trydirect
diff --git a/‎Cargo.toml‎
Lines changed: 1 addition & 0 deletions b/‎Cargo.toml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md‎
Lines changed: 9 additions & 0 deletions b/‎README.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎src/database/connection.rs‎
Lines changed: 18 additions & 0 deletions b/‎src/database/connection.rs‎
Lines changed: 18 additions & 0 deletions
@@ -49,6 +49,7 @@ bollard = "0.16"
 
 # HTTP client (for LLM API)
 reqwest = { version = "0.12", default-features = false, features = ["json", "blocking", "rustls-tls"] }
+sha2 = "0.10"
 
 # Compression
 zstd = "0.13"
 
@@ -19,6 +19,7 @@
 
 - **📊 Real-time Monitoring** — eBPF-based syscall monitoring with minimal overhead (<5% CPU)
 - **🔍 Log Sniffing** — Discover, read, and AI-summarize logs from containers and system files
+- **🧭 Detector Framework** — Rust-native detector registry for web attack heuristics and outbound exfiltration indicators
 - **🤖 AI/ML Detection** — Candle-powered anomaly detection + OpenAI/Ollama log analysis
 - **🚨 Alert System** — Multi-channel notifications (Slack, email, webhook)
 - **🔒 Automated Response** — nftables/iptables firewall, container quarantine
@@ -179,6 +180,14 @@ cargo run -- sniff --consume --output ./log-archive
 cargo run -- sniff --sources "/var/log/myapp.log,/opt/service/logs"
 ```
 
+The built-in sniff pipeline now includes Rust-native detectors for:
+
+- web attack indicators such as SQL injection probes, path traversal probes, login brute force, and webshell-style requests
+- exfiltration-style indicators such as suspicious SMTP/attachment activity and large outbound transfer hints in logs
+- reverse shell behavior, sensitive file access, cloud metadata / SSRF access, exfiltration chains, and secret leakage in logs
+- Wazuh-inspired file integrity monitoring for explicit paths configured with `STACKDOG_FIM_PATHS=/etc/ssh/sshd_config,/app/.env`
+- Wazuh-inspired configuration assessment via `STACKDOG_SCA_PATHS`, package inventory heuristics via `STACKDOG_PACKAGE_INVENTORY_PATHS`, Docker posture audits, and improved RFC3164/RFC5424 syslog parsing
+
 ### Use as Library
 
 Add to your `Cargo.toml`:
 
@@ -188,6 +188,24 @@ pub fn init_database(pool: &DbPool) -> Result<()> {
         [],
     );
 
+    conn.execute(
+        "CREATE TABLE IF NOT EXISTS file_integrity_baselines (
+            path TEXT PRIMARY KEY,
+            file_type TEXT NOT NULL,
+            sha256 TEXT NOT NULL,
+            size_bytes INTEGER NOT NULL,
+            readonly INTEGER NOT NULL,
+            modified_at INTEGER NOT NULL,
+            updated_at TEXT NOT NULL
+        )",
+        [],
+    )?;
+
+    let _ = conn.execute(
+        "CREATE INDEX IF NOT EXISTS idx_file_integrity_updated_at ON file_integrity_baselines(updated_at)",
+        [],
+    );
+
     conn.execute(
         "CREATE TABLE IF NOT EXISTS ip_offenses (
             id TEXT PRIMARY KEY,