dns-security-mcp 0.1.0

package/dist/tunnel/index.js

@@ -0,0 +1,688 @@
+import { z } from "zod";
+import { text, json } from "../types/index.js";
+import { shannonEntropy, createResolver } from "../utils/dns-client.js";
+import { TUNNEL_SIGNATURES, TUNNEL_THRESHOLDS } from "../data/tunneling-signatures.js";
+// ─── Helpers ───
+/**
+ * Extract subdomain labels from a fully-qualified domain name.
+ * Given "abc.def.example.com", returns ["abc", "def"] (everything before the base domain).
+ * The base domain is assumed to be the last two labels (e.g. "example.com").
+ */
+function extractSubdomainLabels(query) {
+    const labels = query.replace(/\.$/, "").split(".");
+    if (labels.length <= 2)
+        return [];
+    return labels.slice(0, labels.length - 2);
+}
+/**
+ * Classify entropy value against thresholds.
+ */
+function classifyEntropy(entropy) {
+    if (entropy >= TUNNEL_THRESHOLDS.highEntropy)
+        return "likely-tunnel";
+    if (entropy >= TUNNEL_THRESHOLDS.normalEntropy)
+        return "suspicious";
+    return "normal";
+}
+// ─── Tool 1: Entropy Analysis ───
+const tunnelEntropyAnalysis = {
+    name: "tunnel_entropy_analysis",
+    description: "Calculates Shannon entropy per subdomain label to detect DNS tunneling. Normal DNS labels have entropy ~3.0-3.5, while encoded/encrypted data used in tunneling has entropy >4.0.",
+    schema: {
+        queries: z
+            .array(z.string())
+            .describe("List of DNS query names (FQDNs) to analyze for tunneling entropy patterns"),
+    },
+    execute: async (args) => {
+        const queries = args.queries;
+        if (!queries.length) {
+            return text("No queries provided for entropy analysis.");
+        }
+        const results = queries.map((query) => {
+            const subLabels = extractSubdomainLabels(query);
+            if (subLabels.length === 0) {
+                return {
+                    query,
+                    subdomainLabels: [],
+                    labelEntropies: [],
+                    combinedEntropy: 0,
+                    classification: "normal",
+                    note: "No subdomain labels found — base domain only",
+                };
+            }
+            const combined = subLabels.join("");
+            const combinedEntropy = shannonEntropy(combined);
+            const labelEntropies = subLabels.map((label) => ({
+                label,
+                length: label.length,
+                entropy: Math.round(shannonEntropy(label) * 1000) / 1000,
+            }));
+            const classification = classifyEntropy(combinedEntropy);
+            return {
+                query,
+                subdomainLabels: subLabels,
+                labelEntropies,
+                combinedEntropy: Math.round(combinedEntropy * 1000) / 1000,
+                classification,
+            };
+        });
+        const suspicious = results.filter((r) => r.classification === "suspicious" || r.classification === "likely-tunnel");
+        return json({
+            summary: {
+                totalQueries: queries.length,
+                normalCount: results.filter((r) => r.classification === "normal").length,
+                suspiciousCount: results.filter((r) => r.classification === "suspicious").length,
+                likelyTunnelCount: results.filter((r) => r.classification === "likely-tunnel").length,
+                thresholds: {
+                    normalMax: TUNNEL_THRESHOLDS.normalEntropy,
+                    highEntropy: TUNNEL_THRESHOLDS.highEntropy,
+                },
+            },
+            results,
+            flagged: suspicious,
+        });
+    },
+};
+// ─── Tool 2: Query Length Analysis ───
+const tunnelQueryLength = {
+    name: "tunnel_query_length",
+    description: "Measures subdomain label lengths and total query length to detect DNS tunneling. Normal browsing rarely exceeds 3 labels or 60 total characters. Tunneling often uses labels >40 chars and totals >200 chars.",
+    schema: {
+        queries: z
+            .array(z.string())
+            .describe("List of DNS query names (FQDNs) to analyze for abnormal length patterns"),
+    },
+    execute: async (args) => {
+        const queries = args.queries;
+        if (!queries.length) {
+            return text("No queries provided for length analysis.");
+        }
+        const results = queries.map((query) => {
+            const labels = query.replace(/\.$/, "").split(".");
+            const subLabels = extractSubdomainLabels(query);
+            const totalLength = query.replace(/\.$/, "").length;
+            const flags = [];
+            const longLabels = subLabels.filter((l) => l.length > TUNNEL_THRESHOLDS.maxLabelLength);
+            if (longLabels.length > 0) {
+                flags.push(`${longLabels.length} label(s) exceed ${TUNNEL_THRESHOLDS.maxLabelLength} chars: [${longLabels.map((l) => `"${l.substring(0, 20)}..." (${l.length})`).join(", ")}]`);
+            }
+            if (totalLength > TUNNEL_THRESHOLDS.maxTotalLength) {
+                flags.push(`Total query length ${totalLength} exceeds threshold ${TUNNEL_THRESHOLDS.maxTotalLength}`);
+            }
+            if (labels.length > TUNNEL_THRESHOLDS.maxLabelCount) {
+                flags.push(`Label count ${labels.length} exceeds threshold ${TUNNEL_THRESHOLDS.maxLabelCount}`);
+            }
+            return {
+                query: query.length > 80 ? query.substring(0, 80) + "..." : query,
+                fullLength: query.length,
+                totalLength,
+                labelCount: labels.length,
+                subdomainLabelCount: subLabels.length,
+                labelLengths: labels.map((l) => ({ label: l.substring(0, 30), length: l.length })),
+                maxLabelLength: Math.max(0, ...labels.map((l) => l.length)),
+                isSuspicious: flags.length > 0,
+                flags,
+            };
+        });
+        const flagged = results.filter((r) => r.isSuspicious);
+        return json({
+            summary: {
+                totalQueries: queries.length,
+                flaggedCount: flagged.length,
+                thresholds: {
+                    maxLabelLength: TUNNEL_THRESHOLDS.maxLabelLength,
+                    maxTotalLength: TUNNEL_THRESHOLDS.maxTotalLength,
+                    maxLabelCount: TUNNEL_THRESHOLDS.maxLabelCount,
+                },
+            },
+            results,
+            flagged,
+        });
+    },
+};
+// ─── Tool 3: TXT Payload Detection ───
+const tunnelTxtPayload = {
+    name: "tunnel_txt_payload",
+    description: "Resolves TXT records for a domain and optional subdomains, then detects encoded payloads commonly used in DNS tunneling: base64, hex-encoded data, binary markers, and high-entropy content.",
+    schema: {
+        domain: z.string().describe("Base domain to resolve TXT records for"),
+        subdomains: z
+            .array(z.string())
+            .optional()
+            .describe("Optional list of subdomains to also check for TXT record payloads"),
+    },
+    execute: async (args, ctx) => {
+        const domain = args.domain;
+        const subdomains = args.subdomains ?? [];
+        const resolver = createResolver(ctx.config.customResolver);
+        const targets = [domain, ...subdomains.map((s) => `${s}.${domain}`)];
+        const base64Pattern = /^[A-Za-z0-9+/]{40,}={0,2}$/;
+        const hexPattern = /^[a-fA-F0-9]{32,}$/;
+        const binaryMarkers = ["\x00", "\x01", "\xff", "\\x00", "\\x01", "\\xff"];
+        const results = await Promise.all(targets.map(async (target) => {
+            try {
+                const txtRecords = await resolver.resolveTxt(target);
+                const flatRecords = txtRecords.map((chunks) => chunks.join(""));
+                const analysis = flatRecords.map((value) => {
+                    const entropy = shannonEntropy(value);
+                    const flags = [];
+                    if (base64Pattern.test(value.trim())) {
+                        flags.push("Matches base64-encoded payload pattern");
+                    }
+                    if (hexPattern.test(value.trim())) {
+                        flags.push("Matches hex-encoded data pattern");
+                    }
+                    if (binaryMarkers.some((marker) => value.includes(marker))) {
+                        flags.push("Contains binary data markers");
+                    }
+                    if (entropy >= TUNNEL_THRESHOLDS.highEntropy) {
+                        flags.push(`High entropy (${Math.round(entropy * 1000) / 1000}) suggests encoded/encrypted data`);
+                    }
+                    return {
+                        value: value.length > 120 ? value.substring(0, 120) + "..." : value,
+                        length: value.length,
+                        entropy: Math.round(entropy * 1000) / 1000,
+                        entropyClassification: classifyEntropy(entropy),
+                        isSuspicious: flags.length > 0,
+                        flags,
+                    };
+                });
+                return {
+                    target,
+                    recordCount: flatRecords.length,
+                    analysis,
+                    hasSuspiciousPayloads: analysis.some((a) => a.isSuspicious),
+                };
+            }
+            catch {
+                return {
+                    target,
+                    recordCount: 0,
+                    analysis: [],
+                    hasSuspiciousPayloads: false,
+                    error: "Failed to resolve TXT records (NXDOMAIN or timeout)",
+                };
+            }
+        }));
+        const suspicious = results.filter((r) => r.hasSuspiciousPayloads);
+        return json({
+            summary: {
+                targetsChecked: targets.length,
+                targetsWithTxt: results.filter((r) => r.recordCount > 0).length,
+                suspiciousTargets: suspicious.length,
+            },
+            results,
+            flagged: suspicious,
+        });
+    },
+};
+// ─── Tool 4: Record Type Anomaly Detection ───
+const tunnelRecordAnomaly = {
+    name: "tunnel_record_anomaly",
+    description: "Analyzes DNS queries for record type abuse patterns commonly used in tunneling. Detects indicators of NULL, TXT, CNAME, and MX record abuse, plus anomalous query patterns consistent with data exfiltration.",
+    schema: {
+        queries: z
+            .array(z.string())
+            .describe("List of DNS query names (FQDNs) to analyze for record type anomaly patterns"),
+    },
+    execute: async (args) => {
+        const queries = args.queries;
+        if (!queries.length) {
+            return text("No queries provided for record anomaly analysis.");
+        }
+        // Analyze structural patterns that imply record type abuse
+        const patterns = {
+            txtAbuse: 0,
+            cnameAbuse: 0,
+            nullAbuse: 0,
+            mxAbuse: 0,
+            aRecordAbuse: 0,
+        };
+        const perQuery = queries.map((query) => {
+            const subLabels = extractSubdomainLabels(query);
+            const combined = subLabels.join("");
+            const flags = [];
+            // Long base64-like labels => likely TXT record tunnel
+            if (/^[A-Za-z0-9+/=]{30,}\./.test(query)) {
+                flags.push("Base64-encoded label pattern (TXT record abuse indicator)");
+                patterns.txtAbuse++;
+            }
+            // Very long hex-only labels => likely NULL record or TXT abuse
+            if (/^[a-f0-9]{40,}\./.test(query)) {
+                flags.push("Long hex-encoded label (NULL/TXT record abuse indicator)");
+                patterns.nullAbuse++;
+            }
+            // Multiple encoded subdomains chained => CNAME abuse
+            if (subLabels.length >= 3 &&
+                subLabels.every((l) => l.length >= 10 && shannonEntropy(l) >= TUNNEL_THRESHOLDS.normalEntropy)) {
+                flags.push("Multiple high-entropy labels chained (CNAME tunneling indicator)");
+                patterns.cnameAbuse++;
+            }
+            // Short hex labels with consistent length => A/AAAA record beacon
+            if (subLabels.length >= 1 &&
+                subLabels[0].length >= 8 &&
+                subLabels[0].length <= 32 &&
+                /^[a-f0-9]+$/.test(subLabels[0])) {
+                flags.push("Short hex-encoded label (A/AAAA beacon indicator)");
+                patterns.aRecordAbuse++;
+            }
+            // High entropy combined with unusual domain depth => MX abuse pattern
+            if (combined.length > 0 && shannonEntropy(combined) >= TUNNEL_THRESHOLDS.highEntropy && subLabels.length >= 2) {
+                flags.push("High entropy with deep subdomain nesting (MX/record abuse indicator)");
+                patterns.mxAbuse++;
+            }
+            return {
+                query: query.length > 80 ? query.substring(0, 80) + "..." : query,
+                subdomainLabelCount: subLabels.length,
+                isSuspicious: flags.length > 0,
+                flags,
+            };
+        });
+        const totalFlagged = perQuery.filter((r) => r.isSuspicious).length;
+        // Determine dominant abuse pattern
+        const dominantPattern = Object.entries(patterns).sort((a, b) => b[1] - a[1])[0];
+        return json({
+            summary: {
+                totalQueries: queries.length,
+                flaggedQueries: totalFlagged,
+                flagRate: Math.round((totalFlagged / queries.length) * 100 * 10) / 10 + "%",
+                dominantPattern: dominantPattern[1] > 0
+                    ? { type: dominantPattern[0], count: dominantPattern[1] }
+                    : null,
+                patternCounts: patterns,
+            },
+            results: perQuery,
+            flagged: perQuery.filter((r) => r.isSuspicious),
+        });
+    },
+};
+// ─── Tool 5: Tool Signature Matching ───
+const tunnelToolSignatures = {
+    name: "tunnel_tool_signatures",
+    description: "Matches DNS query patterns against known tunneling tool signatures (iodine, dns2tcp, dnscat2, Cobalt Strike, Sliver C2, DNSStager, etc.). Returns matched tools with descriptions and indicators.",
+    schema: {
+        queries: z
+            .array(z.string())
+            .describe("List of DNS query names (FQDNs) to match against tunneling tool signatures"),
+    },
+    execute: async (args) => {
+        const queries = args.queries;
+        if (!queries.length) {
+            return text("No queries provided for signature matching.");
+        }
+        const matchedTools = new Map();
+        const perQuery = queries.map((query) => {
+            const matches = [];
+            for (const sig of TUNNEL_SIGNATURES) {
+                if (sig.pattern.test(query)) {
+                    matches.push({
+                        tool: sig.tool,
+                        description: sig.description,
+                        indicators: sig.indicators,
+                    });
+                    const existing = matchedTools.get(sig.tool);
+                    if (existing) {
+                        existing.count++;
+                        if (existing.examples.length < 3) {
+                            existing.examples.push(query.length > 60 ? query.substring(0, 60) + "..." : query);
+                        }
+                    }
+                    else {
+                        matchedTools.set(sig.tool, {
+                            count: 1,
+                            description: sig.description,
+                            indicators: sig.indicators,
+                            examples: [query.length > 60 ? query.substring(0, 60) + "..." : query],
+                        });
+                    }
+                }
+            }
+            return {
+                query: query.length > 80 ? query.substring(0, 80) + "..." : query,
+                matchCount: matches.length,
+                matchedTools: matches.map((m) => m.tool),
+                matches,
+            };
+        });
+        const toolSummary = Array.from(matchedTools.entries())
+            .map(([tool, data]) => ({
+            tool,
+            matchCount: data.count,
+            description: data.description,
+            indicators: data.indicators,
+            examples: data.examples,
+        }))
+            .sort((a, b) => b.matchCount - a.matchCount);
+        const queriesWithMatches = perQuery.filter((r) => r.matchCount > 0);
+        return json({
+            summary: {
+                totalQueries: queries.length,
+                queriesMatched: queriesWithMatches.length,
+                uniqueToolsDetected: toolSummary.length,
+                signaturesChecked: TUNNEL_SIGNATURES.length,
+            },
+            detectedTools: toolSummary,
+            results: perQuery,
+            flagged: queriesWithMatches,
+        });
+    },
+};
+// ─── Tool 6: Covert Channel Detection ───
+const tunnelCovertChannel = {
+    name: "tunnel_covert_channel",
+    description: "Detects covert DNS channels through timing analysis (beaconing detection when timestamps are provided) and label pattern analysis (incrementing counters, session IDs, sequential encoding).",
+    schema: {
+        queries: z
+            .array(z.string())
+            .describe("List of DNS query names (FQDNs) to analyze for covert channel patterns"),
+        timestamps: z
+            .array(z.number())
+            .optional()
+            .describe("Optional array of Unix timestamps (milliseconds) corresponding to each query for timing/beaconing analysis"),
+    },
+    execute: async (args) => {
+        const queries = args.queries;
+        const timestamps = args.timestamps;
+        if (!queries.length) {
+            return text("No queries provided for covert channel analysis.");
+        }
+        // ── Timing Analysis ──
+        let timingAnalysis = { hasTimestamps: false };
+        if (timestamps && timestamps.length >= 2 && timestamps.length === queries.length) {
+            const sorted = [...timestamps].sort((a, b) => a - b);
+            const intervals = [];
+            for (let i = 1; i < sorted.length; i++) {
+                intervals.push(sorted[i] - sorted[i - 1]);
+            }
+            const mean = intervals.reduce((sum, v) => sum + v, 0) / intervals.length;
+            const variance = intervals.reduce((sum, v) => sum + (v - mean) ** 2, 0) / intervals.length;
+            const stdDev = Math.sqrt(variance);
+            const cv = mean > 0 ? stdDev / mean : 0;
+            const isBeaconing = cv < TUNNEL_THRESHOLDS.beaconVariance;
+            timingAnalysis = {
+                hasTimestamps: true,
+                intervals: intervals.length <= 20 ? intervals : intervals.slice(0, 20),
+                meanInterval: Math.round(mean),
+                stdDeviation: Math.round(stdDev * 100) / 100,
+                coefficientOfVariation: Math.round(cv * 10000) / 10000,
+                isBeaconing,
+                beaconIntervalMs: isBeaconing ? Math.round(mean) : undefined,
+            };
+        }
+        // ── Label Pattern Analysis ──
+        const labelPatterns = queries.map((query) => {
+            const subLabels = extractSubdomainLabels(query);
+            const flags = [];
+            if (subLabels.length === 0) {
+                return { query, subLabels: [], flags, isSuspicious: false };
+            }
+            const firstLabel = subLabels[0];
+            // Check for incrementing counters (e.g., "001", "002", ... or "a1", "a2")
+            const counterMatch = firstLabel.match(/^(.+?)(\d+)$/);
+            if (counterMatch) {
+                flags.push(`Possible counter/sequence ID: prefix="${counterMatch[1]}", seq=${counterMatch[2]}`);
+            }
+            // Check for hex-encoded session ID patterns
+            if (/^[a-f0-9]{8,16}$/.test(firstLabel)) {
+                flags.push("Hex-encoded session ID pattern in first label");
+            }
+            // Check for base32-encoded patterns (often used for session management)
+            if (/^[a-z2-7]{16,}$/.test(firstLabel)) {
+                flags.push("Base32-encoded pattern detected (common in tunnel session management)");
+            }
+            // Check for consistent label structure across subdomains (encoding pattern)
+            if (subLabels.length >= 2) {
+                const lengths = subLabels.map((l) => l.length);
+                const allSameLength = lengths.every((l) => l === lengths[0]);
+                if (allSameLength && lengths[0] >= 10) {
+                    flags.push(`All ${subLabels.length} subdomain labels have uniform length (${lengths[0]}) — encoding indicator`);
+                }
+            }
+            return {
+                query: query.length > 80 ? query.substring(0, 80) + "..." : query,
+                subLabels,
+                flags,
+                isSuspicious: flags.length > 0,
+            };
+        });
+        // ── Sequential Label Detection ──
+        // Check if first labels across queries are incrementing
+        let sequentialAnalysis = { isSequential: false };
+        if (queries.length >= 3) {
+            const firstLabels = queries
+                .map((q) => extractSubdomainLabels(q))
+                .filter((labels) => labels.length > 0)
+                .map((labels) => labels[0]);
+            if (firstLabels.length >= 3) {
+                // Check for numeric incrementing
+                const numericParts = firstLabels
+                    .map((l) => {
+                    const match = l.match(/(\d+)$/);
+                    return match ? parseInt(match[1], 10) : null;
+                })
+                    .filter((n) => n !== null);
+                if (numericParts.length >= 3) {
+                    let incrementing = 0;
+                    for (let i = 1; i < numericParts.length; i++) {
+                        if (numericParts[i] === numericParts[i - 1] + 1)
+                            incrementing++;
+                    }
+                    const seqRatio = incrementing / (numericParts.length - 1);
+                    if (seqRatio >= 0.7) {
+                        sequentialAnalysis = {
+                            isSequential: true,
+                            detail: `${Math.round(seqRatio * 100)}% of labels show sequential incrementing (${incrementing}/${numericParts.length - 1} pairs)`,
+                        };
+                    }
+                }
+            }
+        }
+        const flaggedQueries = labelPatterns.filter((r) => r.isSuspicious);
+        return json({
+            summary: {
+                totalQueries: queries.length,
+                flaggedByPattern: flaggedQueries.length,
+                isBeaconing: timingAnalysis.isBeaconing ?? false,
+                hasSequentialLabels: sequentialAnalysis.isSequential,
+            },
+            timingAnalysis,
+            sequentialAnalysis,
+            labelPatterns,
+            flagged: flaggedQueries,
+        });
+    },
+};
+// ─── Tool 7: Full Tunnel Scan ───
+const tunnelFullScan = {
+    name: "tunnel_full_scan",
+    description: "Comprehensive DNS tunneling detection that runs all 6 individual tunnel checks (entropy, length, TXT payload, record anomaly, tool signatures, covert channel), aggregates findings, and returns an overall tunnel probability score (0-100).",
+    schema: {
+        queries: z
+            .array(z.string())
+            .describe("List of DNS query names (FQDNs) to run the complete tunneling detection suite against"),
+        timestamps: z
+            .array(z.number())
+            .optional()
+            .describe("Optional array of Unix timestamps (milliseconds) for each query, used in beaconing/covert channel detection"),
+    },
+    execute: async (args, ctx) => {
+        const queries = args.queries;
+        const timestamps = args.timestamps;
+        if (!queries.length) {
+            return text("No queries provided for full tunnel scan.");
+        }
+        // Run all checks internally
+        const entropyResult = await tunnelEntropyAnalysis.execute({ queries }, ctx);
+        const lengthResult = await tunnelQueryLength.execute({ queries }, ctx);
+        const anomalyResult = await tunnelRecordAnomaly.execute({ queries }, ctx);
+        const sigResult = await tunnelToolSignatures.execute({ queries }, ctx);
+        const covertResult = await tunnelCovertChannel.execute({ queries, ...(timestamps ? { timestamps } : {}) }, ctx);
+        // Parse results from JSON text output
+        const parseResult = (result) => {
+            try {
+                return JSON.parse(result.content[0].text);
+            }
+            catch {
+                return {};
+            }
+        };
+        const entropy = parseResult(entropyResult);
+        const length = parseResult(lengthResult);
+        const anomaly = parseResult(anomalyResult);
+        const signatures = parseResult(sigResult);
+        const covert = parseResult(covertResult);
+        // ── Scoring ──
+        let score = 0;
+        const detectedTechniques = [];
+        const matchedTools = [];
+        // Entropy scoring (0-25 points)
+        const entropySummary = entropy.summary;
+        if (entropySummary) {
+            const tunnelRatio = (entropySummary.likelyTunnelCount ?? 0) / queries.length;
+            const suspiciousRatio = (entropySummary.suspiciousCount ?? 0) / queries.length;
+            score += Math.min(25, Math.round(tunnelRatio * 25 + suspiciousRatio * 10));
+            if (tunnelRatio > 0.3)
+                detectedTechniques.push("High-entropy encoded subdomains");
+        }
+        // Length scoring (0-20 points)
+        const lengthSummary = length.summary;
+        if (lengthSummary) {
+            const flaggedRatio = (lengthSummary.flaggedCount ?? 0) / queries.length;
+            score += Math.min(20, Math.round(flaggedRatio * 20));
+            if (flaggedRatio > 0.3)
+                detectedTechniques.push("Abnormal query/label lengths");
+        }
+        // Record anomaly scoring (0-15 points)
+        const anomalySummary = anomaly.summary;
+        if (anomalySummary) {
+            const flaggedQueries = anomalySummary.flaggedQueries ?? 0;
+            const flaggedRatio = flaggedQueries / queries.length;
+            score += Math.min(15, Math.round(flaggedRatio * 15));
+            if (flaggedRatio > 0.3)
+                detectedTechniques.push("Record type abuse patterns");
+        }
+        // Signature scoring (0-20 points)
+        const sigSummary = signatures.summary;
+        const detectedToolsList = signatures.detectedTools;
+        if (sigSummary) {
+            const matchedRatio = (sigSummary.queriesMatched ?? 0) / queries.length;
+            const toolCount = sigSummary.uniqueToolsDetected ?? 0;
+            score += Math.min(20, Math.round(matchedRatio * 15 + Math.min(toolCount, 3) * 2));
+            if (detectedToolsList) {
+                for (const t of detectedToolsList) {
+                    matchedTools.push(t.tool);
+                }
+            }
+            if (matchedRatio > 0.2)
+                detectedTechniques.push("Known tunneling tool signatures matched");
+        }
+        // Covert channel scoring (0-20 points)
+        const covertSummary = covert.summary;
+        if (covertSummary) {
+            const isBeaconing = covertSummary.isBeaconing ?? false;
+            const hasSequential = covertSummary.hasSequentialLabels ?? false;
+            const patternFlagged = covertSummary.flaggedByPattern ?? 0;
+            const patternRatio = patternFlagged / queries.length;
+            if (isBeaconing) {
+                score += 12;
+                detectedTechniques.push("Beaconing behavior detected (regular timing intervals)");
+            }
+            if (hasSequential) {
+                score += 5;
+                detectedTechniques.push("Sequential label incrementing detected");
+            }
+            score += Math.min(3, Math.round(patternRatio * 3));
+        }
+        // Clamp score to 0-100
+        score = Math.max(0, Math.min(100, score));
+        // Risk classification
+        let riskLevel;
+        if (score >= 80)
+            riskLevel = "critical";
+        else if (score >= 60)
+            riskLevel = "high";
+        else if (score >= 35)
+            riskLevel = "medium";
+        else if (score >= 15)
+            riskLevel = "low";
+        else
+            riskLevel = "none";
+        // Per-query breakdown
+        const perQuery = queries.map((query, i) => {
+            const subLabels = extractSubdomainLabels(query);
+            const combined = subLabels.join("");
+            const combinedEntropy = combined.length > 0 ? shannonEntropy(combined) : 0;
+            const totalLength = query.replace(/\.$/, "").length;
+            const labels = query.replace(/\.$/, "").split(".");
+            const sigMatches = TUNNEL_SIGNATURES
+                .filter((sig) => sig.pattern.test(query))
+                .map((sig) => sig.tool);
+            const queryFlags = [];
+            if (combinedEntropy >= TUNNEL_THRESHOLDS.highEntropy)
+                queryFlags.push("high-entropy");
+            if (subLabels.some((l) => l.length > TUNNEL_THRESHOLDS.maxLabelLength))
+                queryFlags.push("long-labels");
+            if (totalLength > TUNNEL_THRESHOLDS.maxTotalLength)
+                queryFlags.push("long-query");
+            if (labels.length > TUNNEL_THRESHOLDS.maxLabelCount)
+                queryFlags.push("many-labels");
+            if (sigMatches.length > 0)
+                queryFlags.push("signature-match");
+            return {
+                query: query.length > 80 ? query.substring(0, 80) + "..." : query,
+                entropy: Math.round(combinedEntropy * 1000) / 1000,
+                totalLength,
+                labelCount: labels.length,
+                signatureMatches: sigMatches,
+                flags: queryFlags,
+            };
+        });
+        return json({
+            tunnelProbability: score,
+            riskLevel,
+            detectedTechniques,
+            matchedTools,
+            summary: {
+                totalQueries: queries.length,
+                entropy: entropySummary
+                    ? {
+                        normal: entropySummary.normalCount ?? 0,
+                        suspicious: entropySummary.suspiciousCount ?? 0,
+                        likelyTunnel: entropySummary.likelyTunnelCount ?? 0,
+                    }
+                    : null,
+                length: lengthSummary
+                    ? { flagged: lengthSummary.flaggedCount ?? 0 }
+                    : null,
+                anomaly: anomalySummary
+                    ? { flagged: anomalySummary.flaggedQueries ?? 0 }
+                    : null,
+                signatures: sigSummary
+                    ? {
+                        matched: sigSummary.queriesMatched ?? 0,
+                        uniqueTools: sigSummary.uniqueToolsDetected ?? 0,
+                    }
+                    : null,
+                covert: covertSummary
+                    ? {
+                        beaconing: covertSummary.isBeaconing ?? false,
+                        sequential: covertSummary.hasSequentialLabels ?? false,
+                        flaggedByPattern: covertSummary.flaggedByPattern ?? 0,
+                    }
+                    : null,
+            },
+            perQueryBreakdown: perQuery,
+        });
+    },
+};
+// ─── Export ───
+export const tunnelTools = [
+    tunnelEntropyAnalysis,
+    tunnelQueryLength,
+    tunnelTxtPayload,
+    tunnelRecordAnomaly,
+    tunnelToolSignatures,
+    tunnelCovertChannel,
+    tunnelFullScan,
+];
+//# sourceMappingURL=index.js.map