CAAC;AACL,CAAC;AAED,iBAAiB;AACjB,eAAe;IACb,wBAAwB;IACxB,0BAA0B;IAC1B,iCAAiC;CAClC,CAAC"}

package/dist/src/detectors/exfiltration/network-detector.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Network Exfiltration Detector
+ * Detects raw network commands used for data exfiltration (netcat, socat, /dev/tcp, etc.)
+ */
+import type { NetworkMatchResult, DetectionContext, ExfiltrationDetectionResult, SubDetector } from './types.js';
+import type { Severity } from '../../config/index.js';
+/**
+ * Match netcat patterns
+ */
+export declare function matchNetcatCommand(command: string): NetworkMatchResult;
+/**
+ * Match /dev/tcp patterns
+ */
+export declare function matchDevTcpPattern(command: string): NetworkMatchResult;
+/**
+ * Match socat patterns
+ */
+export declare function matchSocatCommand(command: string): NetworkMatchResult;
+/**
+ * Match telnet patterns
+ */
+export declare function matchTelnetCommand(command: string): NetworkMatchResult;
+/**
+ * Match SSH/SCP exfiltration patterns
+ */
+export declare function matchSshExfiltration(command: string): NetworkMatchResult;
+/**
+ * Match DNS exfiltration patterns
+ */
+export declare function matchDnsExfiltration(command: string): NetworkMatchResult;
+/**
+ * Match other network exfiltration patterns
+ */
+export declare function matchOtherNetworkPattern(command: string): NetworkMatchResult;
+/**
+ * Comprehensive network exfiltration matching
+ */
+export declare function matchNetworkExfiltration(text: string): NetworkMatchResult;
+/**
+ * Network exfiltration detector class
+ */
+export declare class NetworkDetector implements SubDetector {
+    private severity;
+    constructor(severity?: Severity);
+    /**
+     * Extract text content from tool context
+     */
+    private extractContent;
+    detect(context: DetectionContext): ExfiltrationDetectionResult | null;
+}
+/**
+ * Create a network detector with the given severity
+ */
+export declare function createNetworkDetector(severity?: Severity): NetworkDetector;
+//# sourceMappingURL=network-detector.d.ts.map

package/dist/src/detectors/exfiltration/network-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"network-detector.d.ts","sourceRoot":"","sources":["../../../../src/detectors/exfiltration/network-detector.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EACV,kBAAkB,EAClB,gBAAgB,EAChB,2BAA2B,EAC3B,WAAW,EACZ,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAyOtD;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,kBAAkB,CAsBtE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,kBAAkB,CAsBtE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,kBAAkB,CAsBrE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,kBAAkB,CAiBtE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,kBAAkB,CAoBxE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,kBAAkB,CAexE;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,kBAAkB,CAgB5E;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,MAAM,GAAG,kBAAkB,CA4CzE;AAED;;GAEG;AACH,qBAAa,eAAgB,YAAW,WAAW;IACjD,OAAO,CAAC,QAAQ,CAAW;gBAEf,QAAQ,GAAE,QAAiB;IAIvC;;OAEG;IACH,OAAO,CAAC,cAAc;IA6CtB,MAAM,CAAC,OAAO,EAAE,gBAAgB,GAAG,2BAA2B,GAAG,IAAI;CAiCtE;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,GAAE,QAAiB,GAAG,eAAe,CAElF"}