honeyweb-core 1.0.2 → 2.0.0

package/ai/gemini.js

@@ -0,0 +1,52 @@
+// honeyweb-core/ai/gemini.js
+// Google Gemini API client (extracted from main index.js)
+
+const { GoogleGenerativeAI } = require('@google/generative-ai');
+
+class GeminiClient {
+    constructor(config) {
+        this.enabled = config.enabled && config.apiKey;
+        this.timeout = config.timeout || 10000;
+
+        if (this.enabled) {
+            this.genAI = new GoogleGenerativeAI(config.apiKey);
+            this.model = this.genAI.getGenerativeModel({ model: config.model || 'gemini-2.0-flash-exp' });
+        }
+    }
+
+    /**
+     * Generate AI analysis
+     * @param {string} prompt - Analysis prompt
+     * @returns {Promise<string>} - AI response
+     */
+    async analyze(prompt) {
+        if (!this.enabled) {
+            return null;
+        }
+
+        try {
+            const result = await Promise.race([
+                this.model.generateContent(prompt),
+                new Promise((_, reject) =>
+                    setTimeout(() => reject(new Error('AI request timeout')), this.timeout)
+                )
+            ]);
+
+            const response = await result.response;
+            return response.text();
+        } catch (err) {
+            console.error('[Gemini] AI analysis failed:', err.message);
+            return null;
+        }
+    }
+
+    /**
+     * Check if AI is enabled
+     * @returns {boolean}
+     */
+    isEnabled() {
+        return this.enabled;
+    }
+}
+
+module.exports = GeminiClient;

package/ai/index.js

@@ -0,0 +1,49 @@
+// honeyweb-core/ai/index.js
+// AI orchestrator
+
+const GeminiClient = require('./gemini');
+const { generateThreatAnalysisPrompt, generateTrapAnalysisPrompt } = require('./prompt-templates');
+
+class AIAnalyzer {
+    constructor(config) {
+        this.client = new GeminiClient(config);
+    }
+
+    /**
+     * Analyze threat with AI
+     * @param {Object} data - Threat data
+     * @returns {Promise<string|null>} - AI analysis report
+     */
+    async analyzeThreat(data) {
+        if (!this.client.isEnabled()) {
+            return null;
+        }
+
+        const prompt = generateThreatAnalysisPrompt(data);
+        return await this.client.analyze(prompt);
+    }
+
+    /**
+     * Analyze trap trigger with AI
+     * @param {Object} data - Trap trigger data
+     * @returns {Promise<string|null>} - AI analysis report
+     */
+    async analyzeTrap(data) {
+        if (!this.client.isEnabled()) {
+            return null;
+        }
+
+        const prompt = generateTrapAnalysisPrompt(data);
+        return await this.client.analyze(prompt);
+    }
+
+    /**
+     * Check if AI is enabled
+     * @returns {boolean}
+     */
+    isEnabled() {
+        return this.client.isEnabled();
+    }
+}
+
+module.exports = AIAnalyzer;

package/ai/prompt-templates.js

@@ -0,0 +1,64 @@
+// honeyweb-core/ai/prompt-templates.js
+// AI prompt templates for threat analysis
+
+/**
+ * Generate threat analysis prompt
+ * @param {Object} data - Threat data
+ * @returns {string} - Formatted prompt
+ */
+function generateThreatAnalysisPrompt(data) {
+    const { ip, path, threats, userAgent, referer, method, timestamp } = data;
+
+    return `You are a cybersecurity analyst. Analyze this suspicious web request and provide a concise threat assessment.
+
+**Request Details:**
+- IP Address: ${ip}
+- Path: ${path}
+- Method: ${method}
+- User-Agent: ${userAgent || 'Not provided'}
+- Referer: ${referer || 'Not provided'}
+- Timestamp: ${new Date(timestamp).toISOString()}
+
+**Detected Threats:**
+${threats.map(t => `- ${t}`).join('\n')}
+
+**Analysis Required:**
+1. What type of attack is this likely to be?
+2. What is the attacker's probable intent?
+3. What vulnerabilities are they trying to exploit?
+4. Recommended defensive actions?
+
+Provide a brief, actionable report (3-4 sentences).`;
+}
+
+/**
+ * Generate trap trigger analysis prompt
+ * @param {Object} data - Trap trigger data
+ * @returns {string} - Formatted prompt
+ */
+function generateTrapAnalysisPrompt(data) {
+    const { ip, path, userAgent, timestamp } = data;
+
+    return `A honeypot trap was triggered. Analyze this bot behavior:
+
+**Bot Details:**
+- IP Address: ${ip}
+- Trap Path: ${path}
+- User-Agent: ${userAgent || 'Not provided'}
+- Timestamp: ${new Date(timestamp).toISOString()}
+
+**Context:**
+The bot accessed an invisible honeypot link that legitimate users cannot see. This indicates automated crawling behavior.
+
+**Analysis Required:**
+1. What type of bot is this (scraper, vulnerability scanner, etc.)?
+2. What is the bot's likely purpose?
+3. Is this a sophisticated or basic bot?
+
+Provide a brief assessment (2-3 sentences).`;
+}
+
+module.exports = {
+    generateThreatAnalysisPrompt,
+    generateTrapAnalysisPrompt
+};

package/config/defaults.js

@@ -0,0 +1,79 @@
+// honeyweb-core/config/defaults.js
+// Default configuration values extracted from hardcoded constants
+
+module.exports = {
+    // AI Configuration
+    ai: {
+        enabled: true,
+        apiKey: process.env.HONEYWEB_API_KEY || '',
+        model: 'gemini-2.0-flash-exp',
+        timeout: 10000
+    },
+
+    // Detection Configuration
+    detection: {
+        patterns: {
+            enabled: true,
+            sqli: true,
+            xss: true
+        },
+        behavioral: {
+            enabled: false, // Phase 2 feature
+            suspicionThreshold: 50,
+            trackTiming: true,
+            trackNavigation: true
+        },
+        whitelist: {
+            enabled: false, // Phase 2 feature
+            verifyDNS: true,
+            cacheTTL: 86400000, // 24 hours
+            bots: ['Googlebot', 'Bingbot', 'Slackbot', 'facebookexternalhit']
+        }
+    },
+
+    // Rate Limiting
+    rateLimit: {
+        enabled: true,
+        window: 10000, // 10 seconds
+        maxRequests: 50,
+        cleanupInterval: 60000 // Auto-cleanup every 60s
+    },
+
+    // Storage Configuration
+    storage: {
+        type: 'json', // 'json' or 'memory'
+        path: './blocked-ips.json',
+        async: true,
+        cache: true,
+        banDuration: 86400000, // 24 hours
+        autoCleanup: true
+    },
+
+    // Trap Configuration
+    traps: {
+        paths: [
+            '/admin-backup-v2',
+            '/wp-login-hidden',
+            '/db-dump-2024',
+            '/auth/root-access',
+            '/sys/config-safe'
+        ],
+        injection: {
+            enabled: true,
+            invisibleLinks: true
+        }
+    },
+
+    // Dashboard Configuration
+    dashboard: {
+        enabled: true,
+        path: '/honeyweb-status',
+        secret: process.env.HONEYWEB_DASHBOARD_SECRET || 'admin123'
+    },
+
+    // Logging Configuration
+    logging: {
+        level: 'info', // 'debug', 'info', 'warn', 'error'
+        format: 'pretty' // 'pretty' or 'json'
+    }
+};

package/config/index.js

@@ -0,0 +1,83 @@
+// honeyweb-core/config/index.js
+// Configuration loader with validation
+
+const defaults = require('./defaults');
+const { validateConfig } = require('./schema');
+const path = require('path');
+const fs = require('fs');
+
+/**
+ * Deep merge two objects
+ */
+function deepMerge(target, source) {
+    const output = { ...target };
+
+    if (isObject(target) && isObject(source)) {
+        Object.keys(source).forEach(key => {
+            if (isObject(source[key])) {
+                if (!(key in target)) {
+                    output[key] = source[key];
+                } else {
+                    output[key] = deepMerge(target[key], source[key]);
+                }
+            } else {
+                output[key] = source[key];
+            }
+        });
+    }
+
+    return output;
+}
+
+function isObject(item) {
+    return item && typeof item === 'object' && !Array.isArray(item);
+}
+
+/**
+ * Load configuration from multiple sources
+ * Priority: userConfig > configFile > envVars > defaults
+ *
+ * @param {Object} userConfig - Configuration passed programmatically
+ * @returns {Object} - Merged and validated configuration
+ */
+function loadConfig(userConfig = {}) {
+    let config = { ...defaults };
+
+    // 1. Try to load from config file (honeyweb.config.js)
+    const configPath = path.join(process.cwd(), 'honeyweb.config.js');
+    if (fs.existsSync(configPath)) {
+        try {
+            const fileConfig = require(configPath);
+            config = deepMerge(config, fileConfig);
+        } catch (err) {
+            console.warn('[HoneyWeb] Warning: Failed to load honeyweb.config.js:', err.message);
+        }
+    }
+
+    // 2. Override with environment variables
+    if (process.env.HONEYWEB_API_KEY) {
+        config.ai.apiKey = process.env.HONEYWEB_API_KEY;
+    }
+    if (process.env.HONEYWEB_DASHBOARD_SECRET) {
+        config.dashboard.secret = process.env.HONEYWEB_DASHBOARD_SECRET;
+    }
+    if (process.env.HONEYWEB_LOG_LEVEL) {
+        config.logging.level = process.env.HONEYWEB_LOG_LEVEL;
+    }
+    if (process.env.HONEYWEB_STORAGE_PATH) {
+        config.storage.path = process.env.HONEYWEB_STORAGE_PATH;
+    }
+
+    // 3. Override with user-provided config (highest priority)
+    config = deepMerge(config, userConfig);
+
+    // 4. Validate configuration
+    const validation = validateConfig(config);
+    if (!validation.valid) {
+        throw new Error(`[HoneyWeb] Invalid configuration:\n${validation.errors.join('\n')}`);
+    }
+
+    return config;
+}
+
+module.exports = { loadConfig };

package/config/schema.js

@@ -0,0 +1,72 @@
+// honeyweb-core/config/schema.js
+// Configuration validation schema
+
+/**
+ * Validates configuration object
+ * @param {Object} config - Configuration to validate
+ * @returns {Object} - { valid: boolean, errors: string[] }
+ */
+function validateConfig(config) {
+    const errors = [];
+
+    // Validate AI config
+    if (config.ai) {
+        // Note: API key is optional - AI will be disabled at runtime if missing
+        if (config.ai.timeout && (typeof config.ai.timeout !== 'number' || config.ai.timeout < 0)) {
+            errors.push('AI timeout must be a positive number');
+        }
+    }
+
+    // Validate rate limit config
+    if (config.rateLimit) {
+        if (config.rateLimit.window && (typeof config.rateLimit.window !== 'number' || config.rateLimit.window <= 0)) {
+            errors.push('Rate limit window must be a positive number');
+        }
+        if (config.rateLimit.maxRequests && (typeof config.rateLimit.maxRequests !== 'number' || config.rateLimit.maxRequests <= 0)) {
+            errors.push('Rate limit maxRequests must be a positive number');
+        }
+    }
+
+    // Validate storage config
+    if (config.storage) {
+        if (config.storage.type && !['json', 'memory'].includes(config.storage.type)) {
+            errors.push('Storage type must be "json" or "memory"');
+        }
+        if (config.storage.type === 'json' && !config.storage.path) {
+            errors.push('Storage path is required for JSON storage');
+        }
+    }
+
+    // Validate traps config
+    if (config.traps && config.traps.paths) {
+        if (!Array.isArray(config.traps.paths)) {
+            errors.push('Trap paths must be an array');
+        } else if (config.traps.paths.length === 0) {
+            errors.push('At least one trap path is required');
+        }
+    }
+
+    // Validate dashboard config
+    if (config.dashboard) {
+        if (config.dashboard.enabled && !config.dashboard.path) {
+            errors.push('Dashboard path is required when dashboard is enabled');
+        }
+    }
+
+    // Validate logging config
+    if (config.logging) {
+        if (config.logging.level && !['debug', 'info', 'warn', 'error'].includes(config.logging.level)) {
+            errors.push('Logging level must be one of: debug, info, warn, error');
+        }
+        if (config.logging.format && !['pretty', 'json'].includes(config.logging.format)) {
+            errors.push('Logging format must be "pretty" or "json"');
+        }
+    }
+
+    return {
+        valid: errors.length === 0,
+        errors
+    };
+}
+
+module.exports = { validateConfig };

package/detection/behavioral.js

@@ -0,0 +1,186 @@
+// honeyweb-core/detection/behavioral.js
+// Behavioral analysis to detect bot-like patterns
+
+class BehavioralAnalyzer {
+    constructor(config) {
+        this.enabled = config.enabled !== false;
+        this.suspicionThreshold = config.suspicionThreshold || 50;
+        this.trackTiming = config.trackTiming !== false;
+        this.trackNavigation = config.trackNavigation !== false;
+
+        // Track sessions per IP
+        this.sessions = new Map(); // ip -> { requests: [], pages: [], firstSeen: timestamp }
+
+        // Auto-cleanup old sessions every 5 minutes
+        this.cleanupInterval = setInterval(() => {
+            this._cleanupOldSessions();
+        }, 300000);
+    }
+
+    /**
+     * Analyze request for bot-like behavior
+     * @param {Object} req - Express request object
+     * @param {string} ip - Client IP address
+     * @returns {Object} - { suspicious: boolean, suspicionScore: number, reasons: string[] }
+     */
+    analyze(req, ip) {
+        if (!this.enabled) {
+            return { suspicious: false, suspicionScore: 0, reasons: [] };
+        }
+
+        const now = Date.now();
+        const reasons = [];
+        let suspicionScore = 0;
+
+        // Get or create session
+        let session = this.sessions.get(ip);
+        if (!session) {
+            session = {
+                requests: [],
+                pages: [],
+                firstSeen: now
+            };
+            this.sessions.set(ip, session);
+        }
+
+        // 1. TIMING ANALYSIS
+        if (this.trackTiming && session.requests.length > 0) {
+            const lastRequest = session.requests[session.requests.length - 1];
+            const timeSinceLastRequest = now - lastRequest;
+
+            // Too fast (< 100ms between requests)
+            if (timeSinceLastRequest < 100) {
+                reasons.push('Requests too fast (< 100ms interval)');
+                suspicionScore += 30;
+            }
+
+            // Check for consistent timing (bot pattern)
+            if (session.requests.length >= 5) {
+                const intervals = [];
+                for (let i = 1; i < session.requests.length; i++) {
+                    intervals.push(session.requests[i] - session.requests[i - 1]);
+                }
+
+                // Calculate variance
+                const avgInterval = intervals.reduce((a, b) => a + b, 0) / intervals.length;
+                const variance = intervals.reduce((sum, interval) => {
+                    return sum + Math.pow(interval - avgInterval, 2);
+                }, 0) / intervals.length;
+
+                // Low variance = consistent timing = bot
+                if (variance < 1000 && avgInterval < 2000) {
+                    reasons.push('Consistent request timing (bot pattern)');
+                    suspicionScore += 25;
+                }
+            }
+        }
+
+        // 2. NAVIGATION ANALYSIS
+        if (this.trackNavigation) {
+            const path = req.path;
+
+            // Detect direct deep link access (skipping homepage)
+            if (session.pages.length === 0 && path !== '/' && !path.startsWith('/public')) {
+                reasons.push('Direct deep link access (skipped homepage)');
+                suspicionScore += 15;
+            }
+
+            // Detect breadth-first crawling (accessing many different paths quickly)
+            const uniquePaths = new Set(session.pages);
+            if (uniquePaths.size > 10 && (now - session.firstSeen) < 10000) {
+                reasons.push('Breadth-first crawling detected');
+                suspicionScore += 20;
+            }
+
+            session.pages.push(path);
+        }
+
+        // 3. SESSION ANALYSIS
+        const sessionDuration = now - session.firstSeen;
+        const requestCount = session.requests.length;
+
+        // Short session with many requests (scraping)
+        if (sessionDuration < 5000 && requestCount > 10) {
+            reasons.push('High request rate in short session');
+            suspicionScore += 20;
+        }
+
+        // Very long session with consistent activity (persistent bot)
+        if (sessionDuration > 300000 && requestCount > 100) {
+            reasons.push('Persistent automated activity');
+            suspicionScore += 15;
+        }
+
+        // Record this request
+        session.requests.push(now);
+
+        // Keep only last 20 requests to prevent memory bloat
+        if (session.requests.length > 20) {
+            session.requests = session.requests.slice(-20);
+        }
+        if (session.pages.length > 50) {
+            session.pages = session.pages.slice(-50);
+        }
+
+        // Cap score at 100
+        suspicionScore = Math.min(100, suspicionScore);
+
+        return {
+            suspicious: suspicionScore >= this.suspicionThreshold,
+            suspicionScore,
+            reasons
+        };
+    }
+
+    /**
+     * Clean up old sessions (> 1 hour)
+     * @private
+     */
+    _cleanupOldSessions() {
+        const now = Date.now();
+        const maxAge = 3600000; // 1 hour
+
+        for (const [ip, session] of this.sessions.entries()) {
+            if (now - session.firstSeen > maxAge) {
+                this.sessions.delete(ip);
+            }
+        }
+    }
+
+    /**
+     * Get statistics
+     * @returns {Object}
+     */
+    getStats() {
+        return {
+            activeSessions: this.sessions.size,
+            enabled: this.enabled
+        };
+    }
+
+    /**
+     * Reset session for an IP
+     * @param {string} ip
+     */
+    resetSession(ip) {
+        this.sessions.delete(ip);
+    }
+
+    /**
+     * Clear all sessions
+     */
+    clear() {
+        this.sessions.clear();
+    }
+
+    /**
+     * Cleanup and stop timers
+     */
+    destroy() {
+        if (this.cleanupInterval) {
+            clearInterval(this.cleanupInterval);
+        }
+    }
+}
+
+module.exports = BehavioralAnalyzer;