threatflux-string-analysis 0.1.1

Advanced string analysis and categorization library for security applications
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161

# ThreatFlux String Analysis

A comprehensive Rust library for advanced string analysis and categorization, designed for security applications including malware analysis, threat hunting, and forensic investigations.

## Features

- **String Tracking**: Track string occurrences across multiple files with full context
- **Automatic Categorization**: Identify URLs, paths, commands, registry keys, and more
- **Entropy Analysis**: Detect potentially encoded or encrypted strings
- **Suspicious Pattern Detection**: Built-in patterns for malware and threat indicators
- **Statistical Analysis**: Generate insights about string distributions and relationships
- **Extensible Architecture**: Add custom patterns and categorization rules
- **High Performance**: Optimized for analyzing large volumes of strings
- **Serialization Support**: Full serde support for all data structures

## Quick Start

Add this to your `Cargo.toml`:

```toml
[dependencies]
threatflux-string-analysis = "0.1.0"
```

Basic usage:

```rust
use threatflux_string_analysis::{StringTracker, StringContext};

fn main() -> anyhow::Result<()> {
    let tracker = StringTracker::new();
    
    // Track a suspicious string
    tracker.track_string(
        "http://malware.com/beacon",
        "/path/to/file.exe",
        "file_hash_123",
        "my_scanner",
        StringContext::Url { protocol: Some("http".to_string()) }
    )?;
    
    // Get statistics
    let stats = tracker.get_statistics(None);
    println!("Suspicious strings: {}", stats.suspicious_strings.len());
    
    Ok(())
}
```

## Advanced Usage

### Custom Pattern Matching

```rust
use threatflux_string_analysis::{PatternDef, DefaultPatternProvider};

let mut provider = DefaultPatternProvider::empty();

// Add custom pattern for API keys
provider.add_pattern(PatternDef {
    name: "api_key".to_string(),
    regex: r"[A-Za-z0-9]{32,}".to_string(),
    category: "credential".to_string(),
    description: "Potential API key".to_string(),
    is_suspicious: true,
    severity: 7,
})?;
```

### Custom Categorization

```rust
use threatflux_string_analysis::{CategoryRule, StringCategory, DefaultCategorizer};

let mut categorizer = DefaultCategorizer::new();

categorizer.add_rule(CategoryRule {
    name: "custom_rule".to_string(),
    matcher: Box::new(|s| s.contains("custom_pattern")),
    category: StringCategory {
        name: "custom_category".to_string(),
        parent: None,
        description: "Custom category description".to_string(),
    },
    priority: 100,
})?;
```

### Filtering and Searching

```rust
use threatflux_string_analysis::StringFilter;

// Filter for high-entropy suspicious strings
let filter = StringFilter {
    suspicious_only: Some(true),
    min_entropy: Some(4.5),
    categories: Some(vec!["network".to_string(), "command".to_string()]),
    ..Default::default()
};

let filtered_stats = tracker.get_statistics(Some(&filter));
```

## Use Cases

### Malware Analysis
- Extract and categorize strings from binary files
- Identify C2 servers, encryption keys, and malicious commands
- Track string patterns across malware families

### Security Log Analysis
- Process security logs to identify IOCs
- Detect repeated attack patterns
- Correlate suspicious activities

### Threat Hunting
- Search for specific threat indicators
- Analyze string entropy for obfuscation detection
- Track evolution of threats over time

### Forensic Investigations
- Extract and analyze strings from memory dumps
- Categorize artifacts by type
- Build timelines of string occurrences

## Architecture

The library is built with a modular, trait-based architecture:

- **StringAnalyzer**: Core trait for analyzing strings
- **Categorizer**: Trait for categorizing strings
- **PatternProvider**: Trait for managing detection patterns
- **StringTracker**: Main tracking and analysis engine

This design allows for easy extension and customization for specific use cases.

## Examples

See the `examples/` directory for complete examples:

- `basic_usage.rs`: Introduction to the library
- `security_log_analysis.rs`: Analyzing security logs
- `custom_patterns.rs`: Creating domain-specific patterns

## Performance

The library is optimized for high-volume string analysis:

- Efficient string deduplication
- Configurable memory limits
- Fast pattern matching with compiled regexes
- Minimal allocations in hot paths

## Contributing

Contributions are welcome! Please feel free to submit issues and pull requests.

## License

This project is licensed under the MIT license.