loghunter-cli 0.1.0.dev0__py3-none-any.whl

loghunter/common/paths.py

@@ -0,0 +1,105 @@
+"""Be-like-water target resolution shared by CLI, runner, and exporters.
+
+One function (``be_like_water``) decides whether a user-supplied target string
+points to a FILE or a DIRECTORY, via a gated ladder. The trailing-slash gate is
+evaluated BEFORE any disk check so an explicit trailing slash can never be
+overridden by what happens to exist on disk.
+
+A second helper (``resolve_path``) resolves a config-supplied path string
+against the LH_ROOT base. ``effective_root`` reads the active root from env or
+config. CLI-supplied paths never get root applied; only config-file values do.
+"""
+
+from __future__ import annotations
+
+import os
+from pathlib import Path
+from typing import Any, NamedTuple
+
+
+class ResolvedTarget(NamedTuple):
+    """Verdict from be_like_water: where to write, and whether it's a file or directory.
+
+    Attributes:
+        path: For FILE mode, the exact file path. For DIRECTORY mode, the
+            directory; caller auto-names inside it.
+        is_file: True for FILE, False for DIRECTORY.
+    """
+
+    path: Path
+    is_file: bool
+
+
+def be_like_water(target: str) -> ResolvedTarget:
+    """Resolve a target string to a (path, is_file) verdict via a gated ladder.
+
+    Gates evaluated in order — a winning gate decides without falling through:
+
+      Step 0 (gate): trailing slash -> DIRECTORY. No disk consult.
+                     Explicit user intent overrides anything that happens to
+                     exist on disk by that name.
+
+    For targets without a trailing slash, conform to disk first:
+
+      Step 1: exists and is_file() -> FILE (use as-is; overwrite silently at write).
+      Step 2: exists and is_dir()  -> DIRECTORY (auto-name inside).
+      Step 3: does not exist       -> FILE. Parent will be mkdir-p'd at write;
+                                      basename IS the filename whatever it looks like
+                                      (no suffix inspection).
+
+    Exotic fs objects (dangling symlinks, FIFOs, devices) fall through to step 3
+    and let the real open() surface the error via the CLI actionable-error
+    boundary. We do not special-case exotic fs objects.
+
+    Pure-ish: reads disk for exists/is_file/is_dir but does NOT create
+    directories. Callers mkdir at write time.
+
+    Args:
+        target: Raw path string, NOT a Path. Path normalizes trailing slashes
+            away, so the raw user intent must be preserved end-to-end.
+
+    Returns:
+        ResolvedTarget(path, is_file) — path is expanduser'd; caller decides
+        when to mkdir.
+    """
+    if target.endswith("/"):
+        return ResolvedTarget(Path(target).expanduser(), is_file=False)
+    p = Path(target).expanduser()
+    if p.is_file():
+        return ResolvedTarget(p, is_file=True)
+    if p.is_dir():
+        return ResolvedTarget(p, is_file=False)
+    return ResolvedTarget(p, is_file=True)
+
+
+def resolve_path(value: str | None, root: str) -> str | None:
+    """Resolve a config-supplied path value against the LH_ROOT base.
+
+    Returns a STRING (trailing slash preserved) or None — never a Path, so
+    output-dir callers can still hand the result to ``be_like_water`` without
+    Path() stripping the directory-intent slash.
+
+      None / ""        -> None              (key unset)
+      "/var/log/zeek"  -> as-is             (absolute: root ignored)
+      "~/x/exports"    -> expanduser(value) (~-anchored: root ignored)
+      "exports"        -> join(expanduser(root), value) if root else value
+
+    Pure path helper — no validation, no URL handling, no suffix sniffing.
+    Apply to CONFIG-supplied paths only; CLI-supplied paths take ``root=""``
+    so they get ``~``-expansion but resolve relative to CWD as shell semantics
+    demand.
+    """
+    if not value:
+        return None
+    if os.path.isabs(value):
+        return value
+    if value.startswith("~"):
+        return os.path.expanduser(value)
+    if root:
+        return os.path.join(os.path.expanduser(root), value)
+    return value
+
+
+def effective_root(config: dict[str, Any]) -> str:
+    """Return the active LH_ROOT — env wins, then config, then empty."""
+    return os.environ.get("LOGHUNTER_ROOT") or config.get("loghunter", {}).get("root", "")

loghunter/common/sources.py

@@ -0,0 +1,392 @@
+"""Single-ownership source resolution for LogHunter.
+
+Replaces a four-instance bug class:
+
+- ``runner.run`` + ``run_digest`` used to overload ``None`` to mean both
+  "no override" and "scoped out — don't load this." Result: CLI scoping was
+  silently undone when the runner config-filled a None back, so
+  ``loghunter syslog ./flat.log`` also loaded configured Zeek
+  ``syslog*.log*`` on a default install.
+- Analyze CLI, digest CLI, runner, and ``run_digest`` each carried their
+  own per-key config-fallback ladder, drifting in error strings and
+  semantics.
+- The detect-path positional→source router was implemented three times
+  (analyze, single-detector, and a "wrong-source" hint scold), with a
+  ``detector_name == "syslog"`` content-sniff special case while DNS
+  routed by filename ``fnmatch``.
+
+After this module:
+
+- One owner of source resolution. ``resolve_sources`` is the analyze
+  resolver; ``resolve_digest_source`` is the digest resolver.
+  ``_resolve_one`` is the ONLY site where a source-dir string becomes a
+  resolved ``Path`` — CLI seams pass raw strings (or ``None``) and the
+  runner threads them straight in.
+- ``None`` everywhere means strictly "no override." Scope is the only
+  scoping signal.
+- One generic content-sniff router, ``route_positional_source``.
+
+Layering: this module imports ``common.paths`` and ``common.loader``
+(content sniffing). It MUST NOT import from ``loghunter.detectors`` —
+``route_positional_source`` takes an already-imported detector module
+as a parameter; the CLI does the ``importlib`` work.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Any, Sequence
+
+from loghunter.common.loader import sniff_format_detailed
+from loghunter.common.paths import effective_root, resolve_path
+
+_ALL_KEYS: tuple[str, ...] = (
+    "zeek_dir", "syslog_dir", "pihole_dir", "cloudtrail_dir",
+)
+
+
+def _present(value: object) -> bool:
+    """An override counts only when it carries a real value.
+
+    The CLI parser stores a bare ``--zeek-dir=`` (no value after the ``=``) as
+    the EMPTY STRING — not None, not rejected. ``None``-vs-``""`` is the same
+    falsy-vs-None ambiguity class the single-ownership refactor exists to kill:
+    treating ``""`` as "present" makes ``_resolve_one("", …)`` return None and
+    silently suppresses config fallback, so a configured ``[loghunter].zeek_dir``
+    is ignored when the operator passes a bare flag. Match the pre-refactor
+    truthiness semantics (``if cli_val:``) by promoting the boundary check
+    here: any falsy override (None, "", empty Path string) is "no override."
+
+    Used by the digest resolver, which stays scalar-shaped (digest is
+    card-per-file; multi-input union does not apply). The analyze resolver
+    uses ``_normalize_overrides`` instead, which handles scalar / list /
+    None uniformly under the same falsy-is-absent rule.
+    """
+    return bool(value)
+
+
+def _normalize_overrides(
+    value: str | Path | Sequence[str | Path] | None,
+) -> list[str | Path]:
+    """Normalize an override value to a list of truthy scalar inputs.
+
+    The widened contract for ``runner.run``'s four source-dir kwargs is
+    ``str | Path | Sequence[str | Path] | None``. This function is the SINGLE
+    rule:
+
+    - ``None`` → ``[]`` (absent — signal config fallback within scope)
+    - scalar truthy ``str`` / ``Path`` → ``[scalar]`` (one-element list — the
+      degenerate case that keeps programmatic scalar callers byte-identical)
+    - scalar falsy (``""`` / empty Path string) → ``[]`` (absent — same
+      ``_present`` semantics, just expressed at the list boundary)
+    - sequence → ``[v for v in value if v]`` — drop falsy members FIRST so
+      ``["", "/x"]`` and ``["/x"]`` are equivalent, PRESERVE order
+
+    Dedup is intentionally NOT here. Cross-input dedup by ``.resolve()``
+    happens at the loader file-union site (``_union_dedupe``), not at the
+    string layer; doing it here would collapse two CLI inputs whose strings
+    differ but resolve to the same file BEFORE the user sees them rendered
+    in ``_print_dry_run``.
+    """
+    if value is None:
+        return []
+    if isinstance(value, (str, Path)):
+        return [value] if value else []
+    return [v for v in value if v]
+
+
+@dataclass(frozen=True)
+class ResolvedSources:
+    """The four source-dir buckets, resolved once by ``resolve_sources``.
+
+    Each field is the LIST of resolved ``Path`` inputs the runner should
+    load from for that family — positionals contributed by the CLI,
+    explicit ``--<family>-dir`` flag values, and config fallback (within
+    scope). An EMPTY LIST means the source is neither overridden nor
+    configured, or is scoped out of the run.
+
+    Single-input shape is the degenerate one-element list: scalar
+    programmatic callers (``runner.run(zeek_dir="/x")``) flow through
+    ``_normalize_overrides`` and land here as ``[Path("/x")]`` —
+    byte-identical downstream behavior with the prior scalar shape.
+    """
+
+    zeek_dir: list[Path]
+    syslog_dir: list[Path]
+    pihole_dir: list[Path]
+    cloudtrail_dir: list[Path]
+
+
+@dataclass(frozen=True)
+class DigestSource:
+    """The single source chosen by ``resolve_digest_source`` for a digest schema.
+
+    Attributes:
+        source_key: One of ``zeek_dir`` / ``syslog_dir`` / ``pihole_dir`` /
+            ``cloudtrail_dir`` — the key ``run_digest`` looks up its
+            (pattern, empty_columns) mapping against.
+        directory: Resolved directory ``Path`` to load from.
+        feed: Schema-specific feed identifier — ``"zeek"`` / ``"pihole"`` /
+            ``"syslog"`` for the fidelity-aware schemas (dns, syslog), or
+            ``None`` for the single-source schemas (conn, cloudtrail).
+    """
+
+    source_key: str
+    directory: Path
+    feed: str | None
+
+
+def _resolve_one(
+    override: str | Path | None,
+    cfg_value: Any,
+    root: str,
+) -> Path | None:
+    """Single-key atom — the ONE site that converts a source-dir string to a Path.
+
+    A non-None ``override`` is treated as a CLI/explicit value and goes
+    through ``resolve_path(str(override), "")`` — shell semantics: ``~``
+    expansion, no LH_ROOT prefix (CLI-supplied paths resolve against CWD as
+    shells expect). A None ``override`` falls back to ``cfg_value`` resolved
+    via LH_ROOT (``resolve_path(cfg_value, root)``). Either branch returning
+    a falsy string yields ``None``.
+
+    ``str(override)`` so a ``Path`` override round-trips identically — only
+    the resulting absolute-or-relative string semantics matter to
+    ``resolve_path``.
+    """
+    if override is not None:
+        resolved = resolve_path(str(override), "")
+    else:
+        resolved = resolve_path(cfg_value, root)
+    return Path(resolved) if resolved else None
+
+
+def resolve_sources(
+    config: dict[str, Any],
+    *,
+    overrides: dict[str, str | Path | Sequence[str | Path] | None],
+    scope: frozenset[str] | None,
+) -> ResolvedSources:
+    """Resolve all four source dirs for an analyze run, list-shaped.
+
+    Per-key truth table (after ``_normalize_overrides`` → ``list[str | Path]``):
+
+    +------------------------+----------------------------------+--------------------------------------------------+
+    | override list          | scope                            | result                                           |
+    +========================+==================================+==================================================+
+    | non-empty              | any                              | ``[_resolve_one(o, None, root) for o in list]``  |
+    +------------------------+----------------------------------+--------------------------------------------------+
+    | empty                  | ``None`` or ``key in scope``     | ``[_resolve_one(None, cfg_value, root)]``        |
+    +------------------------+----------------------------------+--------------------------------------------------+
+    | empty                  | ``key not in scope``             | ``[]`` — NEVER config-filled                     |
+    +------------------------+----------------------------------+--------------------------------------------------+
+
+    An override outside ``scope`` still applies — that is the operator
+    widening the run deliberately.
+
+    Single-element override lists give byte-identical downstream behavior
+    with the prior scalar shape, so ``runner.run(zeek_dir="/x")`` callers
+    (~35 sites + ``tests/test_root_provenance.py``) remain unchanged at
+    their call site — the normalization layer accepts either form.
+
+    Config fallback resolves a single config string per key (config-supplied
+    list shapes are NOT a v1 feature — out of scope here; revisit when the
+    config surface advertises a list form). The resulting one-element
+    list keeps the bucket non-empty so the loader sees it as present.
+    """
+    cfg_lh = config.get("loghunter", {})
+    root = effective_root(config)
+    resolved: dict[str, list[Path]] = {}
+    for key in _ALL_KEYS:
+        override_list = _normalize_overrides(overrides.get(key))
+        if override_list:
+            resolved[key] = [
+                p for p in (_resolve_one(o, None, root) for o in override_list)
+                if p is not None
+            ]
+        elif scope is None or key in scope:
+            cfg_path = _resolve_one(None, cfg_lh.get(key), root)
+            resolved[key] = [cfg_path] if cfg_path is not None else []
+        else:
+            resolved[key] = []
+    return ResolvedSources(**resolved)
+
+
+# Per-schema candidate ladder + feed mapping for the digest resolver.
+# Order = preference: first non-None config value wins on fallback.
+_DIGEST_CANDIDATES: dict[str, tuple[str, ...]] = {
+    "conn":       ("zeek_dir",),
+    "dns":        ("zeek_dir", "pihole_dir"),
+    "syslog":     ("syslog_dir", "zeek_dir"),
+    "cloudtrail": ("cloudtrail_dir",),
+}
+
+_DIGEST_FEED: dict[tuple[str, str], str | None] = {
+    ("conn",       "zeek_dir"):       None,
+    ("dns",        "zeek_dir"):       "zeek",
+    ("dns",        "pihole_dir"):     "pihole",
+    ("syslog",    "syslog_dir"):      "syslog",
+    ("syslog",    "zeek_dir"):        "zeek",
+    ("cloudtrail", "cloudtrail_dir"): None,
+}
+
+# BYTE-PRESERVED error strings, lifted from the previous run_digest ladder
+# (runner.py:1302-1413 pre-refactor). The wrong-key message is templated;
+# the XOR and not-configured messages are static per schema.
+_DIGEST_XOR_MSG: dict[str, str] = {
+    "dns":    "digest dns: cannot use both --zeek-dir and --pihole-dir",
+    "syslog": "digest syslog: cannot use both zeek_dir and syslog_dir",
+}
+
+_DIGEST_NOT_CONFIGURED_MSG: dict[str, str] = {
+    "conn": (
+        "digest: zeek_dir not configured — pass a PATH or set "
+        "[loghunter].zeek_dir in your config"
+    ),
+    "dns": (
+        "digest dns: zeek_dir or pihole_dir not configured — "
+        "pass a PATH, --zeek-dir/--pihole-dir, or set one in config"
+    ),
+    "syslog": (
+        "digest syslog: no syslog source configured — pass a PATH, "
+        "--zeek-dir, or set [loghunter].syslog_dir / "
+        "[loghunter].zeek_dir in your config"
+    ),
+    "cloudtrail": (
+        "digest cloudtrail: cloudtrail_dir not configured — pass a PATH, "
+        "--cloudtrail-dir, or set [loghunter].cloudtrail_dir in your config"
+    ),
+}
+
+
+def _wrong_key_msg(schema: str, key: str) -> str:
+    """Templated wrong-source error message — byte-equal to the prior text."""
+    return f"digest {schema}: {key} is not valid for the {schema} schema"
+
+
+def resolve_digest_source(
+    config: dict[str, Any],
+    schema: str,
+    *,
+    overrides: dict[str, str | Path | None],
+) -> DigestSource:
+    """Resolve the SINGLE source for a digest schema.
+
+    Same ``None``-contract as ``resolve_sources``: an override is present
+    only when its value is non-None. Raises ordinary ``ValueError`` on:
+
+    - any non-None override OUTSIDE the schema's candidate set (wrong-key);
+    - more than one non-None override INSIDE the candidate set (XOR);
+    - no source resolved (not-configured).
+
+    Error strings are byte-preserved from the previous ``run_digest``
+    ladder so user-facing wording does not drift.
+    """
+    candidates = _DIGEST_CANDIDATES[schema]
+    candidate_set = set(candidates)
+    cfg_lh = config.get("loghunter", {})
+    root = effective_root(config)
+
+    for key in _ALL_KEYS:
+        if key in candidate_set:
+            continue
+        if _present(overrides.get(key)):
+            raise ValueError(_wrong_key_msg(schema, key))
+
+    present_overrides = [
+        k for k in candidates if _present(overrides.get(k))
+    ]
+    if len(present_overrides) > 1:
+        raise ValueError(_DIGEST_XOR_MSG[schema])
+
+    if present_overrides:
+        chosen: str | None = present_overrides[0]
+        directory = _resolve_one(overrides[chosen], None, root)
+    else:
+        chosen = None
+        directory = None
+        for k in candidates:
+            d = _resolve_one(None, cfg_lh.get(k), root)
+            if d is not None:
+                chosen = k
+                directory = d
+                break
+
+    if chosen is None or directory is None:
+        raise ValueError(_DIGEST_NOT_CONFIGURED_MSG[schema])
+
+    return DigestSource(
+        source_key=chosen,
+        directory=directory,
+        feed=_DIGEST_FEED[(schema, chosen)],
+    )
+
+
+def route_positional_source(
+    path: str | Path,
+    *,
+    detector_module: Any | None,
+) -> str:
+    """Decide which source-dir key a positional PATH routes to.
+
+    Generic — no detector-name special cases.
+
+    **Named-module mode** (``detector_module`` is an imported detector module):
+    ``REQUIRED_LOGS`` carriers (beacon, scan, duration, aws, …) route to
+    ``REQUIRED_LOGS[0]["source"]``. Two-source detectors (dns, syslog)
+    content-sniff the file and route to the matching ``OPTIONAL_LOGS`` source;
+    on miss, on a directory positional, or on a sniff ``OSError``, they fall
+    back to ``OPTIONAL_LOGS[0]["source"]`` — matching today's "directory
+    defaults to flat" / "unreadable degrades silently" conventions.
+    ``OPTIONAL_LOGS[0]`` reproduces both current defaults:
+    ``dns → zeek_dir`` and ``syslog → syslog_dir``.
+
+    **None mode** (``detector_module is None``): for detect=all / unknown
+    selectors. Content-sniff the positional and map ``origin → {origin}_dir``
+    (cloudtrail → cloudtrail_dir, syslog → syslog_dir, zeek → zeek_dir,
+    pihole → pihole_dir). Falls back to ``zeek_dir`` on a directory
+    positional, an unrecognized sniff, or a sniff ``OSError`` — preserving
+    today's analyze default for unrecognized inputs (the old hardcoded
+    ``routed_source = "zeek_dir"`` in cli.py). NOTE: ``common/sources.py``
+    MUST NOT import ``detectors/`` — the named-module branch still receives
+    the imported module from the CLI.
+    """
+    path_obj = Path(path).expanduser()
+
+    if detector_module is None:
+        if path_obj.is_dir():
+            return "zeek_dir"
+        try:
+            result = sniff_format_detailed(path_obj)
+        except OSError:
+            return "zeek_dir"
+        origin = result.origin
+        candidate = f"{origin}_dir" if origin else None
+        return candidate if candidate in _ALL_KEYS else "zeek_dir"
+
+    required = getattr(detector_module, "REQUIRED_LOGS", [])
+    if required:
+        # ``.get("source", "zeek_dir")`` instead of ``["source"]`` — defensive
+        # against a third-party / new detector whose REQUIRED_LOGS[0] omits
+        # the source key. The error-boundary rail says lower layers raise
+        # actionable exceptions, not bare KeyErrors. None of the six shipped
+        # detectors trip this, but the default keeps the router callable
+        # against malformed metadata.
+        return required[0].get("source", "zeek_dir")
+    optional = [
+        o.get("source", "zeek_dir")
+        for o in getattr(detector_module, "OPTIONAL_LOGS", [])
+    ]
+    default = optional[0] if optional else "zeek_dir"
+
+    if path_obj.is_dir():
+        return default
+    try:
+        result = sniff_format_detailed(path_obj)
+    except OSError:
+        return default
+
+    origin = result.origin
+    candidate = f"{origin}_dir" if origin else None
+    return candidate if candidate in optional else default

loghunter/data/allowlist/connections.txt

@@ -0,0 +1,50 @@
+# LogHunter — Flat Numeric Connection Allowlist
+# ─────────────────────────────────────────────────────────────────────────────
+#
+# Format: one rule per line, whitespace-separated tokens. Order doesn't matter.
+# # starts a comment (inline or full-line). Blank lines are ignored.
+#
+# Token types:
+#   IP address    exact host:          192.0.2.10
+#   CIDR range    subnet:              192.0.2.0/24
+#   Wildcard      any host:            *
+#   Port/proto    leading colon:       :443   :123/udp   :*/tcp
+#
+# A rule may contain zero, one, or two IP/CIDR/wildcard fields plus an
+# optional port/proto token. Rules with two IP fields match in either
+# direction — src→dst and dst→src are both covered by a single rule.
+#
+# Missing fields match anything: omission is permission.
+#
+# !! BARE IP WARNING !!
+# ─────────────────────────────────────────────────────────────────────────────
+# A rule containing only an IP address with no port token suppresses ALL
+# traffic involving that host across every detector. This is intentional and
+# powerful — one bare IP rule silently drops every flow involving that host
+# from all findings. Use scoped rules (with a port/proto token) unless you
+# explicitly mean to exclude a host entirely.
+# ─────────────────────────────────────────────────────────────────────────────
+#
+# Syntax examples (documentation only — not active rules):
+#
+#   Two specific hosts, port 22, TCP only:
+#     192.0.2.10  198.51.100.1  :22/tcp
+#
+#   Any flow involving 192.0.2.10 on port 22, any protocol:
+#     192.0.2.10  :22
+#
+#   Entire subnet on port 443, any protocol:
+#     192.0.2.0/24  :443
+#
+#   Any host, UDP port 123 (NTP):
+#     *  :123/udp
+#
+#   Port only — suppress this port for every host:
+#     :6556
+#
+#   Bare IP — suppresses ALL traffic involving this host (see warning above):
+#     192.0.2.33
+#
+# ─────────────────────────────────────────────────────────────────────────────
+# Add your rules below this line.
+# ─────────────────────────────────────────────────────────────────────────────

loghunter/data/allowlist/domains_devices.txt

@@ -0,0 +1,5 @@
+# Device domain allowlist — Apple TV, Hue, smart home, gaming consoles, etc.
+# One glob pattern per line. # for comments. Blank lines ignored.
+# Regex also supported: prefix with "re:"
+#
+# This file covers consumer device infrastructure seen in home networks.

loghunter/data/allowlist/domains_homelab.txt

@@ -0,0 +1,5 @@
+# Home lab domain allowlist — checkmk, Splunk, Pi-hole, Unbound, MRTG, etc.
+# One glob pattern per line. # for comments. Blank lines ignored.
+# Regex also supported: prefix with "re:"
+#
+# This file covers infrastructure commonly found in self-hosted environments.

loghunter/data/allowlist/domains_universal.txt

@@ -0,0 +1,125 @@
+# Universal domain allowlist — curated patterns for infrastructure seen universally
+# across home lab and self-hosted environments.
+#
+# Format: one pattern per line.  # inline or full-line comments.  Blank lines ignored.
+# Patterns prefixed with "re:" are treated as Python regex (re.search, case-insensitive).
+# Patterns without the prefix are matched as fnmatch globs.
+#
+# This file ships with LogHunter.  It covers reverse-DNS, NTP, CDN, cloud platforms,
+# public nameserver infrastructure, and common SaaS endpoints that appear in virtually
+# every environment.
+#
+# Site-specific known-good domains (your own infrastructure, local devices, internal
+# services) belong in ~/.loghunter/allowlist.d/domains_user.txt — not here.
+
+# Reverse DNS
+re:\.in-addr\.arpa$                                                         # reverse_dns
+re:\.ip6\.arpa$                                                             # ipv6_arpa
+
+# mDNS / link-local
+re:\.local$                                                                 # mdns_local
+re:^_                                                                       # mdns_service
+
+# UUID labels (e.g. device beacons)
+re:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}         # uuid
+
+# NTP
+re:pool\.ntp\.org$|\.ntp\.org$                                             # ntp
+
+# Akamai CDN
+re:\.akamai\.net$|\.akamaiedge\.net$|\.akamai\.com$|\.akamaihd\.net$|\.akadns\.net$|\.akamaized\.net$|\.akamaitechnologies\.com$  # akamai
+re:\.akam\.net$|\.edgekey\.net$                                           # akamai_delegation
+
+# Apple / iCloud
+re:\.apple\.com$|\.icloud\.com$|\.aaplimg\.com$|\.apple-dns\.net$         # apple_cdn
+
+# Amazon Web Services
+re:\.amazonaws\.com$|\.awsglobalaccelerator\.com$|\.cloudfront\.net$      # aws
+
+# Google
+re:\.googlevideo\.com$|\.googleapis\.com$|\.gstatic\.com$|\.googleusercontent\.com$|\.googledomains\.com$|\.google\.com$  # google
+
+# Microsoft Azure
+re:\.azurefd\.net$|\.azureedge\.net$|\.cloudapp\.azure\.com$|\.azurewebsites\.net$|\.trafficmanager\.net$|\.windows\.net$  # azure
+re:\.azure-dns\.com$                                                       # azure_dns
+
+# Sonos (connection-indexed hostnames)
+re:conn-i-[0-9a-f]+\..*\.sonos\.com$                                       # sonos_ws
+
+# Amazon / Alexa
+re:\.amazonvideo\.com$|\.amazon\.com$|\.amazonalexa\.com$|\.a2z\.com$     # amazon_video
+
+# Oracle Cloud
+re:\.oraclecloud\.com$|\.oracle\.com$                                      # oracle_idcs
+
+# Sonos
+re:\.sonos\.com$                                                            # sonos
+
+# Dropbox
+re:\.dropbox\.com$|\.dropbox-dns\.com$                                     # dropbox
+
+# Zoom
+re:\.zoom\.us$                                                              # zoom
+
+# Mozilla
+re:\.mozilla\.net$|\.mozilla\.org$|\.mozgcp\.net$                         # mozilla
+
+# Microsoft 365 / Windows
+re:\.microsoft\.com$|\.office\.com$|\.live\.com$|\.skype\.com$|\.msidentity\.com$  # microsoft
+re:\.windowsupdate\.com$                                                   # windows_update
+
+# Fastly CDN
+re:\.fastly\.net$|\.fastly-edge\.com$                                      # fastly
+
+# Piano / TinyPass (paywall SDK)
+re:\.tinypass\.com$                                                         # tinypass
+
+# Atlassian / Jira / Confluence
+re:\.atlassian\.com$|\.atlassian-dev\.net$|\.atl-paas\.net$               # atlassian
+
+# AWS Route 53 nameservers
+re:(^|\.)awsdns-\d+\.\w+(\.\w+)?$                                         # awsdns
+re:ns-\d+\.awsdns                                                           # aws_ns
+
+# AWS WAF
+re:(^|\.)awswaf\.com$                                                       # awswaf
+
+# OVH nameservers
+re:ns\d+\.ovh\.net$|dns\d+\.ovh\.net$                                     # ovh_ns
+
+# UltraDNS
+re:\.ultradns\.(net|com|org|info|co\.uk)$                                  # ultradns
+
+# NS1 nameservers
+re:\.nsone\.net$                                                            # nsone
+
+# Azure DNS nameservers
+re:ns\d+-\d+\.azure-dns\.(com|net|org|info)$                              # azure_ns
+
+# Backblaze B2
+re:pod-\d+-\d+-\d+\.backblaze\.com$|pod-\d{3}-\d{4}-\d{2}\.backblaze\.com$|ca\d+\.backblaze\.com$  # backblaze
+
+# Microsoft Edge CDN
+re:\.t-msedge\.net$|\.fb-t-msedge\.net$                                   # msedge
+re:\.(ax|bx|ln)-\d+\.(ax|bx|ln)(-dc)?-msedge\.net$                       # msedge_cdn
+
+# Generic nameserver hostname patterns (ns1., ns.*, awsdns-, etc.)
+re:^ns\d*[-\.]|\.awsdns-|\.ultradns\.|\.cloudns\.|\.constellix\.|\.digicertdns\.|\.domaincontrol\.  # nameservers
+
+# AWS networking diagnostic infrastructure
+re:\.prod\.diagnostic\.networking\.aws\.dev$                               # diagnostic_dns
+
+# Oracle DNS infrastructure
+re:\.dns\.oraclecloud\.net$                                                 # oracledns
+
+# SentinelOne EDR
+re:\.sentinelone\.net$                                                      # sentinelone
+
+# hCaptcha
+re:\.hcaptcha\.com$                                                         # hcaptcha
+
+# Sentry error tracking
+re:\.sentry\.io$                                                            # sentry
+
+# AT&T local
+re:\.attlocal\.net$                                                         # attlocal