HIDS/HIPS Architecture Implementation

.gitignore

@@ -67,3 +67,5 @@ desktop/tauri/src-tauri/intel/
 windows_kext/test/_testcert/
 windows_kext/test/_out/
 windows_kext/test/_delme/
+portmaster-ui/node_modules/
+portmaster-ui/dist/

portmaster-ui/.gitignore

@@ -0,0 +1,2 @@
+node_modules/
+dist/

portmaster-ui/index.html

@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Portmaster HIDS UI</title>
+  </head>
+  <body>
+    <div id="app"></div>
+    <script type="module" src="/src/main.js"></script>
+  </body>
+</html>

portmaster-ui/package.json

@@ -0,0 +1,17 @@
+{
+  "name": "portmaster-ui-vue",
+  "version": "1.0.0",
+  "description": "Portmaster UI Transformation - HIDS/HIPS",
+  "scripts": {
+    "dev": "vite",
+    "build": "vite build",
+    "preview": "vite preview"
+  },
+  "dependencies": {
+    "vue": "^3.2.47"
+  },
+  "devDependencies": {
+    "@vitejs/plugin-vue": "^4.0.0",
+    "vite": "^4.0.0"
+  }
+}

portmaster-ui/src/App.vue

@@ -0,0 +1,41 @@
+<template>
+  <div class="app-container">
+    <h1>Portmaster HIDS Interface</h1>
+    <WarningCard
+      v-for="alert in alerts"
+      :key="alert.pid"
+      :processName="alert.binaryPath"
+      :pid="alert.pid"
+      :score="alert.score"
+    />
+  </div>
+</template>
+
+<script>
+import WarningCard from './components/WarningCard.vue';
+
+export default {
+  name: 'App',
+  components: {
+    WarningCard
+  },
+  data() {
+    return {
+      alerts: []
+    }
+  },
+  mounted() {
+    // Dummy initial state to show UI, typically this would connect via WebSocket
+    this.alerts = [
+      { pid: 1042, binaryPath: "/usr/bin/curl", score: 0.85 }
+    ];
+  }
+}
+</script>
+
+<style>
+.app-container {
+  font-family: Arial, sans-serif;
+  padding: 20px;
+}
+</style>

portmaster-ui/src/components/WarningCard.vue

@@ -0,0 +1,102 @@
+<template>
+  <div class="warning-card">
+    <div class="header">
+      <span class="icon">⚠️</span>
+      <h2>Suspicious Activity Detected</h2>
+    </div>
+    <div class="content">
+      <p><strong>{{ processName }}</strong> is exhibiting suspicious behavior.</p>
+      <p>PID: {{ pid }} | Anomaly Score: {{ score }}</p>
+    </div>
+    <div class="actions">
+      <button @click="quarantineApp" :disabled="quarantined">
+        {{ quarantined ? 'App Quarantined' : 'Quarantine App' }}
+      </button>
+    </div>
+    <div v-if="error" class="error">
+      {{ error }}
+    </div>
+  </div>
+</template>
+
+<script>
+export default {
+  name: 'WarningCard',
+  props: {
+    processName: String,
+    pid: Number,
+    score: Number
+  },
+  data() {
+    return {
+      quarantined: false,
+      error: null
+    }
+  },
+  methods: {
+    async quarantineApp() {
+      try {
+        const formData = new FormData();
+        // Since the UI doesn't inherently have the profile ID linked, we simulate passing it.
+        // In full impl, this would resolve the PID -> Profile ID. For now we pass the binary path as fallback.
+        formData.append('profile', this.processName);
+
+        const res = await fetch('http://127.0.0.1:817/api/v1/hids/quarantine', {
+          method: 'POST',
+          body: formData
+        });
+
+        if (res.ok) {
+          this.quarantined = true;
+          this.error = null;
+        } else {
+          throw new Error("Failed to quarantine");
+        }
+      } catch (err) {
+        this.error = "Error attempting to quarantine application: " + err.message;
+      }
+    }
+  }
+}
+</script>
+
+<style scoped>
+.warning-card {
+  border: 2px solid #e74c3c;
+  border-radius: 8px;
+  padding: 16px;
+  margin: 16px 0;
+  background-color: #fdf2f0;
+}
+.header {
+  display: flex;
+  align-items: center;
+  color: #c0392b;
+}
+.header h2 {
+  margin: 0 0 0 10px;
+}
+.icon {
+  font-size: 24px;
+}
+.content p {
+  margin: 8px 0;
+}
+.actions button {
+  background-color: #e74c3c;
+  color: white;
+  border: none;
+  padding: 10px 16px;
+  border-radius: 4px;
+  cursor: pointer;
+  font-weight: bold;
+}
+.actions button:disabled {
+  background-color: #95a5a6;
+  cursor: not-allowed;
+}
+.error {
+  color: red;
+  margin-top: 10px;
+}
+</style>

portmaster-ui/src/main.js

@@ -0,0 +1,4 @@
+import { createApp } from 'vue'
+import App from './App.vue'
+
+createApp(App).mount('#app')

portmaster-ui/vite.config.js

@@ -0,0 +1,7 @@
+import { defineConfig } from 'vite'
+import vue from '@vitejs/plugin-vue'
+
+// https://vitejs.dev/config/
+export default defineConfig({
+  plugins: [vue()],
+})

service/network/api.go

@@ -16,6 +16,8 @@ import (
 	"github.com/safing/portmaster/service/process"
 	"github.com/safing/portmaster/service/resolver"
 	"github.com/safing/portmaster/service/status"
+	"github.com/safing/portmaster/base/log"
+	"github.com/safing/portmaster/service/profile"
 )
 
 func registerAPIEndpoints() error {
@@ -61,9 +63,79 @@ func registerAPIEndpoints() error {
 		return err
 	}
 
+	// HIDS/HIPS Endpoints
+	if err := api.RegisterEndpoint(api.Endpoint{
+		Path:        "hids/alert",
+		Write:       api.PermitUser,
+		StructFunc:  handleHidsAlert,
+		Name:        "HIDS Anomaly Alert",
+		Description: "Receives anomaly alerts from the ML sidecar.",
+		Parameters: []api.Parameter{
+			{Method: http.MethodPost, Field: "pid", Description: "The Process ID."},
+			{Method: http.MethodPost, Field: "binaryPath", Description: "Path to binary."},
+			{Method: http.MethodPost, Field: "destIP", Description: "Destination IP."},
+			{Method: http.MethodPost, Field: "score", Description: "Anomaly Score."},
+		},
+	}); err != nil {
+		return err
+	}
+
+	if err := api.RegisterEndpoint(api.Endpoint{
+		Path:        "hids/quarantine",
+		Write:       api.PermitUser,
+		StructFunc:  handleHidsQuarantine,
+		Name:        "Quarantine App",
+		Description: "Quarantines a specific profile by forcing the block default action.",
+		Parameters: []api.Parameter{
+			{Method: http.MethodPost, Field: "profile", Description: "The Profile ID to quarantine."},
+		},
+	}); err != nil {
+		return err
+	}
+
 	return nil
 }
 
+func handleHidsAlert(ar *api.Request) (i interface{}, err error) {
+	pid := ar.Request.FormValue("pid")
+	binaryPath := ar.Request.FormValue("binaryPath")
+	score := ar.Request.FormValue("score")
+
+	// This would typically broadcast an event or update an alert state table for the UI to consume.
+	// For this transformation, we simply log it loudly.
+	log.Warningf("HIDS ALERT: Suspicious activity detected for PID %s (%s) with score %s", pid, binaryPath, score)
+	return map[string]string{"status": "alert_received"}, nil
+}
+
+func handleHidsQuarantine(ar *api.Request) (i interface{}, err error) {
+	profileID := ar.Request.FormValue("profile")
+	if profileID == "" {
+		return nil, fmt.Errorf("missing profile parameter")
+	}
+
+	// Fetch profile using profile.GetLocalProfile
+	// Since we only have the profile ID from the frontend, we use nil matching data.
+	// Profile source is expected to be local.
+	prof, err := profile.GetLocalProfile(profileID, nil, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get profile: %v", err)
+	}
+	if prof == nil {
+		return nil, fmt.Errorf("profile not found")
+	}
+
+	// Force default action to block in the configuration tree
+	config.PutValueIntoHierarchicalConfig(prof.Config, "filter/defaultAction", "block")
+
+	err = prof.Save()
+	if err != nil {
+		return nil, fmt.Errorf("failed to save quarantined profile: %v", err)
+	}
+
+	log.Warningf("HIDS: Quarantined profile %s", profileID)
+	return map[string]string{"status": "quarantined", "profile": profileID}, nil
+}
+
 // debugInfo returns the debugging information for support requests.
 func debugInfo(ar *api.Request) (data []byte, err error) {
 	// Create debug information helper.

service/network/connection.go

@@ -839,6 +839,9 @@ func (conn *Connection) delete() {
 
 	conn.Meta().Delete()
 
+	// Stream connection telemetry to HIDS sidecar before finalization
+	sendTelemetry(conn)
+
 	// Notify database controller if data is complete and thus connection was previously exposed.
 	if conn.DataIsComplete() {
 		dbController.PushUpdate(conn)

service/network/telemetry.go

@@ -0,0 +1,65 @@
+package network
+
+import (
+	"encoding/json"
+	"net"
+
+	"github.com/safing/portmaster/base/log"
+)
+
+// ConnectionTelemetry holds the mapped features to be passed
+// to the external HIDS/HIPS Python sidecar logic via Unix socket.
+type ConnectionTelemetry struct {
+	PID           int    `json:"pid"`
+	BinaryPath    string `json:"binaryPath"`
+	DestIP        string `json:"destIP"`
+	BytesSent     uint64 `json:"bytesSent"`
+	BytesReceived uint64 `json:"bytesReceived"`
+	Started       int64  `json:"started"`
+	Ended         int64  `json:"ended"`
+}
+
+// sendTelemetry extracts required telemetry fields from a finalized connection
+// and writes them over a non-blocking UDS connection to /tmp/portmaster_telemetry.sock
+func sendTelemetry(conn *Connection) {
+	if conn == nil {
+		return
+	}
+
+	ipStr := ""
+	if conn.Entity != nil {
+		ipStr = conn.Entity.IP.String()
+	}
+
+	telemetry := ConnectionTelemetry{
+		PID:           conn.PID,
+		BinaryPath:    conn.ProcessContext.BinaryPath,
+		DestIP:        ipStr,
+		BytesSent:     conn.BytesSent,
+		BytesReceived: conn.BytesReceived,
+		Started:       conn.Started,
+		Ended:         conn.Ended,
+	}
+
+	data, err := json.Marshal(telemetry)
+	if err != nil {
+		log.Errorf("telemetry: failed to marshal connection telemetry: %s", err)
+		return
+	}
+
+	// Dispatch non-blocking dial and send to prevent slowing down packet filter
+	go func(payload []byte) {
+		socketConn, err := net.Dial("unix", "/tmp/portmaster_telemetry.sock")
+		if err != nil {
+			// Fail silently or log minimally; do not block Core service.
+			// The python sidecar might not be running yet or at all.
+			return
+		}
+		defer socketConn.Close()
+
+		_, err = socketConn.Write(append(payload, '\n'))
+		if err != nil {
+			log.Errorf("telemetry: failed to write to socket: %s", err)
+		}
+	}(data)
+}