dns-security-mcp 0.1.0

package/dist/threat/index.js

@@ -0,0 +1,999 @@
+import { z } from "zod";
+import { text, json } from "../types/index.js";
+import { createResolver, resolveAll, reverseIp, shannonEntropy } from "../utils/dns-client.js";
+import { TTLCache } from "../utils/cache.js";
+import { RateLimiter } from "../utils/rate-limiter.js";
+import * as dns from "node:dns/promises";
+// ─── Constants ───
+const FETCH_TIMEOUT = 10_000;
+const CRT_SH_BASE = "https://crt.sh";
+// ─── Rate Limiter & Cache ───
+const threatLimiter = new RateLimiter(500);
+const threatCache = new TTLCache(5 * 60 * 1000); // 5 min
+// ─── Known Sinkhole IP Ranges & Patterns ───
+const SINKHOLE_OPERATORS = [
+    {
+        operator: "Microsoft Digital Crimes Unit",
+        ranges: [
+            { prefix: "157.56.149.", cidr: 24 },
+            { prefix: "204.95.99.", cidr: 24 },
+        ],
+        patterns: [],
+    },
+    {
+        operator: "Shadowserver Foundation",
+        ranges: [
+            { prefix: "74.82.47.", cidr: 24 },
+            { prefix: "184.105.176.", cidr: 24 },
+            { prefix: "184.105.192.", cidr: 24 },
+        ],
+        patterns: [],
+    },
+    {
+        operator: "abuse.ch",
+        ranges: [
+            { prefix: "195.154.169.", cidr: 24 },
+        ],
+        patterns: ["sinkhole.abuse.ch"],
+    },
+    {
+        operator: "FBI / IC3",
+        ranges: [
+            { prefix: "153.31.120.", cidr: 24 },
+        ],
+        patterns: [],
+    },
+    {
+        operator: "Palo Alto Networks",
+        ranges: [],
+        patterns: ["sinkhole.paloaltonetworks.com"],
+    },
+    {
+        operator: "Kaspersky",
+        ranges: [
+            { prefix: "77.74.181.", cidr: 24 },
+            { prefix: "77.74.182.", cidr: 24 },
+        ],
+        patterns: ["sinkhole.kaspersky.com"],
+    },
+    {
+        operator: "CrowdStrike",
+        ranges: [],
+        patterns: ["sinkhole.crowdstrike.com"],
+    },
+    {
+        operator: "CERT.PL",
+        ranges: [
+            { prefix: "148.81.111.", cidr: 24 },
+        ],
+        patterns: ["sinkhole.cert.pl"],
+    },
+    {
+        operator: "Spamhaus",
+        ranges: [],
+        patterns: ["sinkhole.spamhaus.org"],
+    },
+    {
+        operator: "Zinkhole / Georgia Tech",
+        ranges: [
+            { prefix: "143.215.130.", cidr: 24 },
+        ],
+        patterns: [],
+    },
+    {
+        operator: "Cloudflare",
+        ranges: [],
+        patterns: ["sinkhole.cloudflare.com"],
+    },
+    {
+        operator: "Akamai",
+        ranges: [],
+        patterns: ["sinkhole.akamai.com"],
+    },
+    {
+        operator: "FireEye / Mandiant",
+        ranges: [
+            { prefix: "66.220.23.", cidr: 24 },
+        ],
+        patterns: [],
+    },
+    {
+        operator: "Arbor Networks / Netscout",
+        ranges: [
+            { prefix: "216.218.185.", cidr: 24 },
+        ],
+        patterns: [],
+    },
+];
+async function queryCrtSh(query) {
+    await threatLimiter.acquire();
+    const url = `${CRT_SH_BASE}/?q=${encodeURIComponent(query)}&output=json`;
+    const res = await fetch(url, {
+        signal: AbortSignal.timeout(FETCH_TIMEOUT),
+        headers: { Accept: "application/json" },
+    });
+    if (!res.ok)
+        throw new Error(`crt.sh error: ${res.status} ${res.statusText}`);
+    const data = await res.json();
+    return data ?? [];
+}
+function ipMatchesPrefix(ip, prefix) {
+    return ip.startsWith(prefix);
+}
+function consonantRatio(str) {
+    const consonants = str.replace(/[^bcdfghjklmnpqrstvwxyz]/gi, "");
+    const alpha = str.replace(/[^a-z]/gi, "");
+    if (alpha.length === 0)
+        return 0;
+    return consonants.length / alpha.length;
+}
+async function lookupDnsbl(query, dnsblDomain) {
+    const resolver = createResolver();
+    try {
+        const results = await resolver.resolve4(`${query}.${dnsblDomain}`);
+        return results.length > 0;
+    }
+    catch {
+        return false;
+    }
+}
+async function cymruAsnLookup(ip) {
+    const resolver = createResolver();
+    try {
+        const reversed = reverseIp(ip);
+        const txtResults = await resolver.resolveTxt(`${reversed}.origin.asn.cymru.com`);
+        if (txtResults.length === 0)
+            return null;
+        const parts = txtResults[0].join("").split("|").map((s) => s.trim());
+        const asn = parts[0] ?? "unknown";
+        const prefix = parts[1] ?? "unknown";
+        // Lookup AS name
+        let asName = "unknown";
+        try {
+            const nameResults = await resolver.resolveTxt(`AS${asn}.asn.cymru.com`);
+            if (nameResults.length > 0) {
+                const nameParts = nameResults[0].join("").split("|").map((s) => s.trim());
+                asName = nameParts[4] ?? "unknown";
+            }
+        }
+        catch {
+            // AS name lookup failed — not critical
+        }
+        return { asn, prefix, asName };
+    }
+    catch {
+        return null;
+    }
+}
+async function rdapLookup(domain) {
+    try {
+        const res = await fetch(`https://rdap.org/domain/${encodeURIComponent(domain)}`, {
+            signal: AbortSignal.timeout(FETCH_TIMEOUT),
+            headers: { Accept: "application/rdap+json" },
+        });
+        if (!res.ok)
+            return null;
+        const data = (await res.json());
+        let registrar;
+        const entities = data.entities;
+        if (entities) {
+            for (const entity of entities) {
+                if (entity.roles?.includes("registrar")) {
+                    const vcard = entity.vcardArray;
+                    if (vcard && Array.isArray(vcard[1])) {
+                        for (const entry of vcard[1]) {
+                            if (entry[0] === "fn") {
+                                registrar = entry[3];
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        const events = data.events;
+        let created;
+        let updated;
+        let expires;
+        if (events) {
+            for (const ev of events) {
+                if (ev.eventAction === "registration")
+                    created = ev.eventDate;
+                if (ev.eventAction === "last changed")
+                    updated = ev.eventDate;
+                if (ev.eventAction === "expiration")
+                    expires = ev.eventDate;
+            }
+        }
+        return { registrar, created, updated, expires };
+    }
+    catch {
+        return null;
+    }
+}
+// ─── Tool 1: threat_passive_dns ───
+const threatPassiveDns = {
+    name: "threat_passive_dns",
+    description: "Query passive DNS data for a domain. Uses SecurityTrails API if SECURITYTRAILS_API_KEY is set, " +
+        "otherwise falls back to Certificate Transparency logs (crt.sh) for historical cert data plus " +
+        "current multi-resolver comparison. Returns historical IPs, first/last seen timestamps.",
+    schema: {
+        domain: z.string().describe("The domain to query passive DNS history for (e.g. 'example.com')"),
+    },
+    async execute(args, ctx) {
+        const domain = args.domain;
+        const cacheKey = `threat_passive_dns:${domain}`;
+        const cached = threatCache.get(cacheKey);
+        if (cached)
+            return json(cached);
+        try {
+            const apiKey = ctx.config.securitytrailsApiKey ?? process.env.SECURITYTRAILS_API_KEY;
+            if (apiKey) {
+                // ── SecurityTrails API path ──
+                await threatLimiter.acquire();
+                const res = await fetch(`https://api.securitytrails.com/v1/history/${encodeURIComponent(domain)}/dns/a`, {
+                    signal: AbortSignal.timeout(FETCH_TIMEOUT),
+                    headers: {
+                        Accept: "application/json",
+                        APIKEY: apiKey,
+                    },
+                });
+                if (!res.ok) {
+                    throw new Error(`SecurityTrails API error: ${res.status} ${res.statusText}`);
+                }
+                const data = (await res.json());
+                const records = (data.records ?? []).map((r) => ({
+                    ips: r.values.map((v) => v.ip),
+                    first_seen: r.first_seen,
+                    last_seen: r.last_seen,
+                    organizations: r.organizations ?? [],
+                    type: r.type,
+                }));
+                // Collect all unique IPs with date ranges
+                const ipHistory = new Map();
+                for (const rec of records) {
+                    for (const ip of rec.ips) {
+                        const existing = ipHistory.get(ip);
+                        if (!existing) {
+                            ipHistory.set(ip, { first_seen: rec.first_seen, last_seen: rec.last_seen });
+                        }
+                        else {
+                            if (rec.first_seen < existing.first_seen)
+                                existing.first_seen = rec.first_seen;
+                            if (rec.last_seen > existing.last_seen)
+                                existing.last_seen = rec.last_seen;
+                        }
+                    }
+                }
+                const result = {
+                    domain,
+                    source: "securitytrails",
+                    total_records: records.length,
+                    unique_ips: ipHistory.size,
+                    ip_history: Array.from(ipHistory.entries()).map(([ip, dates]) => ({
+                        ip,
+                        first_seen: dates.first_seen,
+                        last_seen: dates.last_seen,
+                    })),
+                    records,
+                };
+                threatCache.set(cacheKey, result);
+                return json(result);
+            }
+            // ── Fallback: CT logs + multi-resolver comparison ──
+            const [ctEntries, currentRecords] = await Promise.all([
+                queryCrtSh(domain).catch(() => []),
+                resolveAll(domain, ["A", "AAAA"]),
+            ]);
+            // Extract unique IPs from current DNS
+            const currentIps = currentRecords.map((r) => r.data);
+            // Extract historical data from CT log timestamps
+            const certTimeline = [];
+            const seenSerials = new Set();
+            for (const entry of ctEntries.slice(0, 200)) {
+                if (seenSerials.has(entry.serial_number))
+                    continue;
+                seenSerials.add(entry.serial_number);
+                certTimeline.push({
+                    common_name: entry.common_name,
+                    not_before: entry.not_before,
+                    not_after: entry.not_after,
+                });
+            }
+            // Multi-resolver comparison for current state
+            const resolverIps = [];
+            const resolvers = ["8.8.8.8", "1.1.1.1", "9.9.9.9", "208.67.222.222"];
+            await Promise.all(resolvers.map(async (server) => {
+                try {
+                    const resolver = createResolver(server);
+                    const results = await resolver.resolve4(domain);
+                    resolverIps.push({ resolver: server, ips: results });
+                }
+                catch {
+                    resolverIps.push({ resolver: server, ips: [] });
+                }
+            }));
+            // Detect resolver inconsistencies
+            const allResolvedIps = new Set();
+            for (const r of resolverIps) {
+                for (const ip of r.ips)
+                    allResolvedIps.add(ip);
+            }
+            const inconsistent = resolverIps.some((r) => r.ips.length > 0 && r.ips.sort().join(",") !== resolverIps[0].ips.sort().join(","));
+            const result = {
+                domain,
+                source: "ct_logs_and_resolvers",
+                note: "Set SECURITYTRAILS_API_KEY for richer passive DNS data",
+                current_ips: currentIps,
+                resolver_comparison: resolverIps,
+                resolver_inconsistency: inconsistent,
+                all_observed_ips: [...allResolvedIps],
+                ct_certificate_timeline: certTimeline.slice(0, 50),
+                total_ct_certs: certTimeline.length,
+            };
+            threatCache.set(cacheKey, result);
+            return json(result);
+        }
+        catch (err) {
+            return text(`Error querying passive DNS for ${domain}: ${err.message}`);
+        }
+    },
+};
+// ─── Tool 2: threat_cohosting ───
+const threatCohosting = {
+    name: "threat_cohosting",
+    description: "Analyzes domain co-hosting by resolving the domain to its IP, performing reverse DNS (PTR) lookups, " +
+        "and searching CT logs for other domains on the same IP. Flags hosting with suspicious co-hosted domains.",
+    schema: {
+        domain: z.string().describe("The domain to analyze for co-hosting relationships (e.g. 'example.com')"),
+    },
+    async execute(args) {
+        const domain = args.domain;
+        const cacheKey = `threat_cohosting:${domain}`;
+        const cached = threatCache.get(cacheKey);
+        if (cached)
+            return json(cached);
+        try {
+            // Resolve domain to IPs
+            const resolver = createResolver();
+            let ips = [];
+            try {
+                ips = await resolver.resolve4(domain);
+            }
+            catch {
+                return text(`Error: Could not resolve ${domain} to any IP address.`);
+            }
+            if (ips.length === 0) {
+                return text(`Error: No A records found for ${domain}.`);
+            }
+            const cohostedResults = [];
+            for (const ip of ips.slice(0, 5)) {
+                // Reverse DNS
+                let ptrRecords = [];
+                try {
+                    ptrRecords = await dns.reverse(ip);
+                }
+                catch {
+                    // No PTR records
+                }
+                // CT log search for domains on this IP
+                let ctDomains = [];
+                try {
+                    // crt.sh doesn't support IP search directly; we use PTR results
+                    // Additionally, search for each PTR domain in CT
+                    const ptDomainSet = new Set();
+                    for (const ptr of ptrRecords) {
+                        ptDomainSet.add(ptr.replace(/\.$/, ""));
+                    }
+                    ctDomains = [...ptDomainSet];
+                }
+                catch {
+                    // CT lookup failed
+                }
+                cohostedResults.push({
+                    ip,
+                    ptr_records: ptrRecords,
+                    ct_domains: ctDomains,
+                });
+            }
+            // Collect all unique co-hosted domains (excluding the queried domain)
+            const allCohosted = new Set();
+            for (const r of cohostedResults) {
+                for (const d of r.ptr_records) {
+                    const cleaned = d.replace(/\.$/, "").toLowerCase();
+                    if (cleaned !== domain.toLowerCase())
+                        allCohosted.add(cleaned);
+                }
+                for (const d of r.ct_domains) {
+                    const cleaned = d.replace(/\.$/, "").toLowerCase();
+                    if (cleaned !== domain.toLowerCase())
+                        allCohosted.add(cleaned);
+                }
+            }
+            // Flag suspicious patterns in co-hosted domains
+            const suspiciousPatterns = [
+                /phish/i, /malware/i, /spam/i, /hack/i, /exploit/i,
+                /bot/i, /trojan/i, /ransom/i, /scam/i, /fraud/i,
+                /fake/i, /steal/i, /crypt/i, /miner/i, /c2/i,
+            ];
+            const flags = [];
+            const suspiciousDomains = [];
+            for (const d of allCohosted) {
+                for (const pattern of suspiciousPatterns) {
+                    if (pattern.test(d)) {
+                        suspiciousDomains.push(d);
+                        break;
+                    }
+                }
+            }
+            if (suspiciousDomains.length > 0) {
+                flags.push(`${suspiciousDomains.length} co-hosted domain(s) match suspicious patterns`);
+            }
+            if (allCohosted.size > 50) {
+                flags.push(`High-density shared hosting: ${allCohosted.size} domains on same IP(s)`);
+            }
+            if (ips.length > 5) {
+                flags.push(`Domain resolves to multiple IPs (${ips.length}) — possible CDN/load balancer`);
+            }
+            const result = {
+                domain,
+                resolved_ips: ips,
+                cohosted_domain_count: allCohosted.size,
+                cohosted_domains: [...allCohosted].sort().slice(0, 100),
+                per_ip_details: cohostedResults,
+                suspicious_cohosted: suspiciousDomains,
+                flags,
+                risk_level: suspiciousDomains.length > 3
+                    ? "high"
+                    : suspiciousDomains.length > 0
+                        ? "medium"
+                        : "low",
+            };
+            threatCache.set(cacheKey, result);
+            return json(result);
+        }
+        catch (err) {
+            return text(`Error analyzing co-hosting for ${domain}: ${err.message}`);
+        }
+    },
+};
+// ─── Tool 3: threat_ip_to_domains ───
+const threatIpToDomains = {
+    name: "threat_ip_to_domains",
+    description: "Resolves an IP address to all known domains and subdomains via reverse DNS (PTR records) " +
+        "and Certificate Transparency log searches. Returns all domains/subdomains hosted on the given IP.",
+    schema: {
+        ip: z.string().describe("The IP address to resolve to domains (e.g. '93.184.216.34')"),
+    },
+    async execute(args) {
+        const ip = args.ip;
+        const cacheKey = `threat_ip_to_domains:${ip}`;
+        const cached = threatCache.get(cacheKey);
+        if (cached)
+            return json(cached);
+        try {
+            // Step 1: Reverse DNS lookup
+            let ptrRecords = [];
+            try {
+                ptrRecords = await dns.reverse(ip);
+            }
+            catch {
+                // No PTR records — not unusual
+            }
+            // Step 2: Search CT logs using PTR results to discover related domains
+            const discoveredDomains = new Set();
+            for (const ptr of ptrRecords) {
+                const cleaned = ptr.replace(/\.$/, "");
+                discoveredDomains.add(cleaned);
+                // Extract base domain from PTR and search CT
+                const parts = cleaned.split(".");
+                if (parts.length >= 2) {
+                    const baseDomain = parts.slice(-2).join(".");
+                    try {
+                        const ctEntries = await queryCrtSh(`%.${baseDomain}`);
+                        for (const entry of ctEntries.slice(0, 200)) {
+                            const names = entry.name_value.split("\n");
+                            for (const name of names) {
+                                const trimmed = name.trim().replace(/^\*\./, "");
+                                if (trimmed)
+                                    discoveredDomains.add(trimmed);
+                            }
+                        }
+                    }
+                    catch {
+                        // CT lookup failed for this base domain
+                    }
+                }
+            }
+            // Step 3: Verify which discovered domains actually resolve to this IP
+            const verifiedDomains = [];
+            const unverifiedDomains = [];
+            const resolver = createResolver();
+            const domainsToCheck = [...discoveredDomains].slice(0, 100);
+            await Promise.all(domainsToCheck.map(async (d) => {
+                try {
+                    const resolvedIps = await resolver.resolve4(d);
+                    if (resolvedIps.includes(ip)) {
+                        verifiedDomains.push(d);
+                    }
+                    else {
+                        unverifiedDomains.push(d);
+                    }
+                }
+                catch {
+                    unverifiedDomains.push(d);
+                }
+            }));
+            const result = {
+                ip,
+                ptr_records: ptrRecords,
+                total_discovered: discoveredDomains.size,
+                verified_on_ip: verifiedDomains.sort(),
+                verified_count: verifiedDomains.length,
+                discovered_but_different_ip: unverifiedDomains.sort().slice(0, 50),
+                note: ptrRecords.length === 0
+                    ? "No PTR records found — reverse DNS not configured for this IP"
+                    : undefined,
+            };
+            threatCache.set(cacheKey, result);
+            return json(result);
+        }
+        catch (err) {
+            return text(`Error resolving IP ${ip} to domains: ${err.message}`);
+        }
+    },
+};
+// ─── Tool 4: threat_malicious_feed ───
+const threatMaliciousFeed = {
+    name: "threat_malicious_feed",
+    description: "Checks a domain against free threat intelligence feeds: DNS-based blocklists (Spamhaus DBL, SURBL) " +
+        "via DNS lookups, and HTTP-based feeds (URLhaus abuse.ch). Returns feed hits and threat categories.",
+    schema: {
+        domain: z.string().describe("The domain to check against threat intelligence feeds (e.g. 'suspicious-domain.com')"),
+    },
+    async execute(args) {
+        const domain = args.domain;
+        const cacheKey = `threat_malicious_feed:${domain}`;
+        const cached = threatCache.get(cacheKey);
+        if (cached)
+            return json(cached);
+        try {
+            const feedResults = [];
+            // ── DNS-based blocklists ──
+            const dnsFeeds = [
+                { name: "Spamhaus DBL", domain: "dbl.spamhaus.org", category: "spam/malware" },
+                { name: "SURBL Multi", domain: "multi.surbl.org", category: "spam/phishing" },
+                { name: "Spamhaus ZRD", domain: "zrd.spamhaus.org", category: "newly-registered" },
+                { name: "SURBL Phishing", domain: "phishing.surbl.org", category: "phishing" },
+                { name: "SURBL Malware", domain: "malware.surbl.org", category: "malware" },
+                { name: "URIBL", domain: "multi.uribl.com", category: "spam" },
+            ];
+            await Promise.all(dnsFeeds.map(async (feed) => {
+                const listed = await lookupDnsbl(domain, feed.domain);
+                feedResults.push({
+                    feed: feed.name,
+                    type: "dns",
+                    listed,
+                    category: feed.category,
+                });
+            }));
+            // ── HTTP-based: URLhaus ──
+            try {
+                await threatLimiter.acquire();
+                const formBody = new URLSearchParams();
+                formBody.set("host", domain);
+                const urlhausRes = await fetch("https://urlhaus-api.abuse.ch/v1/host/", {
+                    method: "POST",
+                    body: formBody,
+                    signal: AbortSignal.timeout(FETCH_TIMEOUT),
+                    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                });
+                if (urlhausRes.ok) {
+                    const data = (await urlhausRes.json());
+                    const isListed = data.query_status === "ok" && (data.urls_online ?? 0) > 0;
+                    const threats = (data.urls ?? [])
+                        .map((u) => u.threat)
+                        .filter((t) => !!t);
+                    const uniqueThreats = [...new Set(threats)];
+                    feedResults.push({
+                        feed: "URLhaus (abuse.ch)",
+                        type: "http",
+                        listed: isListed,
+                        category: uniqueThreats.length > 0 ? uniqueThreats.join(", ") : "malware",
+                        detail: isListed
+                            ? `${data.urls_online ?? 0} active malicious URL(s) found. Reference: ${data.urlhaus_reference ?? "N/A"}`
+                            : undefined,
+                    });
+                }
+            }
+            catch {
+                feedResults.push({
+                    feed: "URLhaus (abuse.ch)",
+                    type: "http",
+                    listed: false,
+                    category: "malware",
+                    detail: "URLhaus lookup failed (timeout or error)",
+                });
+            }
+            const listedFeeds = feedResults.filter((f) => f.listed);
+            const categories = [...new Set(listedFeeds.map((f) => f.category))];
+            const result = {
+                domain,
+                feeds_checked: feedResults.length,
+                feeds_listed: listedFeeds.length,
+                threat_categories: categories,
+                risk_level: listedFeeds.length >= 3
+                    ? "critical"
+                    : listedFeeds.length >= 2
+                        ? "high"
+                        : listedFeeds.length === 1
+                            ? "medium"
+                            : "clean",
+                feed_results: feedResults,
+            };
+            threatCache.set(cacheKey, result);
+            return json(result);
+        }
+        catch (err) {
+            return text(`Error checking threat feeds for ${domain}: ${err.message}`);
+        }
+    },
+};
+// ─── Tool 5: threat_c2_detect ───
+const threatC2Detect = {
+    name: "threat_c2_detect",
+    description: "Analyzes a batch of domains for Command & Control (C2) indicators: DGA score (entropy, consonant ratio), " +
+        "fast-flux detection (multiple resolves), very low TTL, and DNSBL listings. Returns per-domain C2 probability score (0-100).",
+    schema: {
+        domains: z.array(z.string()).describe("Array of domains to analyze for C2/DGA indicators (e.g. ['abc123xyz.com', 'normal-site.com'])"),
+    },
+    async execute(args) {
+        const domains = args.domains;
+        if (domains.length === 0) {
+            return text("No domains provided for C2 detection.");
+        }
+        try {
+            const results = await Promise.all(domains.slice(0, 100).map(async (domain) => {
+                let score = 0;
+                const indicators = [];
+                // ── DGA Analysis (entropy + consonant ratio) ──
+                const domainBase = domain.split(".").slice(0, -1).join(".");
+                const entropy = shannonEntropy(domainBase);
+                const consRatio = consonantRatio(domainBase);
+                // High entropy → likely DGA
+                if (entropy >= 4.0) {
+                    score += 30;
+                    indicators.push(`Very high entropy (${entropy.toFixed(2)}) — strong DGA indicator`);
+                }
+                else if (entropy >= 3.5) {
+                    score += 15;
+                    indicators.push(`Elevated entropy (${entropy.toFixed(2)}) — possible DGA`);
+                }
+                // High consonant ratio → likely DGA
+                if (consRatio > 0.75) {
+                    score += 20;
+                    indicators.push(`High consonant ratio (${(consRatio * 100).toFixed(1)}%) — DGA-like character distribution`);
+                }
+                else if (consRatio > 0.65) {
+                    score += 10;
+                    indicators.push(`Elevated consonant ratio (${(consRatio * 100).toFixed(1)}%)`);
+                }
+                // Short numerical or hex-like patterns
+                if (/^[a-f0-9]{8,}$/.test(domainBase)) {
+                    score += 15;
+                    indicators.push("Domain base is entirely hex characters — possible DGA or C2");
+                }
+                // ── Fast-Flux Detection (multiple resolves with different IPs) ──
+                const resolverList = ["8.8.8.8", "1.1.1.1", "9.9.9.9"];
+                const allIps = new Set();
+                let minTtl = Infinity;
+                await Promise.all(resolverList.map(async (server) => {
+                    try {
+                        const resolver = createResolver(server);
+                        const results = await resolver.resolve4(domain, { ttl: true });
+                        for (const r of results) {
+                            allIps.add(r.address);
+                            if (r.ttl < minTtl)
+                                minTtl = r.ttl;
+                        }
+                    }
+                    catch {
+                        // Resolution failed
+                    }
+                }));
+                // Fast-flux: many unique IPs
+                if (allIps.size >= 5) {
+                    score += 20;
+                    indicators.push(`Fast-flux detected: ${allIps.size} unique IPs across resolvers`);
+                }
+                else if (allIps.size >= 3) {
+                    score += 10;
+                    indicators.push(`Multiple IPs (${allIps.size}) across resolvers — possible fast-flux`);
+                }
+                // Very low TTL
+                if (minTtl !== Infinity && minTtl <= 60) {
+                    score += 15;
+                    indicators.push(`Very low TTL (${minTtl}s) — fast-flux/C2 indicator`);
+                }
+                else if (minTtl !== Infinity && minTtl <= 300) {
+                    score += 5;
+                    indicators.push(`Low TTL (${minTtl}s)`);
+                }
+                // ── DNSBL check (Spamhaus DBL) ──
+                const isBlocklisted = await lookupDnsbl(domain, "dbl.spamhaus.org");
+                if (isBlocklisted) {
+                    score += 15;
+                    indicators.push("Listed on Spamhaus DBL — known malicious domain");
+                }
+                // Clamp score
+                score = Math.max(0, Math.min(100, score));
+                return {
+                    domain,
+                    c2_probability: score,
+                    risk_level: score >= 70
+                        ? "critical"
+                        : score >= 50
+                            ? "high"
+                            : score >= 30
+                                ? "medium"
+                                : score >= 15
+                                    ? "low"
+                                    : "clean",
+                    entropy: Math.round(entropy * 1000) / 1000,
+                    consonant_ratio: Math.round(consRatio * 1000) / 1000,
+                    resolved_ips: [...allIps],
+                    min_ttl: minTtl === Infinity ? null : minTtl,
+                    dnsbl_listed: isBlocklisted,
+                    indicators,
+                };
+            }));
+            const highRisk = results.filter((r) => r.c2_probability >= 50);
+            return json({
+                total_analyzed: results.length,
+                high_risk_count: highRisk.length,
+                results,
+                high_risk_domains: highRisk,
+            });
+        }
+        catch (err) {
+            return text(`Error running C2 detection: ${err.message}`);
+        }
+    },
+};
+// ─── Tool 6: threat_actor_infra ───
+const threatActorInfra = {
+    name: "threat_actor_infra",
+    description: "Maps domain infrastructure fingerprint: NS, MX, IP, ASN (via Team Cymru), registrar (RDAP). " +
+        "Cross-references shared infrastructure to discover related domains via shared nameservers, mail servers, and IPs.",
+    schema: {
+        domain: z.string().describe("The domain to map infrastructure for (e.g. 'example.com')"),
+    },
+    async execute(args) {
+        const domain = args.domain;
+        const cacheKey = `threat_actor_infra:${domain}`;
+        const cached = threatCache.get(cacheKey);
+        if (cached)
+            return json(cached);
+        try {
+            // ── Resolve all records ──
+            const records = await resolveAll(domain, ["A", "AAAA", "NS", "MX", "SOA"]);
+            const ips = records.filter((r) => r.type === "A" || r.type === "AAAA").map((r) => r.data);
+            const nsRecords = records.filter((r) => r.type === "NS").map((r) => r.data);
+            const mxRecords = records.filter((r) => r.type === "MX").map((r) => {
+                const parts = r.data.split(" ");
+                return { priority: parseInt(parts[0], 10) || 0, exchange: parts.slice(1).join(" ") };
+            });
+            const soaRecord = records.find((r) => r.type === "SOA");
+            // ── ASN lookup for each IP ──
+            const asnResults = [];
+            await Promise.all(ips.slice(0, 10).map(async (ip) => {
+                const asnInfo = await cymruAsnLookup(ip);
+                if (asnInfo) {
+                    asnResults.push({ ip, ...asnInfo });
+                }
+            }));
+            // ── RDAP lookup for registrar ──
+            const rdapInfo = await rdapLookup(domain);
+            // ── Resolve NS IPs to find shared infrastructure ──
+            const nsIps = new Map();
+            const resolver = createResolver();
+            await Promise.all(nsRecords.slice(0, 10).map(async (ns) => {
+                try {
+                    const resolved = await resolver.resolve4(ns);
+                    nsIps.set(ns, resolved);
+                }
+                catch {
+                    nsIps.set(ns, []);
+                }
+            }));
+            // ── Check NS diversity ──
+            const nsSubnets = new Set();
+            for (const [, nsIpList] of nsIps) {
+                for (const nsIp of nsIpList) {
+                    const subnet = nsIp.split(".").slice(0, 3).join(".");
+                    nsSubnets.add(subnet);
+                }
+            }
+            // ── Infrastructure fingerprint ──
+            const fingerprint = {
+                nameservers: nsRecords.sort(),
+                nameserver_ips: Object.fromEntries(nsIps),
+                ns_subnets: [...nsSubnets].sort(),
+                ns_diversity: nsSubnets.size,
+                mail_servers: mxRecords.sort((a, b) => a.priority - b.priority),
+                ips,
+                asn_info: asnResults,
+                registrar: rdapInfo?.registrar ?? "unknown",
+                registration_dates: {
+                    created: rdapInfo?.created ?? "unknown",
+                    updated: rdapInfo?.updated ?? "unknown",
+                    expires: rdapInfo?.expires ?? "unknown",
+                },
+                soa: soaRecord?.data ?? null,
+            };
+            // ── Cross-reference: find domains sharing same NS ──
+            const sharedInfraHints = [];
+            if (nsRecords.length > 0) {
+                sharedInfraHints.push(`Nameservers: ${nsRecords.join(", ")} — other domains using these NS may be related`);
+            }
+            if (mxRecords.length > 0) {
+                const mxHosts = mxRecords.map((m) => m.exchange);
+                sharedInfraHints.push(`Mail servers: ${mxHosts.join(", ")} — shared MX infrastructure`);
+            }
+            const uniqueAsns = [...new Set(asnResults.map((a) => `AS${a.asn} (${a.asName})`))];
+            if (uniqueAsns.length > 0) {
+                sharedInfraHints.push(`ASN(s): ${uniqueAsns.join(", ")}`);
+            }
+            const result = {
+                domain,
+                infrastructure_fingerprint: fingerprint,
+                shared_infrastructure_hints: sharedInfraHints,
+                summary: {
+                    ip_count: ips.length,
+                    ns_count: nsRecords.length,
+                    mx_count: mxRecords.length,
+                    unique_asns: uniqueAsns.length,
+                    ns_diversity_score: nsSubnets.size,
+                    registrar: rdapInfo?.registrar ?? "unknown",
+                },
+            };
+            threatCache.set(cacheKey, result);
+            return json(result);
+        }
+        catch (err) {
+            return text(`Error mapping infrastructure for ${domain}: ${err.message}`);
+        }
+    },
+};
+// ─── Tool 7: threat_sinkhole_check ───
+const threatSinkholeCheck = {
+    name: "threat_sinkhole_check",
+    description: "Resolves a domain and checks if its IP belongs to known sinkhole operators (Microsoft, Shadowserver, " +
+        "abuse.ch, FBI, Palo Alto, Kaspersky, CrowdStrike, etc.). Returns whether the domain is sinkholed and by which operator.",
+    schema: {
+        domain: z.string().describe("The domain to check for sinkhole status (e.g. 'known-malware-domain.com')"),
+    },
+    async execute(args) {
+        const domain = args.domain;
+        const cacheKey = `threat_sinkhole_check:${domain}`;
+        const cached = threatCache.get(cacheKey);
+        if (cached)
+            return json(cached);
+        try {
+            // Resolve domain
+            const resolver = createResolver();
+            let ips = [];
+            try {
+                ips = await resolver.resolve4(domain);
+            }
+            catch {
+                // NXDOMAIN could also indicate sinkhole or takedown
+            }
+            let ipv6s = [];
+            try {
+                ipv6s = await resolver.resolve6(domain);
+            }
+            catch {
+                // No AAAA records
+            }
+            // Check CNAME chain for sinkhole patterns
+            let cnameChain = [];
+            try {
+                const cnames = await resolver.resolveCname(domain);
+                cnameChain = cnames;
+            }
+            catch {
+                // No CNAME
+            }
+            // Check resolved IPs against known sinkhole ranges
+            const sinkholeMatches = [];
+            for (const ip of ips) {
+                for (const sinkhole of SINKHOLE_OPERATORS) {
+                    // Check IP ranges
+                    for (const range of sinkhole.ranges) {
+                        if (ipMatchesPrefix(ip, range.prefix)) {
+                            sinkholeMatches.push({
+                                ip,
+                                operator: sinkhole.operator,
+                                matchType: `IP range match: ${range.prefix}0/${range.cidr ?? 24}`,
+                            });
+                        }
+                    }
+                }
+            }
+            // Check CNAME chain for sinkhole patterns
+            for (const cname of cnameChain) {
+                for (const sinkhole of SINKHOLE_OPERATORS) {
+                    for (const pattern of sinkhole.patterns) {
+                        if (cname.toLowerCase().includes(pattern.toLowerCase())) {
+                            sinkholeMatches.push({
+                                ip: cname,
+                                operator: sinkhole.operator,
+                                matchType: `CNAME pattern match: ${pattern}`,
+                            });
+                        }
+                    }
+                }
+            }
+            // Check PTR records for sinkhole patterns
+            const ptrSinkholeMatches = [];
+            for (const ip of ips) {
+                try {
+                    const ptrs = await dns.reverse(ip);
+                    for (const ptr of ptrs) {
+                        for (const sinkhole of SINKHOLE_OPERATORS) {
+                            for (const pattern of sinkhole.patterns) {
+                                if (ptr.toLowerCase().includes(pattern.toLowerCase())) {
+                                    ptrSinkholeMatches.push({ ip, ptr, operator: sinkhole.operator });
+                                }
+                            }
+                        }
+                    }
+                }
+                catch {
+                    // No PTR
+                }
+            }
+            const isSinkholed = sinkholeMatches.length > 0 || ptrSinkholeMatches.length > 0;
+            const operators = [...new Set([
+                    ...sinkholeMatches.map((m) => m.operator),
+                    ...ptrSinkholeMatches.map((m) => m.operator),
+                ])];
+            // Check if domain resolves to NXDOMAIN (possible takedown without sinkhole)
+            const isNxdomain = ips.length === 0 && ipv6s.length === 0;
+            const result = {
+                domain,
+                resolved_ips: ips,
+                resolved_ipv6s: ipv6s,
+                cname_chain: cnameChain,
+                is_sinkholed: isSinkholed,
+                is_nxdomain: isNxdomain,
+                sinkhole_operators: operators,
+                sinkhole_matches: sinkholeMatches,
+                ptr_sinkhole_matches: ptrSinkholeMatches,
+                status: isSinkholed
+                    ? `SINKHOLED by ${operators.join(", ")}`
+                    : isNxdomain
+                        ? "NXDOMAIN — domain does not resolve (possibly taken down)"
+                        : "ACTIVE — not detected in known sinkhole ranges",
+                note: "This check uses a known-sinkhole IP/pattern database. " +
+                    "New or private sinkholes may not be detected.",
+            };
+            threatCache.set(cacheKey, result);
+            return json(result);
+        }
+        catch (err) {
+            return text(`Error checking sinkhole status for ${domain}: ${err.message}`);
+        }
+    },
+};
+// ─── Export All Threat Tools ───
+export const threatTools = [
+    threatPassiveDns,
+    threatCohosting,
+    threatIpToDomains,
+    threatMaliciousFeed,
+    threatC2Detect,
+    threatActorInfra,
+    threatSinkholeCheck,
+];
+//# sourceMappingURL=index.js.map