feat(scanner): add WebSocket-based attack detection rules #44

Open
apex-cl wants to merge 2 commits into counterspec:main from apex-cl:feature/websocket-scanner-rules

apex-cl commented Apr 5, 2026

Summary

Implements WebSocket-based attack detection rules for the ISNAD Scanner.

Resolves Issue #3: Scanner rule for malicious WebSocket handlers

New Detection Rules

WS_SUSPICIOUS_CONNECT (critical)

  • Detects WebSocket connections to untrusted endpoints (potential C2)
  • Excludes safe: GitHub, OpenAI, Anthropic, Discord, Slack, Telegram, localhost

WS_DATA_EXFIL (critical)

  • Detects sending credentials over WebSocket: process.env, tokens, secrets, passwords, API keys

WS_REVERSE_SHELL (critical)

  • Detects WebSocket + child_process combination for reverse shells
  • Covers all variants: WebSocket-first, child_process-first, mixed order

WS_PERSISTENT_C2 (high)

  • Detects reconnection loops (setInterval/setTimeout patterns)
  • Identifies persistent C2 beaconing behavior

WS_COMMAND_EXEC (critical)

  • Detects eval/exec/Function/spawn in WebSocket message handlers
  • Catches remote code execution via bidirectional WebSocket channels

Tests

Comprehensive test suite (ws-detection.test.ts) covering:

  • 14 unit tests across all 5 rule categories
  • True positive detection
  • False negative prevention (safe WebSocket usage allowed)
  • 2 integration tests with realistic attack scenarios

All tests use the existing analyzeContent() engine — no new dependencies.

Checklist

  • Detect WebSocket connections to suspicious endpoints
  • Detect data exfiltration over WebSocket channels
  • Detect reverse shell patterns via WebSocket
  • At least 5 test cases (14 tests provided)
  • Tests passing
  • Scanner builds successfully

apex-cl added 2 commits April 5, 2026 08:30
Adds GitLab CI/CD pipeline integration for the ISNAD Scanner with SARIF
(Static Analysis Results Interchange Format) output compatible with
GitLab Security Dashboard and GitHub Code Scanning.

Changes:
- Add SARIF export module (scanner/src/sarif.ts)
  - analysisResultToSarif() converts scan results to SARIF 2.1.0 format
  - Maps severity levels: critical/high->error, medium->warning, low->note
  - Includes artifact locations, line numbers, code snippets, and rules

- Extend CLI with --sarif-output flag (scanner/src/cli.ts)
  - batch command now supports --sarif-output <path> option
  - Combines results from multiple files into a single SARIF report
  - Report appears in GitLab MR widget under Security tab

- Add .gitlab-ci.yml template
  - Ready-to-use pipeline with configurable SCAN_TARGETS and SCAN_FAIL_LEVEL
  - SARIF artifact uploaded for GitLab SAST reports
  - Runs on push, MR, and scheduled pipelines

- Add .gitlab-ci-templates.yml with advanced templates
  - Auto-issue creation on critical findings via GitLab API

- Add documentation (docs/GITLAB_CI.md)
  - Quick start guide, configuration reference, and pipeline examples

- Add unit tests for SARIF export (scanner/tests/sarif.test.ts)
  - Tests rule generation, severity mapping, and JSON serialization

Fixes: counterspec#5

Adds comprehensive scanner rules for detecting malicious WebSocket
patterns commonly used in supply chain attacks and C2 communication.

New patterns:
- WS_SUSPICIOUS_CONNECT: Detects WebSocket connections to untrusted
  endpoints (potential C2 channels). Excludes known safe domains
  (GitHub, OpenAI, Discord, Slack, Telegram) and localhost.

- WS_DATA_EXFIL: Detects sensitive data exfiltration over WebSocket
  channels including credentials, tokens, passwords, API keys,
  and environment variables.

- WS_REVERSE_SHELL: Detects reverse shell patterns via WebSocket
  combining WebSocket with child_process module for remote code
  execution.

- WS_PERSISTENT_C2: Detects persistent C2 communication channels
  via WebSocket reconnection loops (setInterval, setTimeout patterns).

- WS_COMMAND_EXEC: Detects receiving and executing commands from
  a WebSocket server (eval, exec, Function in message handlers).

All patterns include unit tests covering:
- True positive detection of attack patterns
- False positive prevention for legitimate WebSocket usage
- Integration tests with realistic attack scenarios

Resolves: counterspec#3
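
An illustration of how two of the rules described in this pull request (WS_SUSPICIOUS_CONNECT and WS_REVERSE_SHELL) could be expressed, added here as an example and not taken from the PR or the ISNAD Scanner code base. The function names, the allowlist entries and the sample input are constructed assumptions; the allowlist is matched on the parsed hostname at a label boundary instead of by substring.

```typescript
// Added illustration, not ISNAD Scanner code; all names here are hypothetical.
type Finding = { rule: string; severity: string; line: number; detail: string };

// Constructed allowlist modelled on the exclusions listed in the PR description.
const TRUSTED_SUFFIXES: string[] = ["github.com", "openai.com", "anthropic.com",
  "discord.com", "slack.com", "telegram.org"];
const LOOPBACK: string[] = ["localhost", "127.0.0.1", "[::1]"];

// Compare the parsed hostname at a label boundary, so a lookalike such as
// "github.com.attacker.example" is not accepted as github.com.
function isTrustedHost(host: string): boolean {
  const h = host.toLowerCase();
  if (LOOPBACK.indexOf(h) !== -1) return true;
  return TRUSTED_SUFFIXES.some((s) => h === s || h.endsWith("." + s));
}

function scanWebSocketUse(source: string): Finding[] {
  const findings: Finding[] = [];
  const connect = /new\s+WebSocket\s*\(\s*["'`](wss?:\/\/[^"'`]+)["'`]/;
  let sawSocket = false;
  let childProcessLine = 0;
  source.split("\n").forEach((text, i) => {
    if (/\bWebSocket\b/.test(text)) sawSocket = true;
    if (childProcessLine === 0 && /["'](node:)?child_process["']/.test(text)) childProcessLine = i + 1;
    const m = connect.exec(text);
    if (m === null) return;
    const raw = m[1] ?? "";
    let host = "";
    try { host = new URL(raw).hostname; } catch { host = ""; }
    // An unparseable URL is reported too, since it cannot be shown to be trusted.
    if (host === "" || !isTrustedHost(host)) {
      findings.push({ rule: "WS_SUSPICIOUS_CONNECT", severity: "critical", line: i + 1, detail: host || raw });
    }
  });
  // Order-independent co-occurrence: a socket plus child_process anywhere in the file.
  if (sawSocket && childProcessLine > 0) {
    findings.push({ rule: "WS_REVERSE_SHELL", severity: "critical", line: childProcessLine, detail: "WebSocket with child_process" });
  }
  return findings;
}

// Constructed sample input (not from the PR's test suite).
const SAMPLE: string = [
  'const cp = require("child_process");',
  'const ok = new WebSocket("wss://api.slack.com/rtm");',
  'const a = new WebSocket("wss://github.com.attacker.example/sync");',
  'const b = new WebSocket("ws://localhost:8080/dev");',
].join("\n");
```

A file-level co-occurrence check like the second rule is coarse: it is meant to route a file to review, and legitimate tooling that uses both APIs will match it.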

vercel bot commented Apr 5, 2026

@apex-cl is attempting to deploy a commit to the Rapi's projects Team on Vercel.

A member of the Team first needs to authorize it.
