{"id":21518561,"url":"https://github.com/simplify-framework/intrusion","last_synced_at":"2025-03-17T16:43:48.545Z","repository":{"id":57361507,"uuid":"450025834","full_name":"simplify-framework/intrusion","owner":"simplify-framework","description":"Simplify Intrusion Detection/Prevention for NodeJS","archived":false,"fork":false,"pushed_at":"2022-02-25T11:18:29.000Z","size":1324,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-02-25T19:47:52.470Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/simplify-framework.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-01-20T09:06:59.000Z","updated_at":"2022-01-23T19:56:46.000Z","dependencies_parsed_at":"2022-09-26T16:41:00.203Z","dependency_job_id":null,"html_url":"https://github.com/simplify-framework/intrusion","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":"simplify-framework/pets-project-template","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simplify-framework%2Fintrusion","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simplify-framework%2Fintrusion/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simplify-framework%2Fintrusion/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simplify-framework%2Fintrusion/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/simplify-framework","download_url":"https://codeload.github.co
m/simplify-framework/intrusion/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244072402,"owners_count":20393608,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-24T00:53:01.049Z","updated_at":"2025-03-17T16:43:48.519Z","avatar_url":"https://github.com/simplify-framework.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"### SimplifyFramework - IDS/IPS (Network/Module) : NodeJS version \u003e= 12.x\n\n![NPM Downloads](https://img.shields.io/npm/dw/simplify-intrusion)\n![Package Version](https://img.shields.io/github/package-json/v/simplify-framework/intrusion?color=green)\n\n- Host Intrusion Detection and Prevention\n  + Detect modules loaded by require('module').\n  + Detect modules compiled by module._compile('code').\n  + Block or allow some modules by names or by hashcodes.\n\n- Network Intrusion Detection and Prevention\n  + Detect HTTP/HTTPS/UDP/TCP outbound connections.\n  + Block or allow by domain names or IP addresses.\n  + Redirect the outbound connection to a honeypot.\n\n````diff\nWARNING: This library does not handle the require('net').Socket.connect() function.\n````\n### Node Environment Variables Setup\n\n- Set process.env.`IDS_ENABLE_METRIC_LOGGING`=true|`false` to turn ON/OFF the AWS CloudWatch metric collector.\n- Set process.env.`IDS_ENABLE_MODULE_TRACKER`=true|`false` to turn ON/OFF the Host Tracker (HIDS/HIPS).\n- Set process.env.`IDS_PRINT_OUTPUT_LOG`=true|`false` to turn ON/OFF the console output logs (silent 
mode).\n\n### Set up your AWS environment or IAM Role in your Lambdas with this permission:\n\nThis library requires an AWS IAM Role that allows publishing CloudWatch Metrics to a custom namespace:\n\n```yaml\nPolicies:\n  - PolicyName: cloudwatch-metrics\n    PolicyDocument:\n      Statement:\n      - Effect: Allow\n        Action:\n        - cloudwatch:PutMetricData\n        Resource: \"*\"\n```\n\nThe metrics namespace is set by the 2nd parameter of the constructor:\n- new IDS({}, '`TestApp/IDS`' /* Custom Namespace */, '127.0.0.255'/* honeypot */, true /* enable metric logging */)\n\n\n### AWS/Lambda - Make a build, then attach it to a Lambda function from the command line\n\n- `simplify-intrusion --bucket=YOUR_BUCKET_NAME --layer-name=YOUR_IDS_LAYER_NAME make`\n- `simplify-intrusion --function-name=YOUR_TARGET_FUNCTION [--layer-version-arn=YOUR_LAYER_ARN] attach`\n\n### SDK/Library - Use the { IDS } module to detect outbound network intrusion from your code:\n\n1. Load the library with IDS configuration:\n\n```Javascript\nvar { IDS } = require('simplify-intrusion')\nvar nodeFirewall = new IDS({\n    network: { allowDomainsOrHostIPs: [\n      /* a whitelist of domains or IPs that your code is allowed to access, startsWith('string') rule */\n    ], blockDomainsOrHostIPs: [\n      /* the blacklist of domains or IPs you want to BLOCK from your code, startsWith('string') rule */\n      /* example: ['*'] =\u003e block all outbound network connections from the host; all connections are allowed by default */\n    ] },\n    host: { allowModuleOrSHA256OfCode: [\n      /* a whitelist of module names or SHA-256('code') values that will be embedded by using module._compile(), startsWith('string') rule */\n    ], blockModuleOrSHA256OfCode: [\n      /* the blacklist of module names or SHA-256('code') values that contains the untrusted hashes of modules, startsWith('string') rule */\n      /* example: ['QsPV5N10sTZExAjkbZuQn5yEe0Jkpd4rHRnSxH9dF7Y=', 'buffer:4.9.2', 'request:2.88.'] */\n    ] }\n  
},\n  'YourApp/IDS' /* log metrics to your custom CloudWatch NameSpace if the CloudWatch Metrics is enabled */,\n  'dev.null.org' /* if BLOCKED, reflect the requests to a honeypot server: dev.null.org */,\n  false /* true = enable the CloudWatch Metrics */)\n```\n\n2. Write your code with all the require('...') after the line above.\n\n```Javascript\nvar http = require('http')\nvar https = require('https')\nvar { ClientRequest } = require('_http_client')\n/* named Module so it does not shadow the CommonJS module object used below */\nvar Module = require('module')\n\n/* an example of your lambda code */\nmodule.exports.handler = function(event, context, callback) {\n  //DO SOMETHING LIKE CALL EXTERNAL APIS\n  var r = https.request(\"https://google.com/api/...\", (res) =\u003e {\n      console.log(res)\n  })\n  r \u0026\u0026 r.end()\n}\n\n```\n\n3. Detach the library when everything is done:\n\n```Javascript\nsomePromiseOrCallbackFunction().then(response =\u003e {\n  nodeFirewall.detach()\n  callback(null, response)\n})\n```\n\n### EXAMPLE - Running an example of intrusion code.\n\n1. Install Simplify Framework - Intrusion library\n- `npm install simplify-intrusion`\n\n2. 
Create example.js node application\n\n```JavaScript\nvar { IDS } = require('simplify-intrusion')\nvar nodeFirewall = new IDS({\n    network: { allowDomainsOrHostIPs: [], blockDomainsOrHostIPs: [] },\n    host: { allowModuleOrSHA256OfCode: ['OtbUd5po/kQtu2FweSNa42kOfFYZvlsFuen1xXeOPKs='], blockModuleOrSHA256OfCode: ['*'] }\n}, 'TestApp/IDS', 'dev.null.org')\n\nvar path = require('path')\nvar https = require('https')\n\nvar httpClient = require('_http_client')\n\neval('console.log(\"eval() is not allowed.\")')\nvar requireFromString = require('require-from-string')\nvar rq = requireFromString('module.exports = function(){console.log(\"require-from-string: OK\")}', 'Test')\ntypeof rq == 'function' \u0026\u0026 rq()\nvar res = new httpClient.ClientRequest(\"http://google.com\", { headers: { \"Content-Type\": \"application/json\" }, method: 'GET' }, (res) =\u003e {\n    var r = https.request(\"https://google.com\", (res) =\u003e {\n        nodeFirewall.detach()\n    })\n    r \u0026\u0026 r.end()\n})\nres \u0026\u0026 res.end()\n\n```\n\n3. Run `node example.js`\n\nExpected outcome:\n\n```bash\n$ node example.js\n\n  \u003e\u003e\u003e\u003e [Blocked] (function:eval) EXEC - console.log(\"eval() is not allowed.\")\nrequire-from-string: OK\n  \u003e\u003e\u003e\u003e [Warning] (_http_client) GET - http://google.com\n  \u003e\u003e\u003e\u003e [Allowed] (module:compile) Test - OtbUd5po/kQtu2FweSNa42kOfFYZvlsFuen1xXeOPKs=\n  \u003e\u003e\u003e\u003e [Warning] (https:request) GET - https://google.com/\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimplify-framework%2Fintrusion","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsimplify-framework%2Fintrusion","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimplify-framework%2Fintrusion/lists"}