ferret-scan 1.0.0

package/dist/rules/correlationRules.js

@@ -0,0 +1,227 @@
+/**
+ * Correlation Security Rules - Multi-file attack pattern detection
+ * These rules detect sophisticated attacks that span multiple configuration files
+ */
+export const correlationRules = [
+    {
+        id: 'CORR-001',
+        name: 'Credential Harvesting + Network Transmission',
+        category: 'exfiltration',
+        severity: 'CRITICAL',
+        description: 'Detects credential access in one file combined with network transmission in another',
+        patterns: [],
+        fileTypes: ['md', 'sh', 'json', 'yaml', 'ts', 'js'],
+        components: ['skill', 'agent', 'hook', 'plugin', 'settings'],
+        remediation: 'Review credential access patterns and network communications. Ensure credentials are not being exfiltrated.',
+        references: [
+            'https://attack.mitre.org/tactics/TA0006/',
+            'https://attack.mitre.org/techniques/T1041/'
+        ],
+        enabled: true,
+        correlationRules: [
+            {
+                id: 'CORR-001-A',
+                description: 'Credential access followed by network transmission',
+                filePatterns: ['*'],
+                contentPatterns: [
+                    'SECRET|TOKEN|API_KEY|getenv|process\\.env',
+                    'fetch|axios|XMLHttpRequest|curl|wget|request'
+                ],
+                maxDistance: 3
+            }
+        ]
+    },
+    {
+        id: 'CORR-002',
+        name: 'Permission Escalation + Persistence',
+        category: 'persistence',
+        severity: 'HIGH',
+        description: 'Detects permission changes combined with persistence mechanisms',
+        patterns: [],
+        fileTypes: ['md', 'sh', 'json', 'yaml'],
+        components: ['hook', 'agent', 'settings'],
+        remediation: 'Review permission changes and startup hooks. Remove unauthorized persistence mechanisms.',
+        references: [
+            'https://attack.mitre.org/tactics/TA0004/',
+            'https://attack.mitre.org/tactics/TA0003/'
+        ],
+        enabled: true,
+        correlationRules: [
+            {
+                id: 'CORR-002-A',
+                description: 'Permission escalation with startup persistence',
+                filePatterns: ['*'],
+                contentPatterns: [
+                    'chmod|chown|setuid|sudo|defaultMode.*dontAsk',
+                    'startup|onload|autostart|service.*enable|systemctl.*enable'
+                ],
+                maxDistance: 2
+            }
+        ]
+    },
+    {
+        id: 'CORR-003',
+        name: 'Hook Backdoor + Skill Activation',
+        category: 'backdoors',
+        severity: 'HIGH',
+        description: 'Detects suspicious hooks combined with skill or agent activation patterns',
+        patterns: [],
+        fileTypes: ['md', 'sh', 'json'],
+        components: ['hook', 'skill', 'agent'],
+        remediation: 'Review hook and skill interactions. Remove unauthorized backdoor mechanisms.',
+        references: [
+            'https://attack.mitre.org/techniques/T1546/'
+        ],
+        enabled: true,
+        correlationRules: [
+            {
+                id: 'CORR-003-A',
+                description: 'Malicious hook triggering skill execution',
+                filePatterns: ['hook', 'skill', 'agent'],
+                contentPatterns: [
+                    'hook.*user-prompt|session.*start|pre.*submit',
+                    'skill.*activate|agent.*trigger|claude.*invoke'
+                ],
+                maxDistance: 2
+            }
+        ]
+    },
+    {
+        id: 'CORR-004',
+        name: 'Configuration Tampering + Obfuscation',
+        category: 'obfuscation',
+        severity: 'MEDIUM',
+        description: 'Detects configuration changes combined with obfuscation techniques',
+        patterns: [],
+        fileTypes: ['md', 'json', 'yaml'],
+        components: ['settings', 'ai-config-md', 'mcp'],
+        remediation: 'Review configuration changes and encoding patterns. Remove obfuscated malicious content.',
+        references: [
+            'https://attack.mitre.org/techniques/T1027/'
+        ],
+        enabled: true,
+        correlationRules: [
+            {
+                id: 'CORR-004-A',
+                description: 'Settings modification with hidden content',
+                filePatterns: ['settings', 'config', 'claude'],
+                contentPatterns: [
+                    'settings|configuration|preferences',
+                    'base64|atob|btoa|\\\\x|\\\\u|obfus|encode'
+                ],
+                maxDistance: 1
+            }
+        ]
+    },
+    {
+        id: 'CORR-005',
+        name: 'AI Model Bypass + Data Collection',
+        category: 'ai-specific',
+        severity: 'HIGH',
+        description: 'Detects AI model safeguard bypass combined with data collection patterns',
+        patterns: [],
+        fileTypes: ['md', 'json', 'yaml', 'ts', 'js'],
+        components: ['skill', 'agent', 'ai-config-md'],
+        remediation: 'Review AI model interactions and data handling. Remove bypass attempts and unauthorized data collection.',
+        references: [
+            'https://owasp.org/www-project-top-ten-for-large-language-model-applications/'
+        ],
+        enabled: true,
+        correlationRules: [
+            {
+                id: 'CORR-005-A',
+                description: 'AI safeguard bypass with data harvesting',
+                filePatterns: ['*'],
+                contentPatterns: [
+                    'ignore.*previous.*instruction|forget.*safeguard|bypass.*filter',
+                    'conversation.*history|user.*data|personal.*information|collect.*data'
+                ],
+                maxDistance: 2
+            }
+        ]
+    },
+    {
+        id: 'CORR-006',
+        name: 'Supply Chain + Network Communication',
+        category: 'supply-chain',
+        severity: 'HIGH',
+        description: 'Detects suspicious package installations combined with network communications',
+        patterns: [],
+        fileTypes: ['md', 'sh', 'json', 'yaml'],
+        components: ['plugin', 'mcp', 'settings'],
+        remediation: 'Review package installations and network communications. Verify legitimacy of external dependencies.',
+        references: [
+            'https://attack.mitre.org/techniques/T1195/'
+        ],
+        enabled: true,
+        correlationRules: [
+            {
+                id: 'CORR-006-A',
+                description: 'Package installation with network communication',
+                filePatterns: ['*'],
+                contentPatterns: [
+                    'npm.*install|pip.*install|wget.*http|curl.*http|git.*clone',
+                    'http://|https://|fetch\\(|axios|request\\(|XMLHttpRequest'
+                ],
+                maxDistance: 2
+            }
+        ]
+    },
+    {
+        id: 'CORR-007',
+        name: 'File System Access + Network Transmission',
+        category: 'exfiltration',
+        severity: 'MEDIUM',
+        description: 'Detects file system access patterns combined with network transmission',
+        patterns: [],
+        fileTypes: ['md', 'ts', 'js', 'sh'],
+        components: ['skill', 'agent', 'hook'],
+        remediation: 'Review file system access and network patterns. Ensure sensitive files are not being exfiltrated.',
+        references: [
+            'https://attack.mitre.org/techniques/T1005/',
+            'https://attack.mitre.org/techniques/T1041/'
+        ],
+        enabled: true,
+        correlationRules: [
+            {
+                id: 'CORR-007-A',
+                description: 'File access with network transmission',
+                filePatterns: ['*'],
+                contentPatterns: [
+                    'readFile|writeFile|fs\\.|glob|find.*-name',
+                    'fetch\\(|axios|post|put|XMLHttpRequest'
+                ],
+                maxDistance: 1
+            }
+        ]
+    },
+    {
+        id: 'CORR-008',
+        name: 'Authentication Bypass + Privilege Access',
+        category: 'permissions',
+        severity: 'CRITICAL',
+        description: 'Detects authentication bypass attempts combined with privileged operations',
+        patterns: [],
+        fileTypes: ['md', 'json', 'sh'],
+        components: ['settings', 'hook', 'plugin'],
+        remediation: 'Review authentication mechanisms and privileged operations. Strengthen access controls.',
+        references: [
+            'https://attack.mitre.org/techniques/T1078/'
+        ],
+        enabled: true,
+        correlationRules: [
+            {
+                id: 'CORR-008-A',
+                description: 'Authentication bypass with privileged access',
+                filePatterns: ['*'],
+                contentPatterns: [
+                    'auth.*bypass|no.*auth|skip.*login|admin.*access',
+                    'sudo|root|administrator|privileged|elevated'
+                ],
+                maxDistance: 2
+            }
+        ]
+    }
+];
+export default correlationRules;
+//# sourceMappingURL=correlationRules.js.map

package/dist/rules/credentials.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Credential Harvesting Detection Rules
+ * Detects attempts to collect API keys, tokens, or credentials
+ */
+import type { Rule } from '../types.js';
+export declare const credentialRules: Rule[];
+export default credentialRules;
+//# sourceMappingURL=credentials.d.ts.map

package/dist/rules/credentials.js

@@ -0,0 +1,194 @@
+/**
+ * Credential Harvesting Detection Rules
+ * Detects attempts to collect API keys, tokens, or credentials
+ */
+export const credentialRules = [
+    {
+        id: 'CRED-001',
+        name: 'Environment Variable Credential Access',
+        category: 'credentials',
+        severity: 'CRITICAL',
+        description: 'Detects access to environment variables that commonly contain credentials',
+        patterns: [
+            /\$\{?[A-Z_]*(_KEY|_TOKEN|_SECRET|_PASSWORD|_CREDENTIAL)[}\s]/gi,
+            /process\.env\.(API|SECRET|TOKEN|KEY|PASSWORD|CREDENTIAL)/gi,
+            /\$\{?ANTHROPIC_API_KEY[}\s]/gi,
+            /\$\{?OPENAI_API_KEY[}\s]/gi,
+            /\$\{?AWS_SECRET_ACCESS_KEY[}\s]/gi,
+            /\$\{?GITHUB_TOKEN[}\s]/gi,
+        ],
+        fileTypes: ['sh', 'bash', 'zsh', 'md', 'json'],
+        components: ['hook', 'skill', 'agent', 'ai-config-md', 'settings', 'plugin'],
+        remediation: 'Never access or expose credential environment variables in configuration files.',
+        references: [
+            'https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_credentials',
+        ],
+        enabled: true,
+    },
+    {
+        id: 'CRED-002',
+        name: 'SSH Key Access',
+        category: 'credentials',
+        severity: 'CRITICAL',
+        description: 'Detects attempts to access SSH private keys',
+        patterns: [
+            /~\/\.ssh\/id_/gi,
+            /\/\.ssh\/id_(rsa|ed25519|ecdsa|dsa)/gi,
+            /cat\s+.*\.ssh\/id_/gi,
+            /read.*\.ssh\/id_/gi,
+        ],
+        fileTypes: ['sh', 'bash', 'zsh', 'md'],
+        components: ['hook', 'skill', 'agent', 'ai-config-md', 'plugin'],
+        remediation: 'Never access SSH private keys from configuration files.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'CRED-003',
+        name: 'AWS Credentials Access',
+        category: 'credentials',
+        severity: 'CRITICAL',
+        description: 'Detects attempts to access AWS credential files',
+        patterns: [
+            /\.aws\/credentials/gi,
+            /\.aws\/config/gi,
+            /cat\s+.*\.aws\/(credentials|config)/gi,
+            /AWS_ACCESS_KEY_ID/gi,
+            /AWS_SECRET_ACCESS_KEY/gi,
+        ],
+        fileTypes: ['sh', 'bash', 'zsh', 'md', 'json'],
+        components: ['hook', 'skill', 'agent', 'ai-config-md', 'plugin', 'settings'],
+        remediation: 'Never access AWS credentials from configuration files.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'CRED-004',
+        name: 'Environment File Access',
+        category: 'credentials',
+        severity: 'HIGH',
+        description: 'Detects attempts to read .env or credential files',
+        patterns: [
+            /cat\s+.*\.(env|credentials|pem|key|crt)/gi,
+            /read.*\.(env|credentials)/gi,
+            /source\s+.*\.env/gi,
+            /\.\s+.*\.env/gi,
+        ],
+        fileTypes: ['sh', 'bash', 'zsh', 'md'],
+        components: ['hook', 'skill', 'agent', 'ai-config-md', 'plugin'],
+        remediation: 'Avoid reading .env or credential files in hooks and skills.',
+        references: [],
+        enabled: true,
+        // Filter out documentation about .env file handling
+        excludePatterns: [
+            /\.env\.example/gi, // References to example files
+            /\.env\s+(file\s+)?(configuration|handling|detection)/gi,
+            /if\s+.*\.env.*exists/gi, // Conditional checks in docs
+            /warns?\s+(if|when).*\.env/gi, // Warning descriptions
+        ],
+        excludeContext: [
+            /auto[- ]?detect/gi,
+            /environment\s+(from|detection|configuration)/gi,
+            /documentation|readme/gi,
+        ],
+    },
+    {
+        id: 'CRED-005',
+        name: 'Hardcoded API Keys',
+        category: 'credentials',
+        severity: 'CRITICAL',
+        description: 'Detects potentially hardcoded API keys or secrets',
+        patterns: [
+            /api[_-]?key\s*[:=]\s*["'][a-zA-Z0-9]{20,}/gi,
+            /secret[_-]?key\s*[:=]\s*["'][a-zA-Z0-9]{20,}/gi,
+            /password\s*[:=]\s*["'][^"']{8,}/gi,
+            /sk-[a-zA-Z0-9]{20,}/gi, // OpenAI API key pattern
+            /ghp_[a-zA-Z0-9]{36}/gi, // GitHub personal access token
+            /gho_[a-zA-Z0-9]{36}/gi, // GitHub OAuth token
+            /glpat-[a-zA-Z0-9\-_]{20,}/gi, // GitLab personal access token
+        ],
+        fileTypes: ['sh', 'bash', 'zsh', 'md', 'json', 'yaml', 'yml'],
+        components: ['hook', 'skill', 'agent', 'ai-config-md', 'settings', 'plugin', 'mcp'],
+        remediation: 'Never hardcode API keys or secrets. Use environment variables or secret management.',
+        references: [],
+        enabled: true,
+        // Filter out test passwords, validation messages, and placeholders
+        excludePatterns: [
+            /password\s*[:=]\s*["'](test|example|demo|sample|fake|dummy|placeholder)/gi,
+            /password\s*[:=]\s*["'].*required/gi, // "Password is required"
+            /password\s*[:=]\s*["'].*must\s+(be|have|contain)/gi, // Validation messages
+            /password\s*[:=]\s*["'].*at\s+least/gi, // "must be at least 8 chars"
+            /password\s*[:=]\s*["'].*characters?/gi, // Length validation messages
+            /password\s*[:=]\s*["'].*invalid/gi, // "Invalid password"
+            /password\s*[:=]\s*["'].*enter/gi, // "Please enter password"
+            /password\s*[:=]\s*["']your[_\s]?password/gi, // Placeholder text
+            /password\s*[:=]\s*["']<[^>]+>/gi, // Placeholder like <password>
+            /password\s*[:=]\s*["']\*{3,}/gi, // Masked passwords like ****
+            /password\s*[:=]\s*["']x{8,}/gi, // Placeholder like xxxxxxxx
+            /api[_-]?key\s*[:=]\s*["'](test|example|demo|your[_-]?api[_-]?key)/gi,
+            /secret[_-]?key\s*[:=]\s*["'](test|example|demo|your[_-]?secret)/gi,
+        ],
+        excludeContext: [
+            /\b(test|spec|mock|fixture|example|sample)\b/gi,
+            /validation\s+(message|error|text)/gi,
+            /error\s+message/gi,
+            /placeholder/gi,
+        ],
+    },
+    {
+        id: 'CRED-006',
+        name: 'Credential Harvesting Instructions',
+        category: 'credentials',
+        severity: 'CRITICAL',
+        description: 'Detects markdown instructions to collect or expose credentials',
+        patterns: [
+            /collect\s+.*(api[_-]?key|token|secret|password|credential)/gi,
+            /extract\s+.*(api[_-]?key|token|secret|password|credential)/gi,
+            /find\s+.*(api[_-]?key|token|secret|password|credential)/gi,
+            /show\s+(me\s+)?(the\s+)?(api[_-]?key|token|secret|password|credential)/gi,
+            /output\s+.*(api[_-]?key|token|secret|password|credential)/gi,
+        ],
+        fileTypes: ['md'],
+        components: ['skill', 'agent', 'ai-config-md'],
+        remediation: 'Remove instructions that direct credential collection or exposure.',
+        references: [],
+        enabled: true,
+        // Filter out UI elements, security scanning descriptions, and form field documentation
+        excludePatterns: [
+            /show\s+password\s+(toggle|field|input|icon|button)/gi,
+            /password\s+(toggle|field|input|visibility)/gi,
+            /find\s+(leaked|exposed).*credential/gi, // Security scanning descriptions
+            /token\s+(usage|count|limit)/gi, // Token metrics, not harvesting
+        ],
+        excludeContext: [
+            /\bUI\b|user\s+interface/gi,
+            /form\s+(field|element|input|design)/gi,
+            /toggle\s+(button|icon|visibility)/gi,
+            /security\s+(scan|audit|check|detection)/gi,
+            /secret\s+detection/gi,
+            /eye\s+icon/gi,
+            /input\s+(field|element)/gi,
+        ],
+    },
+    {
+        id: 'CRED-007',
+        name: 'Keychain/Keyring Access',
+        category: 'credentials',
+        severity: 'CRITICAL',
+        description: 'Detects attempts to access system keychains or password stores',
+        patterns: [
+            /security\s+find-generic-password/gi,
+            /security\s+find-internet-password/gi,
+            /keychain/gi,
+            /secret-tool/gi,
+            /pass\s+show/gi,
+        ],
+        fileTypes: ['sh', 'bash', 'zsh', 'md'],
+        components: ['hook', 'skill', 'agent', 'ai-config-md', 'plugin'],
+        remediation: 'Never access system keychains from configuration files.',
+        references: [],
+        enabled: true,
+    },
+];
+export default credentialRules;
+//# sourceMappingURL=credentials.js.map

package/dist/rules/exfiltration.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Data Exfiltration Detection Rules
+ * Detects attempts to send sensitive data to external servers
+ */
+import type { Rule } from '../types.js';
+export declare const exfiltrationRules: Rule[];
+export default exfiltrationRules;
+//# sourceMappingURL=exfiltration.d.ts.map

package/dist/rules/exfiltration.js

@@ -0,0 +1,139 @@
+/**
+ * Data Exfiltration Detection Rules
+ * Detects attempts to send sensitive data to external servers
+ */
+export const exfiltrationRules = [
+    {
+        id: 'EXFIL-001',
+        name: 'Network Exfiltration via curl',
+        category: 'exfiltration',
+        severity: 'CRITICAL',
+        description: 'Detects curl commands that may exfiltrate sensitive data including API keys, tokens, or environment variables',
+        patterns: [
+            /curl\s+.*\$\{?[A-Z_]*(KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)/gi,
+            /curl\s+.*-d\s+.*\$\(/gi,
+            /curl\s+.*--data.*\$\{?[A-Z_]*(KEY|TOKEN|SECRET)/gi,
+            /curl\s+.*-X\s+POST.*\$\(/gi,
+            /curl\s+.*\$\(env\)/gi,
+            /curl\s+.*\$ENV/gi,
+        ],
+        fileTypes: ['sh', 'bash', 'zsh', 'md'],
+        components: ['hook', 'skill', 'agent', 'ai-config-md', 'plugin'],
+        remediation: 'Remove external data transmission commands. Never send environment variables or secrets to external endpoints.',
+        references: [
+            'https://owasp.org/www-community/attacks/Data_Exfiltration',
+        ],
+        enabled: true,
+    },
+    {
+        id: 'EXFIL-002',
+        name: 'Network Exfiltration via wget',
+        category: 'exfiltration',
+        severity: 'CRITICAL',
+        description: 'Detects wget commands that may exfiltrate sensitive data via POST requests',
+        patterns: [
+            /wget\s+.*--post-data.*\$\{?[A-Z_]*(KEY|TOKEN|SECRET|PASSWORD)/gi,
+            /wget\s+.*--post-file/gi,
+            /wget\s+.*-O\s*-.*\|/gi,
+        ],
+        fileTypes: ['sh', 'bash', 'zsh', 'md'],
+        components: ['hook', 'skill', 'agent', 'ai-config-md', 'plugin'],
+        remediation: 'Remove wget commands that transmit data externally.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'EXFIL-003',
+        name: 'Netcat Data Transmission',
+        category: 'exfiltration',
+        severity: 'CRITICAL',
+        description: 'Detects netcat (nc) commands that may establish reverse connections or transmit data',
+        patterns: [
+            /nc\s+.*-e\s+\/bin/gi,
+            /nc\s+.*\d+\.\d+\.\d+\.\d+\s+\d+/gi,
+            /netcat\s+.*-e/gi,
+            /ncat\s+.*-e/gi,
+        ],
+        fileTypes: ['sh', 'bash', 'zsh', 'md'],
+        components: ['hook', 'skill', 'agent', 'ai-config-md', 'plugin'],
+        remediation: 'Remove netcat commands. These are commonly used for data exfiltration and reverse shells.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'EXFIL-004',
+        name: 'Base64 Encoded Exfiltration',
+        category: 'exfiltration',
+        severity: 'HIGH',
+        description: 'Detects base64 encoding piped to network commands, a common exfiltration technique',
+        patterns: [
+            /base64\s+.*\|\s*curl/gi,
+            /base64\s+.*\|\s*wget/gi,
+            /\|\s*base64\s+.*\|\s*curl/gi,
+            /cat\s+.*\|\s*base64\s+.*\|\s*(curl|wget)/gi,
+        ],
+        fileTypes: ['sh', 'bash', 'zsh', 'md'],
+        components: ['hook', 'skill', 'agent', 'ai-config-md', 'plugin'],
+        remediation: 'Remove base64 encoding combined with network transmission.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'EXFIL-005',
+        name: 'Markdown Exfiltration Instructions',
+        category: 'exfiltration',
+        severity: 'CRITICAL',
+        description: 'Detects instructions in markdown files that direct Claude to exfiltrate data',
+        patterns: [
+            /send\s+.*\s+to\s+.*(webhook|endpoint|server|api|url)/gi,
+            /exfiltrate\s+.*(key|token|secret|credential|password|data)/gi,
+            /upload\s+.*(key|token|secret|credential|password)\s+to/gi,
+            /POST\s+.*containing\s+.*(environment|env|secret|key|token)/gi,
+            /transmit\s+.*(secret|key|token|credential)\s+to/gi,
+            /leak\s+.*(data|secret|key|token|credential)/gi,
+        ],
+        fileTypes: ['md'],
+        components: ['skill', 'agent', 'ai-config-md'],
+        remediation: 'Remove instructions that direct data to be sent to external endpoints.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'EXFIL-006',
+        name: 'DNS Exfiltration',
+        category: 'exfiltration',
+        severity: 'HIGH',
+        description: 'Detects potential DNS-based data exfiltration techniques',
+        patterns: [
+            /dig\s+.*\$\{?[A-Z_]/gi,
+            /nslookup\s+.*\$\{?[A-Z_]/gi,
+            /host\s+.*\$\{?[A-Z_]/gi,
+        ],
+        fileTypes: ['sh', 'bash', 'zsh'],
+        components: ['hook', 'plugin'],
+        remediation: 'Remove DNS lookups that include variable data. DNS can be used for data exfiltration.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'EXFIL-007',
+        name: 'Webhook Data Transmission',
+        category: 'exfiltration',
+        severity: 'HIGH',
+        description: 'Detects webhook URLs being used to transmit potentially sensitive data',
+        patterns: [
+            /WEBHOOK.*=.*http/gi,
+            /webhook.*url.*=.*http/gi,
+            /discord\.com\/api\/webhooks/gi,
+            /hooks\.slack\.com/gi,
+            /webhook\.site/gi,
+        ],
+        fileTypes: ['sh', 'bash', 'zsh', 'json', 'md'],
+        components: ['hook', 'settings', 'skill', 'agent', 'ai-config-md'],
+        remediation: 'Review webhook usage. Ensure no sensitive data is being transmitted to external webhooks.',
+        references: [],
+        enabled: true,
+    },
+];
+export default exfiltrationRules;
+//# sourceMappingURL=exfiltration.js.map

package/dist/rules/index.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Rule Registry - Manages all security detection rules
+ */
+import type { Rule, ThreatCategory, Severity } from '../types.js';
+import { exfiltrationRules } from './exfiltration.js';
+import { credentialRules } from './credentials.js';
+import { injectionRules } from './injection.js';
+import { backdoorRules } from './backdoors.js';
+import { obfuscationRules } from './obfuscation.js';
+import { permissionRules } from './permissions.js';
+import { persistenceRules } from './persistence.js';
+import { supplyChainRules } from './supply-chain.js';
+import { aiSpecificRules } from './ai-specific.js';
+import { semanticRules } from './semanticRules.js';
+import { correlationRules } from './correlationRules.js';
+/**
+ * Get all rules
+ */
+export declare function getAllRules(): Rule[];
+/**
+ * Get rules filtered by categories
+ */
+export declare function getRulesByCategories(categories: ThreatCategory[]): Rule[];
+/**
+ * Get rules filtered by severity
+ */
+export declare function getRulesBySeverity(severities: Severity[]): Rule[];
+/**
+ * Get a specific rule by ID
+ */
+export declare function getRuleById(id: string): Rule | undefined;
+/**
+ * Get enabled rules only
+ */
+export declare function getEnabledRules(): Rule[];
+/**
+ * Get rules for scanning with filters applied
+ */
+export declare function getRulesForScan(categories: ThreatCategory[], severities: Severity[]): Rule[];
+/**
+ * Get rule statistics
+ */
+export declare function getRuleStats(): {
+    total: number;
+    enabled: number;
+    byCategory: Record<ThreatCategory, number>;
+    bySeverity: Record<Severity, number>;
+};
+export { exfiltrationRules, credentialRules, injectionRules, backdoorRules, obfuscationRules, permissionRules, persistenceRules, supplyChainRules, aiSpecificRules, semanticRules, correlationRules, };
+export default getAllRules;
+//# sourceMappingURL=index.d.ts.map