Security Tools in Lateralus
Security tools are fundamentally about data processing pipelines. You capture packets, parse protocols, filter anomalies, correlate events, and generate reports. Every step transforms data and passes it forward. That's exactly what the pipeline operator was built for.
Port Scanner
A basic port scanner in Lateralus reads like a description of what it does:
fn scan_ports(target: String, range: Range<u16>) -> Vec<PortResult> {
range
|> map(|port| spawn probe(target, port))
|> await collect()
|> filter(|r| r.status == Open)
|> map(|r| {
let service = r.port |> identify_service()
let banner = r |> grab_banner()
PortResult { port: r.port, service, banner }
})
|> sort_by(|r| r.port)
}Each scan runs concurrently via spawn. Results flow through filter, enrichment, and sorting — all in one pipeline.
Packet Analysis
Packet parsing benefits enormously from pattern matching. Protocol headers are union types — an Ethernet frame contains either an IPv4 packet, IPv6 packet, ARP reply, or something else:
fn analyze_packet(raw: Bytes) -> Analysis {
raw
|> parse_ethernet()
|> match {
Ethernet { payload: IPv4(pkt), .. } =>
pkt |> analyze_ipv4(),
Ethernet { payload: IPv6(pkt), .. } =>
pkt |> analyze_ipv6(),
Ethernet { payload: ARP(arp), .. } =>
arp |> check_arp_spoof(),
_ => Analysis::unknown(),
}
}
fn analyze_ipv4(pkt: IPv4Packet) -> Analysis {
match pkt.protocol {
TCP(seg) => seg |> detect_syn_flood() |> check_payload(),
UDP(dgm) => dgm |> detect_dns_tunnel(),
ICMP(msg) => msg |> detect_ping_sweep(),
_ => Analysis::benign(),
}
}Log Correlation
Security monitoring means correlating events across multiple log sources. Pipelines make the correlation chain explicit:
fn detect_lateral_movement(logs: Vec<LogSource>) -> Vec<Alert> {
logs
|> flat_map(|src| src |> parse_entries())
|> filter(|e| e.event_type == Authentication)
|> group_by(|e| e.source_ip)
|> filter_entries(|ip, events| {
let hosts = events |> map(|e| e.target) |> unique() |> len()
let window = events |> time_window()
hosts > 5 && window < minutes(10)
})
|> map(|ip, events| Alert {
severity: Critical,
kind: LateralMovement,
source: ip,
evidence: events,
})
}The algorithm is the code: parse → filter authentication events → group by source → detect rapid multi-host access → generate alerts.
Vulnerability Scanner
Combining async pipelines with pattern matching creates scanners that are both fast and readable:
fn scan_web_app(base_url: String) -> Report {
base_url
|> crawl_urls()
|> map(|url| spawn {
let xss = url |> test_xss()
let sqli = url |> test_sqli()
let ssrf = url |> test_ssrf()
(url, xss, sqli, ssrf)
})
|> await collect()
|> filter(|r| r |> has_findings())
|> sort_by(|r| r |> severity(), descending)
|> Report::generate()
}Why Pipelines for Security
Three properties make pipelines ideal for security tools:
- Auditability. Each step in a pipeline is visible and independent. Peer reviewers can trace exactly what the tool does.
- Composability. Security analysis chains together — parse, enrich, correlate, alert. Each step is a function that can be tested alone.
- Concurrency. Scanning is inherently parallel.
spawnin a pipeline runs probes concurrently without callback complexity.
Security tools should be as auditable as the systems they protect. Pipelines make the logic transparent.