souleyez 2.16.0__py3-none-any.whl → 2.26.0__py3-none-any.whl

souleyez/plugins/nuclei.py

@@ -207,19 +207,51 @@ class NucleiPlugin(PluginBase):
                 return True
         return False
 
-    def build_command(self, target: str, args: List[str] = None, label: str = "", log_path: str = None):
-        """Build nuclei command for background execution with PID tracking."""
-        # For URLs, validate them. For bare IPs/domains, let Nuclei auto-detect protocols
+    def _normalize_target(self, target: str, args: List[str] = None, log_path: str = None) -> str:
+        """
+        Normalize target for Nuclei scanning.
+
+        - URLs are validated and passed through
+        - Bare IPs/domains get http:// prepended for web scanning
+
+        This fixes the issue where nmap chains pass bare IPs but Nuclei
+        needs URLs to properly scan web services.
+        """
+        import re
+
+        # Already a URL - validate and return
         if target.startswith(('http://', 'https://')):
             try:
-                target = validate_url(target)
+                return validate_url(target)
             except ValidationError as e:
                 if log_path:
                     with open(log_path, 'w') as f:
                         f.write(f"ERROR: Invalid URL: {e}\n")
                 return None
 
+        # Bare IP or domain - prepend http:// for web scanning
+        # This is needed because Nuclei web templates require a URL
+        ip_pattern = r'^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(:\d+)?$'
+        domain_pattern = r'^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)*$'
+
+        if re.match(ip_pattern, target) or re.match(domain_pattern, target):
+            # Log the conversion
+            if log_path:
+                with open(log_path, 'a') as f:
+                    f.write(f"NOTE: Converting bare target '{target}' to 'http://{target}' for web scanning\n")
+            return f"http://{target}"
+
+        # Unknown format - return as-is
+        return target
+
+    def build_command(self, target: str, args: List[str] = None, label: str = "", log_path: str = None):
+        """Build nuclei command for background execution with PID tracking."""
         args = args or []
+
+        # Normalize target (convert bare IPs to URLs)
+        target = self._normalize_target(target, args, log_path)
+        if target is None:
+            return None
         args = [arg.replace("<target>", target) for arg in args]
 
         cmd = ["nuclei", "-target", target]
@@ -252,21 +284,13 @@ class NucleiPlugin(PluginBase):
 
     def run(self, target: str, args: List[str] = None, label: str = "", log_path: str = None) -> int:
         """Execute nuclei scan and write JSON output to log_path."""
-
-        # For URLs, validate them. For bare IPs/domains, let Nuclei auto-detect protocols
-        if target.startswith(('http://', 'https://')):
-            try:
-                target = validate_url(target)
-            except ValidationError as e:
-                if log_path:
-                    with open(log_path, 'w') as f:
-                        f.write(f"ERROR: Invalid URL: {e}\n")
-                    return 1
-                raise ValueError(f"Invalid URL: {e}")
-        # Otherwise keep target as-is (IP or domain) for Nuclei auto-detect protocols
-
         args = args or []
 
+        # Normalize target (convert bare IPs to URLs)
+        target = self._normalize_target(target, args, log_path)
+        if target is None:
+            return 1
+
         # Replace <target> placeholder
         args = [arg.replace("<target>", target) for arg in args]
 

souleyez/ui/interactive.py

@@ -130,6 +130,63 @@ def render_standard_header(title: str, width: int = None) -> None:
     click.echo()
 
 
+def parse_syslog_description(desc: str) -> str:
+    """
+    Extract meaningful message from syslog-formatted descriptions.
+
+    Syslog format: <timestamp> <host> [timestamp] <program>[pid]: <message>
+    Example input: "Jan  8 07:00:05 192.168.1.111 Jan  8 07:00:05 eyez CRON[537281]: pam_unix(cron:session): session closed for user yoda"
+    Example output: "CRON: pam_unix(cron:session): session closed for user yoda"
+    """
+    import re
+
+    if not desc:
+        return 'No description'
+
+    # Try to find the actual message after common syslog patterns
+    # Pattern 1: Look for process name with PID followed by colon (e.g., "CRON[537281]:")
+    pid_match = re.search(r'([A-Za-z_][A-Za-z0-9_-]*)\[(\d+)\]:\s*(.+)$', desc)
+    if pid_match:
+        process_name = pid_match.group(1)
+        message = pid_match.group(3)
+        return f"{process_name}: {message}"
+
+    # Pattern 2: Look for systemd-style messages (e.g., "systemd[1]: Started...")
+    systemd_match = re.search(r'(systemd(?:-[a-z]+)?)\[?\d*\]?:\s*(.+)$', desc, re.IGNORECASE)
+    if systemd_match:
+        return f"{systemd_match.group(1)}: {systemd_match.group(2)}"
+
+    # Pattern 3: Look for kernel messages
+    kernel_match = re.search(r'kernel:\s*(.+)$', desc)
+    if kernel_match:
+        return f"kernel: {kernel_match.group(1)}"
+
+    # Pattern 4: Generic - find content after last colon that has substance
+    colon_parts = desc.split(': ')
+    if len(colon_parts) > 1:
+        # Get the meaningful part (usually after the first "process:" pattern)
+        for i, part in enumerate(colon_parts):
+            # Skip parts that look like timestamps or IPs
+            if not re.match(r'^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec|\d{1,3}\.\d{1,3}|\d{4}-\d{2})', part):
+                # Found something meaningful - join from here
+                meaningful = ': '.join(colon_parts[i:])
+                if len(meaningful) > 10:  # Ensure it's substantial
+                    return meaningful
+
+    # Pattern 5: Strip leading timestamp patterns
+    # Remove patterns like "Jan  8 07:00:05 192.168.1.111 Jan  8 07:00:05 hostname"
+    stripped = re.sub(
+        r'^(?:[A-Z][a-z]{2}\s+\d+\s+\d{2}:\d{2}:\d{2}\s+\S+\s*)+',
+        '', desc
+    ).strip()
+
+    if stripped and len(stripped) > 5:
+        return stripped
+
+    # Fallback: return original if no patterns matched
+    return desc
+
+
 def _show_upgrade_prompt(feature_name: str):
     """Show upgrade prompt when FREE user tries to access Pro feature."""
     from rich.panel import Panel
@@ -5345,7 +5402,7 @@ def view_job_detail(job_id: int):
 
         # Check if tool has a parser - if yes, hide raw logs by default
         tool = job.get('tool', '')
-        has_parser = tool in ['dnsrecon', 'nmap', 'nuclei', 'nikto', 'dalfox', 'theharvester', 'sqlmap', 'ffuf', 'gobuster', 'wpscan', 'crackmapexec', 'hydra', 'whois', 'smbmap', 'enum4linux', 'msf_auxiliary', 'searchsploit']
+        has_parser = tool in ['dnsrecon', 'nmap', 'ard', 'nuclei', 'nikto', 'dalfox', 'theharvester', 'sqlmap', 'ffuf', 'gobuster', 'wpscan', 'crackmapexec', 'hydra', 'whois', 'smbmap', 'enum4linux', 'msf_auxiliary', 'searchsploit']
 
         # Show log file if exists
         log_path = job.get('log')
@@ -5941,7 +5998,9 @@ def view_job_detail(job_id: int):
                 pass
 
         # Parse and display Nmap results if available (only when not showing raw logs)
-        if not show_raw_logs and job.get('tool') == 'nmap' and job.get('status') in ['done', 'completed'] and log_path and os.path.exists(log_path):
+        # ARD plugin uses nmap under the hood, so include it here
+        nmap_based_tools = ['nmap', 'ard']
+        if not show_raw_logs and job.get('tool') in nmap_based_tools and job.get('status') in ['done', 'completed'] and log_path and os.path.exists(log_path):
             try:
                 from souleyez.parsers.nmap_parser import parse_nmap_output
                 with open(log_path, 'r', encoding='utf-8', errors='replace') as f:
@@ -8898,7 +8957,8 @@ def _view_wazuh_alerts(engagement_id: int):
                 icon = get_level_icon(level)
                 rule_id = str(alert.get('rule_id', 'N/A'))[:10]
                 agent_name = alert.get('agent_name', 'N/A')[:15]
-                desc = (alert.get('description') or 'No description')[:45]
+                raw_desc = alert.get('description') or 'No description'
+                desc = parse_syslog_description(raw_desc)[:45]
                 ts = alert.get('timestamp', 'N/A')
                 if hasattr(ts, 'strftime'):
                     ts = ts.strftime('%Y-%m-%d %H:%M:%S')
@@ -9075,7 +9135,8 @@ def _view_alert_detail(alert: dict):
 
     # Get values from normalized format first, then fall back to raw_data
     rule_id = alert.get('rule_id') or rule.get('id', 'N/A')
-    description = alert.get('description') or rule.get('description', 'N/A')
+    raw_description = alert.get('description') or rule.get('description', 'N/A')
+    description = parse_syslog_description(raw_description)
     level = alert.get('level', 0) or rule.get('level', 0)
     severity = alert.get('severity', 'info')
 
@@ -9694,9 +9755,19 @@ def _view_all_job_alerts(item: dict):
                 return f"{icon} {severity[:6].upper()}"
         elif key == 'rule_id':
             if is_wazuh_style:
-                return str(alert.get('rule', {}).get('id', 'N/A'))
+                # Wazuh: show first rule group (more descriptive) or rule ID
+                rule_data = alert.get('rule', {})
+                groups = rule_data.get('groups', [])
+                if groups:
+                    # Get most specific group (often last is most specific)
+                    return str(groups[-1])[:12]
+                return str(rule_data.get('id', 'N/A'))[:12]
             else:
-                return str(alert.get('rule_id', alert.get('id', 'N/A')))[:15]
+                # Splunk: show MITRE tactic if available, else sourcetype
+                mitre_tactics = alert.get('mitre_tactics', [])
+                if mitre_tactics:
+                    return str(mitre_tactics[0])[:12]
+                return str(alert.get('rule_id', 'N/A'))[:12]
         elif key == 'agent_name':
             if is_wazuh_style:
                 return alert.get('agent', {}).get('name', 'N/A')
@@ -9704,9 +9775,17 @@ def _view_all_job_alerts(item: dict):
                 return str(alert.get('source_ip', alert.get('host', 'N/A')))[:15]
         elif key == 'description':
             if is_wazuh_style:
-                return alert.get('rule', {}).get('description', 'No description')[:45]
+                # Wazuh: use rule description, or rule groups if more descriptive
+                rule_data = alert.get('rule', {})
+                desc = rule_data.get('description', '')
+                if not desc:
+                    groups = rule_data.get('groups', [])
+                    if groups:
+                        desc = ', '.join(groups[:2])
+                return str(desc)[:45] if desc else 'No description'
             else:
-                desc = alert.get('rule_name', alert.get('description', 'No description'))
+                # Splunk: prefer actual description (log content) over rule_name
+                desc = alert.get('description', '') or alert.get('rule_name', '')
                 return str(desc)[:45] if desc else 'No description'
         elif key == 'timestamp':
             ts = alert.get('timestamp', 'N/A')
@@ -9718,9 +9797,9 @@ def _view_all_job_alerts(item: dict):
     columns = [
         {'name': '#', 'width': 5, 'key': '_idx'},
         {'name': 'Level', 'width': 10, 'key': 'level_display'},
-        {'name': 'Rule', 'width': 8, 'key': 'rule_id'},
+        {'name': 'Type', 'width': 14, 'key': 'rule_id'},
         {'name': 'Agent', 'width': 15, 'key': 'agent_name'},
-        {'name': 'Description', 'width': 45, 'key': 'description'},
+        {'name': 'Description', 'width': 42, 'key': 'description'},
         {'name': 'Time', 'width': 20, 'key': 'timestamp'},
     ]
 
@@ -15772,6 +15851,37 @@ def view_findings(engagement_id: int):
             summary_parts.append(f"Filters: {', '.join(active_filters)}")
 
         click.echo("  " + "  |  ".join(summary_parts))
+
+        # Show tool distribution legend
+        if findings:
+            tool_counts = {}
+            for f in findings:
+                tool = f.get('tool') or 'unknown'
+                tool_counts[tool] = tool_counts.get(tool, 0) + 1
+
+            # Sort by count (descending) and format
+            sorted_tools = sorted(tool_counts.items(), key=lambda x: x[1], reverse=True)
+            tool_parts = [f"{tool}({count})" for tool, count in sorted_tools]
+
+            # Display on one or more lines if needed
+            tool_legend = "  Tools: " + " | ".join(tool_parts)
+            if len(tool_legend) > width - 4:
+                # Wrap to multiple lines if too long
+                lines = []
+                current_line = "  Tools: "
+                for i, part in enumerate(tool_parts):
+                    test_line = current_line + part + (" | " if i < len(tool_parts) - 1 else "")
+                    if len(test_line) > width - 4 and current_line != "  Tools: ":
+                        lines.append(current_line.rstrip(" | "))
+                        current_line = "         " + part + (" | " if i < len(tool_parts) - 1 else "")
+                    else:
+                        current_line = test_line
+                lines.append(current_line.rstrip(" | "))
+                for line in lines:
+                    click.echo(click.style(line, fg='cyan'))
+            else:
+                click.echo(click.style(tool_legend, fg='cyan'))
+
         click.echo()
 
         if not findings:
@@ -29508,11 +29618,11 @@ def _check_msfdb_ready() -> bool:
         click.echo("  The Metasploit database needs to be initialized for full functionality.")
         click.echo("  Without it, you won't be able to store hosts, credentials, or loot.")
         click.echo()
-        if click.confirm("  Initialize database now? (runs: msfdb init)", default=True):
+        if click.confirm("  Initialize database now? (runs: sudo msfdb init)", default=True):
             click.echo()
-            click.echo(click.style("  Running msfdb init...", fg='cyan'))
+            click.echo(click.style("  Running sudo msfdb init...", fg='cyan'))
             try:
-                result = subprocess.run(['msfdb', 'init'], capture_output=False, text=True)
+                result = subprocess.run(['sudo', 'msfdb', 'init'], capture_output=False, text=True)
                 if result.returncode == 0:
                     click.echo(click.style("  Database initialized successfully!", fg='green'))
                     click.echo()
@@ -31347,13 +31457,13 @@ def run_interactive_menu():
     click.echo("└" + "─" * (width - 2) + "┘")
     click.echo("\n")
     
-    # ASCII Art Banner - SOULEYEZ
-    click.echo(click.style("   ███████╗ ██████╗ ██╗   ██╗██╗     ███████╗██╗   ██╗███████╗███████╗", fg='bright_cyan', bold=True))
-    click.echo(click.style("   ██╔════╝██╔═══██╗██║   ██║██║     ██╔════╝╚██╗ ██╔╝██╔════╝╚══███╔╝", fg='bright_cyan', bold=True))
-    click.echo(click.style("   ███████╗██║   ██║██║   ██║██║     █████╗   ╚████╔╝ █████╗    ███╔╝ ", fg='bright_cyan', bold=True))
-    click.echo(click.style("   ╚════██║██║   ██║██║   ██║██║     ██╔══╝    ╚██╔╝  ██╔══╝   ███╔╝  ", fg='bright_cyan', bold=True))
-    click.echo(click.style("   ███████║╚██████╔╝╚██████╔╝███████╗███████╗   ██║   ███████╗███████╗", fg='bright_cyan', bold=True))
-    click.echo(click.style("   ╚══════╝ ╚═════╝  ╚═════╝ ╚══════╝╚══════╝   ╚═╝   ╚══════╝╚══════╝", fg='bright_cyan', bold=True))
+    # ASCII Art Banner - SOULEYEZ with all-seeing eye on the right
+    click.echo(click.style("   ███████╗ ██████╗ ██╗   ██╗██╗     ███████╗██╗   ██╗███████╗███████╗", fg='bright_cyan', bold=True) + click.style("        ▄██▄", fg='bright_blue', bold=True))
+    click.echo(click.style("   ██╔════╝██╔═══██╗██║   ██║██║     ██╔════╝╚██╗ ██╔╝██╔════╝╚══███╔╝", fg='bright_cyan', bold=True) + click.style("      ▄█▀  ▀█▄", fg='bright_blue', bold=True))
+    click.echo(click.style("   ███████╗██║   ██║██║   ██║██║     █████╗   ╚████╔╝ █████╗    ███╔╝ ", fg='bright_cyan', bold=True) + click.style("     █   ◉   █", fg='bright_blue', bold=True))
+    click.echo(click.style("   ╚════██║██║   ██║██║   ██║██║     ██╔══╝    ╚██╔╝  ██╔══╝   ███╔╝  ", fg='bright_cyan', bold=True) + click.style("     █  ═══  █", fg='bright_blue', bold=True))
+    click.echo(click.style("   ███████║╚██████╔╝╚██████╔╝███████╗███████╗   ██║   ███████╗███████╗", fg='bright_cyan', bold=True) + click.style("      ▀█▄  ▄█▀", fg='bright_blue', bold=True))
+    click.echo(click.style("   ╚══════╝ ╚═════╝  ╚═════╝ ╚══════╝╚══════╝   ╚═╝   ╚══════╝╚══════╝", fg='bright_cyan', bold=True) + click.style("        ▀██▀", fg='bright_blue', bold=True))
     click.echo()
 
     # Tagline and description