Metadata-Version: 2.4
Name: hivebee-ids
Version: 0.1.0
Summary: Deception-based intrusion detection for Linux
Requires-Python: >=3.10
Description-Content-Type: text/markdown
Requires-Dist: flask>=3.0
Requires-Dist: pyyaml>=6.0
Requires-Dist: rich>=13.0
Requires-Dist: anthropic>=0.25
Requires-Dist: requests>=2.31

# 🐝 HiveBee IDS

A lightweight, deception-based intrusion detection system for Linux.
HiveBee deploys honeyfiles — fake credential files — and alerts you the moment anyone touches them.

## How it works

1. **Install** — HiveBee scans your system and deploys realistic-looking honeyfiles (fake passwords, SSH keys, AWS credentials)
2. **Monitor** — Uses Linux `auditd` to watch every file access in real time
3. **Alert** — The moment a honeyfile is touched, you get a desktop notification, email alert, and dashboard update
4. **Dashboard** — Live web UI shows every alert with risk scores, timestamps, and process info

## Requirements

- Linux (Kali, Ubuntu, Debian)
- Python 3.8+
- `auditd` installed (`sudo apt install auditd`)

## Install
```bash
pip install hivebee-ids
```

Or from source:
```bash
git clone https://github.com/YOUR_USERNAME/hivebee-ids.git
cd hivebee-ids
pip install -e .
```

## Usage
```bash
# Deploy honeyfiles
hivebee install

# Start monitoring + dashboard
sudo hivebee start

# Check alert counts
hivebee status

# Stop monitoring
sudo hivebee stop

# Remove all honeyfiles
sudo hivebee uninstall
```

## Dashboard

Open `http://127.0.0.1:5000` after running `hivebee start`.

- Live alert feed (polls every 5 seconds)
- Risk scores 0–10
- Colour-coded badges: CRITICAL / HIGH / MEDIUM / LOW
- One-click log clear

## Risk Scoring

| Factor | Points |
|---|---|
| root access | +4 |
| credential filename | +2 |
| unknown process | +3 |
| SSH key filename | +2 |

Scores of 7–10 are rated CRITICAL. Alerts fire instantly.
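
The sketch below is an added example, not HiveBee's own code: it shows how raw `auditd` records for a watched honeyfile can be merged into events and scored with the table above. The watch key `hivebee_honey`, the process allowlist, the filename hints and the cap at 10 are assumptions made for illustration, and the log lines are constructed.

```python
import re
from collections import defaultdict

AUDIT_KEY = "hivebee_honey"                        # hypothetical audit watch key
KNOWN_EXES = {"/usr/bin/rsync"}                    # assumed allowlist, e.g. a backup job
CRED_HINTS = ("password", "credential", "secret")  # assumed "credential filename" test
SSH_HINTS = ("id_rsa", "id_ed25519")               # assumed "SSH key filename" test

# Constructed sample in auditd's raw log format (not real captured data).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): syscall=257 success=yes pid=4242 uid=0 comm="cat" exe="/usr/bin/cat" key="hivebee_honey"
type=PATH msg=audit(1700000000.100:101): item=0 name="/root/.ssh/id_rsa.bak" nametype=NORMAL
type=SYSCALL msg=audit(1700000060.200:102): syscall=257 success=yes pid=4300 uid=1000 comm="rsync" exe="/usr/bin/rsync" key="hivebee_honey"
type=PATH msg=audit(1700000060.200:102): item=0 name="/home/alice/passwords.txt" nametype=NORMAL
type=SYSCALL msg=audit(1700000090.300:103): syscall=257 success=yes pid=4301 uid=1000 comm="vim" exe="/usr/bin/vim" key=(null)
type=PATH msg=audit(1700000090.300:103): item=0 name="/home/alice/notes.txt" nametype=NORMAL
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Merge SYSCALL and PATH records sharing an audit(ts:serial) id; keep honeyfile hits."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events[m.group(1)]
        if f.get("type") == "SYSCALL":
            ev.update(uid=f.get("uid"), exe=f.get("exe"), key=f.get("key"))
        elif f.get("type") == "PATH" and f.get("nametype") != "PARENT":
            ev["path"] = f.get("name")
    return [e for e in events.values() if e.get("key") == AUDIT_KEY and "path" in e]

def risk_score(ev):
    """Apply the risk table above; capped at 10 to stay on the 0-10 scale."""
    name = ev["path"].rsplit("/", 1)[-1].lower()
    score = 4 * (ev["uid"] == "0")                   # root access
    score += 3 * (ev["exe"] not in KNOWN_EXES)       # unknown process
    score += 2 * any(h in name for h in CRED_HINTS)  # credential filename
    score += 2 * any(h in name for h in SSH_HINTS)   # SSH key filename
    return min(score, 10)

def alerts(log_text):
    """Return (path, exe, score, is_critical) per honeyfile access; 7-10 is CRITICAL."""
    return [(e["path"], e["exe"], s, s >= 7)
            for e in parse_events(log_text) for s in [risk_score(e)]]
```

Calling `alerts(SAMPLE_LOG)` rates the root `cat` of the fake SSH key as CRITICAL, scores the allowlisted `rsync` read low, and ignores the record that carries no honeyfile key.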

## Config

Edit `config/default_config.yaml` to enable email alerts, change ports, or add an AI API key for smarter honeyfile generation.

## License

MIT

