pktscope-core 0.2.0

Core engine for pktscope: live/offline capture, protocol decoders, flow tracking, filters, and egress monitoring
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108

//! Alert types for the five egress signals. The detection engine
//! (learning-window lifecycle + detectors) is added in a later milestone; this
//! module defines the shared `Alert` / `AlertKind` / `Severity` types used by
//! the store, IPC, and the engine.

pub mod baseline;
pub mod detectors;

pub use detectors::{AlertConfig, AlertEngine, EvalOutcome, FlowEvent};

use serde::{Deserialize, Serialize};
use serde_json::Value;

/// The five egress alert signals.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum AlertKind {
    /// Signal 1: a process contacted a destination org/domain it never has.
    NewProcessDest,
    /// Signal 2: a binary made its first-ever outbound connection.
    NewProcessEgress,
    /// Signal 3: first contact with a host in a new country or AS.
    NewGeo,
    /// Signal 4: outbound volume far above a process's baseline.
    VolumeSpike,
    /// Signal 5: a process's binary identity changed since baseline.
    IdentityChange,
}

impl AlertKind {
    pub fn as_db(self) -> &'static str {
        match self {
            AlertKind::NewProcessDest => "new_process_dest",
            AlertKind::NewProcessEgress => "new_process_egress",
            AlertKind::NewGeo => "new_geo",
            AlertKind::VolumeSpike => "volume_spike",
            AlertKind::IdentityChange => "identity_change",
        }
    }

    pub fn from_db(s: &str) -> Option<Self> {
        Some(match s {
            "new_process_dest" => AlertKind::NewProcessDest,
            "new_process_egress" => AlertKind::NewProcessEgress,
            "new_geo" => AlertKind::NewGeo,
            "volume_spike" => AlertKind::VolumeSpike,
            "identity_change" => AlertKind::IdentityChange,
            _ => return None,
        })
    }

    /// Human-readable label (mirrors Little Snitch's naming where applicable).
    pub fn label(self) -> &'static str {
        match self {
            AlertKind::NewProcessDest => "New process → destination",
            AlertKind::NewProcessEgress => "New process phoning home",
            AlertKind::NewGeo => "New country / ASN",
            AlertKind::VolumeSpike => "Volume / exfil spike",
            AlertKind::IdentityChange => "Program modification",
        }
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum Severity {
    Info,
    Notice,
    Warning,
    Critical,
}

impl Severity {
    pub fn as_db(self) -> &'static str {
        match self {
            Severity::Info => "info",
            Severity::Notice => "notice",
            Severity::Warning => "warning",
            Severity::Critical => "critical",
        }
    }

    pub fn from_db(s: &str) -> Option<Self> {
        Some(match s {
            "info" => Severity::Info,
            "notice" => Severity::Notice,
            "warning" => Severity::Warning,
            "critical" => Severity::Critical,
            _ => return None,
        })
    }
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Alert {
    pub id: Option<i64>,
    pub kind: AlertKind,
    pub severity: Severity,
    /// Unix milliseconds.
    pub ts: i64,
    pub process_id: Option<i64>,
    pub dest_id: Option<i64>,
    /// Stable per `(kind, key)` — drives cooldown deduplication.
    pub dedup_key: String,
    pub title: String,
    /// Structured details (pid, exe, dest, asn, bytes, old/new identity, …).
    pub detail: Value,
}