
//! Campaign Detection Strategies
//!
//! This module defines the `Detector` trait and its error type, declares the
//! submodules that hold the concrete detectors, and re-exports them for
//! identifying coordinated attack campaigns.
6use crate::correlation::{CampaignUpdate, FingerprintIndex};
7use std::net::IpAddr;
/// Convenience alias: every fallible detector operation yields either its
/// value or a [`DetectorError`].
pub type DetectorResult<T> = std::result::Result<T, DetectorError>;
12/// Errors that can occur during detection
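/// Errors that can occur during detection.
///
/// `PartialEq`/`Eq` are derived so callers and tests can compare outcomes
/// directly instead of matching on `Debug` output.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum DetectorError {
    /// The fingerprint index could not be read (missing or corrupted);
    /// the payload describes what was unavailable.
    IndexUnavailable(String),
    /// The detection logic itself failed; the payload carries the reason.
    DetectionFailed(String),
    /// The detector declined to run because it is rate limited to prevent
    /// CPU exhaustion. Carries no payload; it signals back-off rather than
    /// a fault — NOTE(review): confirm callers treat it that way.
    RateLimited,
}

impl std::fmt::Display for DetectorError {
    // Renders the error as a short "<category>: <detail>" line. The `msg`
    // payloads are emitted verbatim; if they can carry request-derived data,
    // keep this text in operator logs rather than client-facing responses.
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::IndexUnavailable(msg) => write!(f, "Index unavailable: {}", msg),
            Self::DetectionFailed(msg) => write!(f, "Detection failed: {}", msg),
            Self::RateLimited => f.write_str("Detection rate limited"),
        }
    }
}

// `Error::source` keeps its default `None`: every variant wraps a message,
// not an underlying error value.
impl std::error::Error for DetectorError {}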
/// A campaign detection strategy.
///
/// Implementations inspect the [`FingerprintIndex`] and report the
/// [`CampaignUpdate`]s the store should apply. The `Send + Sync` bound is
/// the only evidence here that detectors are shared across threads — confirm
/// against the code that schedules them.
pub trait Detector: Send + Sync {
    /// Unique identifier for this detector.
    fn name(&self) -> &'static str;

    /// Whether a new request from `ip` should trigger an immediate analysis
    /// run instead of waiting for the next full scan.
    ///
    /// This is the event-driven hook on the request path, so implementations
    /// should keep it cheap relative to [`Detector::analyze`].
    fn should_trigger(&self, ip: &IpAddr, index: &FingerprintIndex) -> bool;

    /// Run a full analysis pass over the current index state and return the
    /// campaign updates to be applied to the store.
    ///
    /// # Errors
    ///
    /// Returns a [`DetectorError`]; `RateLimited` in particular means the
    /// detector declined to run in order to bound CPU usage.
    fn analyze(&self, index: &FingerprintIndex) -> DetectorResult<Vec<CampaignUpdate>>;

    /// Minimum spacing between two full scans, in milliseconds.
    fn scan_interval_ms(&self) -> u64 {
        // Default cadence: one full scan every five seconds.
        const DEFAULT_SCAN_INTERVAL_MS: u64 = 5_000;
        DEFAULT_SCAN_INTERVAL_MS
    }
}
// Concrete detection strategies, one per submodule; `common` holds shared
// building blocks such as the time-windowed index.
pub mod attack_sequence;
pub mod auth_token;
pub mod behavioral_similarity;
pub mod common;
pub mod graph;
pub mod ja4_rotation;
pub mod network_proximity;
pub mod shared_fingerprint;
pub mod timing_correlation;

// Flatten the public surface so callers can reach every detector and its
// config type from `detectors::` without naming the submodule.
pub use self::{
    attack_sequence::{AttackPayload, AttackSequenceConfig, AttackSequenceDetector},
    auth_token::{AuthTokenConfig, AuthTokenDetector, TokenFingerprint},
    behavioral_similarity::{BehaviorPattern, BehavioralConfig, BehavioralSimilarityDetector},
    common::TimeWindowedIndex,
    graph::{GraphConfig, GraphDetector},
    ja4_rotation::{Ja4RotationDetector, Ja4RotationStats, RotationConfig},
    network_proximity::{NetworkProximityConfig, NetworkProximityDetector},
    shared_fingerprint::SharedFingerprintDetector,
    timing_correlation::{TimingConfig, TimingCorrelationDetector},
};