Merge pull request #7 from vsilent/feature/detectors

Feature/detectors

Author: vsilent

.github/workflows/release.yml

@@ -36,12 +36,14 @@ jobs:
         run: cargo install cross --git https://github.com/cross-rs/cross
 
       - name: Build release binary
+        env:
+          CARGO_TARGET_DIR: target-cross
         run: cross build --release --target ${{ matrix.target }}
 
       - name: Package
         run: |
           mkdir -p dist
-          cp target/${{ matrix.target }}/release/stackdog dist/stackdog
+          cp target-cross/${{ matrix.target }}/release/stackdog dist/stackdog
           cd dist
           tar czf ${{ matrix.artifact }}.tar.gz stackdog
           sha256sum ${{ matrix.artifact }}.tar.gz > ${{ matrix.artifact }}.tar.gz.sha256

.gitignore

@@ -33,8 +33,7 @@ Cargo.lock
 # End of https://www.gitignore.io/api/rust,code
 
 .idea
-<<<<<<< HEAD
-=======
 *.db
->>>>>>> testing
 docs/tasks/
+web/node_modules/
+web/dist/

CHANGELOG.md

@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.2.2] - 2026-04-07
+
 ### Fixed
 
 - **CLI startup robustness** — `.env` loading is now non-fatal.
@@ -19,6 +21,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- **Expanded detector framework** with additional log-driven detection coverage.
+  - Reverse shell, sensitive file access, cloud metadata / SSRF, exfiltration chain, and secret leakage detectors.
+  - file integrity monitoring with SQLite-backed baselines via `STACKDOG_FIM_PATHS`.
+  - configuration assessment via `STACKDOG_SCA_PATHS`.
+  - package inventory heuristics via `STACKDOG_PACKAGE_INVENTORY_PATHS`.
+  - Docker posture audits for privileged mode, host namespaces, dangerous capabilities, Docker socket mounts, and writable sensitive mounts.
+
+- **Improved syslog ingestion**
+  - RFC3164 and RFC5424 parsing in file-based log ingestion for cleaner timestamps and normalized message bodies.
+
 #### Log Sniffing & Analysis (`stackdog sniff`)
 - **CLI Subcommands** — Multi-mode binary with `stackdog serve` and `stackdog sniff`
   - `--once` flag for single-pass mode
@@ -76,6 +88,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Refactored `main.rs` to dispatch `serve`/`sniff` subcommands via clap
 - Added `events`, `rules`, `alerting`, `models` modules to binary crate
 - Updated `.env.sample` with `STACKDOG_LOG_SOURCES`, `STACKDOG_AI_*` config vars
+- Version metadata updated to `0.2.2` across Cargo, the web package manifest, and current release documentation.
 
 ### Testing
 

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "stackdog"
-version = "0.2.1"
+version = "0.2.2"
 authors = ["Vasili Pascal <info@try.direct>"]
 edition = "2021"
 description = "Security platform for Docker containers and Linux servers"
@@ -49,6 +49,7 @@ bollard = "0.16"
 
 # HTTP client (for LLM API)
 reqwest = { version = "0.12", default-features = false, features = ["json", "blocking", "rustls-tls"] }
+sha2 = "0.10"
 
 # Compression
 zstd = "0.13"

DEVELOPMENT.md

@@ -1,7 +1,7 @@
 # Stackdog Security - Development Plan
 
-**Last Updated:** 2026-03-13  
-**Current Version:** 0.2.0  
+**Last Updated:** 2026-04-07  
+**Current Version:** 0.2.2  
 **Status:** Phase 2 In Progress
 
 ## Project Vision

README.md

@@ -1,6 +1,6 @@
 # Stackdog Security
 
-![Version](https://img.shields.io/badge/version-0.2.1-blue.svg)
+![Version](https://img.shields.io/badge/version-0.2.2-blue.svg)
 ![License](https://img.shields.io/badge/license-MIT-green.svg)
 ![Rust](https://img.shields.io/badge/rust-1.75+-orange.svg)
 ![Platform](https://img.shields.io/badge/platform-linux%20%7C%20macos%20%7C%20windows-lightgrey.svg)
@@ -19,6 +19,7 @@
 
 - **📊 Real-time Monitoring** — eBPF-based syscall monitoring with minimal overhead (<5% CPU)
 - **🔍 Log Sniffing** — Discover, read, and AI-summarize logs from containers and system files
+- **🧭 Detector Framework** — Rust-native detector registry for web attack heuristics and outbound exfiltration indicators
 - **🤖 AI/ML Detection** — Candle-powered anomaly detection + OpenAI/Ollama log analysis
 - **🚨 Alert System** — Multi-channel notifications (Slack, email, webhook)
 - **🔒 Automated Response** — nftables/iptables firewall, container quarantine
@@ -52,7 +53,7 @@ curl -fsSL https://raw.githubusercontent.com/vsilent/stackdog/main/install.sh |
 
 Pin a specific version:
 ```bash
-curl -fsSL https://raw.githubusercontent.com/vsilent/stackdog/main/install.sh | sudo bash -s -- --version v0.2.1
+curl -fsSL https://raw.githubusercontent.com/vsilent/stackdog/main/install.sh | sudo bash -s -- --version v0.2.2
 ```
 
 If your repository has no published stable release yet, use `--version` explicitly.
@@ -179,6 +180,14 @@ cargo run -- sniff --consume --output ./log-archive
 cargo run -- sniff --sources "/var/log/myapp.log,/opt/service/logs"
 ```
 
+The built-in sniff pipeline now includes Rust-native detectors for:
+
+- web attack indicators such as SQL injection probes, path traversal probes, login brute force, and webshell-style requests
+- exfiltration-style indicators such as suspicious SMTP/attachment activity and large outbound transfer hints in logs
+- reverse shell behavior, sensitive file access, cloud metadata / SSRF access, exfiltration chains, and secret leakage in logs
+- Wazuh-inspired file integrity monitoring for explicit paths configured with `STACKDOG_FIM_PATHS=/etc/ssh/sshd_config,/app/.env`
+- Wazuh-inspired configuration assessment via `STACKDOG_SCA_PATHS`, package inventory heuristics via `STACKDOG_PACKAGE_INVENTORY_PATHS`, Docker posture audits, and improved RFC3164/RFC5424 syslog parsing
+
 ### Use as Library
 
 Add to your `Cargo.toml`:

VERSION.md

@@ -1 +1 @@
-0.2.1
+0.2.2

docs/INDEX.md

@@ -1,7 +1,7 @@
 # Stackdog Security - Documentation Index
 
-**Version:** 0.2.0  
-**Last Updated:** 2026-03-13  
+**Version:** 0.2.2  
+**Last Updated:** 2026-04-07  
 
 ---
 

install.sh

@@ -3,7 +3,7 @@
 #
 # Usage:
 #   curl -fsSL https://raw.githubusercontent.com/vsilent/stackdog/main/install.sh | sudo bash
-#   curl -fsSL https://raw.githubusercontent.com/vsilent/stackdog/main/install.sh | sudo bash -s -- --version v0.2.0
+#   curl -fsSL https://raw.githubusercontent.com/vsilent/stackdog/main/install.sh | sudo bash -s -- --version v0.2.2
 #
 # Installs the stackdog binary to /usr/local/bin.
 # Requires: curl, tar, sha256sum (or shasum), Linux x86_64 or aarch64.
@@ -73,7 +73,7 @@ resolve_version() {
   fi
 
   if [ -z "$TAG" ]; then
-    error "Could not determine latest release. Create a GitHub release, or specify one with --version (e.g. --version v0.2.0)."
+    error "Could not determine latest release. Create a GitHub release, or specify one with --version (e.g. --version v0.2.2)."
   fi
 
   VERSION="$(echo "$TAG" | sed 's/^v//')"
@@ -136,7 +136,7 @@ main() {
         echo "Install stackdog binary to ${INSTALL_DIR}."
         echo ""
         echo "Options:"
-        echo "  --version VERSION   Install a specific version (e.g. v0.2.0)"
+        echo "  --version VERSION   Install a specific version (e.g. v0.2.2)"
         echo "  --help              Show this help"
         exit 0
         ;;

src/collectors/ebpf/loader.rs

@@ -4,6 +4,8 @@
 //!
 //! Note: This module is only available on Linux with the ebpf feature enabled
 
+#[cfg(all(target_os = "linux", feature = "ebpf"))]
+use anyhow::Context;
 use anyhow::Result;
 use std::collections::HashMap;