
1//! IOC database + integrity-baseline value types.
2//!
3//! Port of `IOCDatabase`, `HashBaseline` and `BaselineComparison` from
4//! `src/types.ts`. The loading/verification logic (signed feed, monotonicity,
5//! graceful fallback - PRODUCT.md B.8) lives in `secureops-intel`; these are
6//! just the on-disk shapes.
7
8use serde::{Deserialize, Serialize};
9use std::collections::HashMap;
10
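/// Bundled / fetched indicator database (`ioc/indicators.json`).
///
/// This is purely the on-disk shape. Nothing in this type verifies the feed's
/// signature, checks that `version` / `last_updated` only move forward, or
/// validates the syntax of individual entries; a freshly deserialized value
/// should be treated as untrusted until the loader in `secureops-intel` has
/// performed those checks.
///
/// Serde behaviour worth knowing when handling a feed:
/// - every field is required, so a missing key is a hard deserialization
///   error rather than a silently empty list;
/// - unknown keys are ignored (no `deny_unknown_fields`), so a misspelled
///   optional addition to the feed will not be noticed here;
/// - keys are serialized as-is (snake_case, no `rename_all`).
///   NOTE(review): the TS original in `src/types.ts` may use camelCase keys —
///   confirm the JSON feed's spelling matches before relying on this struct.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, Eq)]
pub struct IocDatabase {
    /// Feed version. Format is not constrained by the type; monotonicity is
    /// enforced by the loader, not here.
    pub version: String,
    /// When the feed was produced, kept as an opaque string (format not fixed here).
    pub last_updated: String,
    /// Known command-and-control IP addresses, as free-form strings (not parsed).
    pub c2_ips: Vec<String>,
    /// Known malicious domains, as free-form strings (not parsed or normalized).
    pub malicious_domains: Vec<String>,
    /// hash -> human-readable label.
    ///
    /// The hash algorithm and text encoding are not fixed by this type;
    /// presumably lowercase hex SHA-256 like [`HashBaseline`] — verify against
    /// the feed producer before comparing, since a case or encoding mismatch
    /// silently turns into "no match".
    pub malicious_skill_hashes: HashMap<String, String>,
    /// Typosquat detection patterns. Pattern syntax (regex, glob, …) is decided
    /// by the consumer, not here.
    pub typosquat_patterns: Vec<String>,
    /// Patterns flagging dangerous prerequisite declarations; syntax decided by
    /// the consumer, not here.
    pub dangerous_prerequisite_patterns: Vec<String>,
    /// Per-platform infostealer artifact indicators.
    pub infostealer_artifacts: InfostealerArtifacts,
}

/// Infostealer artifact indicators, split by host platform.
///
/// The strings are free-form indicators as shipped in the feed (paths, names,
/// or similar — the type does not fix their syntax); matching is done by the
/// consumer.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, Eq)]
pub struct InfostealerArtifacts {
    /// Indicators relevant on macOS hosts.
    pub macos: Vec<String>,
    /// Indicators relevant on Linux hosts.
    pub linux: Vec<String>,
}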
30
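/// SHA-256 baseline of tracked files for drift/integrity checking.
///
/// This is only the stored shape. It carries no signature or MAC, so a
/// baseline file that an attacker can rewrite can also be made to "agree"
/// with tampered files; whether the stored baseline is protected from
/// modification is the loader's responsibility (see `secureops-intel`) —
/// NOTE(review): confirm that protection exists, since it is not visible here.
///
/// Comparison details such as hex-case normalization and path canonicalization
/// are likewise decided by the comparer, not by this type: a mismatch in either
/// turns into a spurious "modified" entry rather than a detected problem.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, Eq)]
pub struct HashBaseline {
    /// When the baseline was taken, as an opaque string (format not fixed here).
    pub timestamp: String,
    /// path -> hex SHA-256 of the file's contents at baseline time.
    /// Paths are stored exactly as the scanner produced them.
    pub files: HashMap<String, String>,
}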
38
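/// Result of comparing a current scan against a stored baseline.
///
/// Each list holds paths as they appear in the scan / baseline. The type does
/// not say whether a given path is "expected" drift; that classification is up
/// to the caller. All three lists empty means no drift was observed.
#[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, Eq)]
pub struct BaselineComparison {
    /// Paths present in the current scan but absent from the baseline.
    pub added: Vec<String>,
    /// Paths present in both whose recorded hash differs from the current one.
    pub modified: Vec<String>,
    /// Paths present in the baseline but absent from the current scan.
    pub removed: Vec<String>,
}

impl BaselineComparison {
    /// `true` when no paths were added, modified or removed, i.e. the scan
    /// matched the baseline exactly.
    pub fn is_clean(&self) -> bool {
        self.added.is_empty() && self.modified.is_empty() && self.removed.is_empty()
    }
}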
45}