Massive v2 rewrite

config/behavioral-detection.toml.example

@@ -0,0 +1,197 @@
+# =============================================================================
+# BEHAVIORAL DETECTION CONFIGURATION - EXAMPLE
+# =============================================================================
+# Copy this file to behavioral-detection.toml and customize for your environment
+# =============================================================================
+
+[Core]
+# Enable or disable the behavioral detection engine
+Enabled = true
+
+# Operation mode: "detect" (log only) or "prevent" (actively block/rate limit)
+Mode = "prevent"
+
+# Default time window for metrics (milliseconds)
+DefaultTimeWindow = 300000  # 5 minutes
+
+# Maximum request history to keep per IP
+MaxHistoryPerIP = 1000
+
+# Database cleanup interval (milliseconds)
+CleanupInterval = 3600000  # 1 hour
+
+# =============================================================================
+# EXAMPLE DETECTION RULES
+# =============================================================================
+
+[[Rules]]
+Name = "404 Path Enumeration"
+Type = "enumeration"
+Severity = "medium"
+Description = "Detects rapid 404 responses indicating directory/file scanning"
+
+  [[Rules.Triggers]]
+  Metric = "status_code_count"
+  StatusCode = 404
+  Threshold = 15
+  TimeWindow = 60000  # 1 minute
+
+  [[Rules.Triggers]]  
+  Metric = "unique_paths_by_status"
+  StatusCode = 404
+  Threshold = 10
+  TimeWindow = 60000
+
+  [Rules.Action]
+  Score = 30
+  Tags = ["scanning", "enumeration", "reconnaissance"]
+  RateLimit = { Requests = 10, Window = 60000 }
+  Alert = false
+
+# Authentication bruteforce rule removed - not applicable for this security system
+
+[[Rules]]
+Name = "API Endpoint Enumeration"
+Type = "enumeration"
+Severity = "medium"
+Description = "Scanning for API endpoints"
+
+  [[Rules.Triggers]]
+  Metric = "unique_api_paths"
+  PathPrefix = "/api/"
+  Threshold = 20
+  TimeWindow = 60000
+  
+  [[Rules.Triggers]]
+  Metric = "mixed_http_methods"
+  PathPrefix = "/api/"
+  MinMethods = 3  # GET, POST, PUT, DELETE, etc.
+  TimeWindow = 60000
+
+  [Rules.Action]
+  Score = 25
+  Tags = ["api_abuse", "enumeration"]
+  RateLimit = { Requests = 20, Window = 60000 }
+
+[[Rules]]
+Name = "Velocity-Based Scanner"
+Type = "scanning"
+Severity = "medium"
+Description = "High-speed request patterns typical of automated scanners"
+
+  [[Rules.Triggers]]
+  Metric = "request_velocity"
+  RequestsPerSecond = 10
+  Duration = 5000  # Sustained for 5 seconds
+  
+  [[Rules.Triggers]]
+  Metric = "request_regularity"
+  MaxVariance = 0.1  # Very regular timing
+  MinRequests = 20
+
+  [Rules.Action]
+  Score = 35
+  Tags = ["automated_scanner", "bot"]
+  Challenge = true  # Show CAPTCHA or similar
+
+[[Rules]]
+Name = "Admin Interface Probing"
+Type = "reconnaissance"
+Severity = "medium"
+Description = "Attempts to find admin interfaces"
+
+  [[Rules.Triggers]]
+  Metric = "path_status_combo"
+  PathPattern = "^/(wp-)?admin|^/administrator|^/manage|^/cpanel|^/phpmyadmin"
+  StatusCodes = [200, 301, 302, 403, 404]
+  Threshold = 5
+  TimeWindow = 300000
+
+  [Rules.Action]
+  Score = 25
+  Tags = ["admin_probe", "reconnaissance"]
+  RateLimit = { Requests = 5, Window = 300000 }
+
+# =============================================================================
+# CORRELATION RULES EXAMPLES
+# =============================================================================
+
+[[Correlations]]
+Name = "Rotating User-Agent Attack"
+Description = "Same IP using multiple user agents rapidly"
+
+  [Correlations.Conditions]
+  Metric = "unique_user_agents_per_ip"
+  Threshold = 5
+  TimeWindow = 60000
+
+  [Correlations.Action]
+  Score = 20
+  Tags = ["evasion", "user_agent_rotation"]
+
+# =============================================================================
+# BEHAVIORAL THRESHOLDS
+# =============================================================================
+
+[Thresholds]
+# Minimum score to trigger any action
+MinActionScore = 20
+
+# Score thresholds for different severity levels
+LowSeverityThreshold = 20
+MediumSeverityThreshold = 40
+HighSeverityThreshold = 60
+CriticalSeverityThreshold = 80
+
+# =============================================================================
+# WHITELISTING
+# =============================================================================
+
+[Whitelist]
+# IPs that should never be blocked by behavioral rules
+TrustedIPs = [
+  "127.0.0.1",
+  "::1"
+  # Add your monitoring service IPs here
+]
+
+# User agents to treat with lower sensitivity
+TrustedUserAgents = [
+  "Googlebot",
+  "bingbot", 
+  "Slackbot",
+  "monitoring-bot"
+]
+
+# Paths where higher thresholds apply
+MonitoringPaths = [
+  "/health",
+  "/metrics", 
+  "/api/status",
+  "/.well-known/",
+  "/robots.txt",
+  "/sitemap.xml"
+]
+
+# =============================================================================
+# RESPONSE CUSTOMIZATION
+# =============================================================================
+
+[Responses]
+# Custom block message (can include HTML)
+BlockMessage = """
+<html>
+<head><title>Access Denied</title></head>
+<body>
+<h1>Access Denied</h1>
+<p>Your access has been restricted due to suspicious activity.</p>
+<p>If you believe this is an error, please contact support.</p>
+</body>
+</html>
+"""
+
+# Rate limit message
+RateLimitMessage = "Rate limit exceeded. Please slow down your requests."
+
+# Challenge page URL (for CAPTCHA/verification)
+ChallengePageURL = "/verify" 

config/ipfilter.toml.example

@@ -20,8 +20,8 @@ AccountID = ""
 # Can also be set via MAXMIND_LICENSE_KEY environment variable or .env file
 LicenseKey = ""
 
-# How often to check for database updates (in hours)
-DBUpdateIntervalHours = 12
+# How often to check for database updates (uses time.ts format: "24h", "5m", etc.)
+DBUpdateInterval = "12h"
 
 # -----------------------------------------------------------------------------
 # CACHING SETTINGS

config/proxy.toml.example

@@ -12,6 +12,9 @@
 # Enable or disable the proxy middleware
 Enabled = true
 
+# Maximum body size in MB (default: 10MB if not specified)
+MaxBodySizeMB = 10
+
 # -----------------------------------------------------------------------------
 # TIMEOUT SETTINGS
 # -----------------------------------------------------------------------------
@@ -27,6 +30,8 @@ UpstreamTimeoutMs = 30000
 # -----------------------------------------------------------------------------
 # Map hostnames to backend service URLs
 # Format: "hostname" = "backend_url"
+# Optional: AllowedMethods = ["GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH", "TRACE", "CONNECT"]
+# If AllowedMethods is not specified, defaults to ["GET", "HEAD", "POST", "PUT", "OPTIONS"]
 # -----------------------------------------------------------------------------
 
 [[Mapping]]
@@ -44,12 +49,20 @@ Target = "http://192.168.1.100:4533"
 Host = "git.example.com"
 Target = "http://192.168.1.100:3000"
 
-# [[Mapping]]
-# API service
-# Host = "api.example.com"
-# Target = "http://localhost:3001"
+[[Mapping]]
+# Gallery service with DELETE method enabled
+Host = "gallery.caileb.com"
+Target = "http://192.168.1.100:8080"
+AllowedMethods = ["GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS"]
 
 # [[Mapping]]
-# Admin panel
+# API service with specific methods
+# Host = "api.example.com"
+# Target = "http://localhost:3001"
+# AllowedMethods = ["GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH"]
+
+# [[Mapping]]
+# Admin panel (read-only)
 # Host = "admin.example.com"
-# Target = "http://localhost:3002" 
+# Target = "http://localhost:3002"
+# AllowedMethods = ["GET", "HEAD", "OPTIONS"] 

config/stats.toml.example

@@ -1,31 +0,0 @@
-# =============================================================================
-# STATS CONFIGURATION
-# =============================================================================
-# This configuration controls the statistics collection and visualization
-# middleware that tracks events and provides a web UI for viewing metrics.
-# =============================================================================
-
-# -----------------------------------------------------------------------------
-# CORE SETTINGS
-# -----------------------------------------------------------------------------
-[Core]
-# Enable or disable the stats plugin
-Enabled = true
-
-# -----------------------------------------------------------------------------
-# STORAGE SETTINGS
-# -----------------------------------------------------------------------------
-[Storage]
-# TTL for stats entries
-# Format: "30d", "24h", "1h", etc.
-StatsTTL = "30d"
-
-# -----------------------------------------------------------------------------
-# WEB UI SETTINGS
-# -----------------------------------------------------------------------------
-[WebUI]
-# Path for stats UI
-StatsUIPath = "/stats"
-
-# Path for stats API
-StatsAPIPath = "/stats/api"

config/threat-scoring.toml.example

@@ -0,0 +1,90 @@
+# =============================================================================
+# THREAT SCORING CONFIGURATION - EXAMPLE CONFIG
+# =============================================================================
+# Copy this file to threat-scoring.toml and customize for your environment
+# All included threat signals are fully implemented and tested
+
+[Core]
+# Enable or disable threat scoring entirely
+Enabled = true
+
+# Enable detailed logging of scoring decisions (for debugging)
+LogDetailedScores = false
+
+[Thresholds]
+# Score thresholds that determine the action taken for each request
+# Scores are calculated from 0-100+ based on various threat signals
+
+# Requests with scores <= AllowThreshold are allowed through immediately
+AllowThreshold = 15   # Conservative - allows more legitimate traffic
+
+# Requests with scores <= ChallengeThreshold receive a challenge (proof-of-work)
+ChallengeThreshold = 80   # Much higher - blocking is absolute last resort
+
+# Requests with scores > ChallengeThreshold are blocked
+BlockThreshold = 100  # Truly malicious content (javascript:, <script>, etc.)
+
+[Features]
+# Enable/disable specific threat analysis features
+EnableBotVerification = true   # Bot verification via DNS + IP ranges
+EnableGeoAnalysis = true       # Geographic analysis based on GeoIP data
+EnableBehaviorAnalysis = true  # Behavioral pattern analysis across requests
+EnableContentAnalysis = true   # Content/WAF analysis for malicious payloads
+
+# Signal weights for implemented threat detections
+[SignalWeights]
+
+# User-Agent Analysis
+[SignalWeights.ATTACK_TOOL_UA]
+weight = 30          # Risk score added for suspicious user agents
+confidence = 0.75    # Confidence in this signal (0.0-1.0)
+
+[SignalWeights.MISSING_UA]
+weight = 10          # Risk score for missing user agent
+confidence = 0.60    # Lower confidence for this signal
+
+# Web Application Firewall Signals
+[SignalWeights.SQL_INJECTION]
+weight = 80          # Very high risk - increased from 60
+confidence = 0.95    # High confidence in WAF detection
+
+[SignalWeights.XSS_ATTEMPT]
+weight = 85          # Extremely high risk - increased from 50
+confidence = 0.95    # Very high confidence - XSS is critical
+
+[SignalWeights.COMMAND_INJECTION]
+weight = 95          # Extreme risk - increased from 65
+confidence = 0.98    # Near certain malicious
+
+[SignalWeights.PATH_TRAVERSAL]
+weight = 70          # High risk - increased from 45
+confidence = 0.90    # High confidence
+
+# Enhanced Bot Scoring Configuration
+[EnhancedBotScoring]
+# Enhanced bot verification and scoring settings
+Enabled = true
+
+# Risk adjustment weights for verified bots (negative values reduce threat scores)
+[EnhancedBotScoring.Weights]
+baseVerificationWeight = 15      # Base weight for bot verification
+ipRangeWeight = 20              # Weight for IP range verification
+dnsWeight = 25                  # Weight for DNS verification
+combinedWeight = 35             # Weight when both DNS + IP match
+majorSearchEngineWeight = 10    # Additional weight for major search engines
+
+# Confidence thresholds for trust level determination
+[EnhancedBotScoring.Thresholds]
+verifiedLevel = 0.9    # Threshold for verified bot (90% confidence)
+highLevel = 0.8        # High confidence threshold  
+mediumLevel = 0.7      # Medium confidence threshold
+lowLevel = 0.5         # Low confidence threshold
+
+# Maximum risk reduction that can be applied (prevents abuse)
+maxRiskReduction = 50
+
+# Cache TTL Settings
+[Cache]
+BotVerificationTTL = "1h"      # How long to cache bot verification results
+IPScoreTTL = "30m"             # How long to cache IP threat scores
+SessionBehaviorTTL = "2h"      # How long to cache session behavior data 

config/waf.toml.example

@@ -0,0 +1,340 @@
+# =============================================================================
+# WEB APPLICATION FIREWALL (WAF) CONFIGURATION - EXAMPLE
+# =============================================================================
+# Copy this file to waf.toml and customize for your environment
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# CORE SETTINGS
+# -----------------------------------------------------------------------------
+[Core]
+# Enable or disable the WAF entirely
+Enabled = true
+
+# Log all WAF detections (even if not blocked)
+LogAllDetections = true
+
+# Maximum request body size to analyze (in bytes)
+MaxBodySize = 10485760  # 10MB
+
+# WAF operation mode: "detect" or "prevent"
+# detect = log only, prevent = actively block
+Mode = "prevent"
+
+# -----------------------------------------------------------------------------
+# DETECTION SETTINGS
+# -----------------------------------------------------------------------------
+[Detection]
+# Enable specific attack detection categories
+SQLInjection = true
+XSS = true
+CommandInjection = true
+PathTraversal = true
+LFI_RFI = true
+NoSQLInjection = true
+XXE = true
+LDAPInjection = true
+SSRF = true
+XMLRPCAttacks = true
+
+# Sensitivity levels: low, medium, high
+Sensitivity = "medium"
+
+# Paranoia level (1-4)
+ParanoiaLevel = 2
+
+# -----------------------------------------------------------------------------
+# SCORING CONFIGURATION
+# -----------------------------------------------------------------------------
+[Scoring]
+# Base scores for each attack type - significantly increased for aggressive detection
+SQLInjection = 80       # Increased from 35
+XSS = 90               # Increased from 30 - XSS is extremely dangerous
+CommandInjection = 100  # Increased from 40 - most dangerous
+PathTraversal = 70      # Increased from 25
+LFI_RFI = 80           # Increased from 35
+NoSQLInjection = 60     # Increased from 30
+XXE = 80               # Increased from 35
+LDAPInjection = 50      # Increased from 30
+SSRF = 75              # Increased from 35
+XMLRPCAttacks = 45      # Increased from 25
+
+# Score modifiers based on confidence
+HighConfidenceMultiplier = 1.2
+MediumConfidenceMultiplier = 1.0
+LowConfidenceMultiplier = 0.8
+
+# -----------------------------------------------------------------------------
+# RATE LIMITING
+# -----------------------------------------------------------------------------
+[RateLimit]
+# Maximum WAF detections per IP in the time window
+MaxDetectionsPerIP = 5    # More aggressive - reduced from 10
+
+# Time window for rate limiting (in seconds)
+TimeWindow = 600  # 10 minutes - increased window
+
+# Action when rate limit exceeded: "block" or "challenge"
+RateLimitAction = "block"   # Changed from challenge to block
+
+# Decay factor for repeated offenses
+DecayFactor = 0.8   # More aggressive decay
+
+# -----------------------------------------------------------------------------
+# ADVANCED DETECTION
+# -----------------------------------------------------------------------------
+[Advanced]
+# Enable machine learning-based detection
+MLDetection = false
+
+# Enable payload deobfuscation
+Deobfuscation = true
+MaxDeobfuscationLevels = 3
+
+# Enable response analysis (detect info leakage)
+ResponseAnalysis = true
+
+# Enable timing attack detection
+TimingAnalysis = false
+
+# -----------------------------------------------------------------------------
+# CUSTOM RULES EXAMPLES
+# -----------------------------------------------------------------------------
+
+[[CustomRules]]
+Name = "WordPress Admin Probe"
+Pattern = "(?i)/wp-admin/(admin-ajax\\.php|post\\.php)"
+Category = "reconnaissance"
+Score = 15
+Enabled = true
+Action = "log"
+Field = "uri_path"
+
+[[CustomRules]]
+Name = "Block Headless Browsers"
+Field = "user_agent"
+Pattern = "(?i)HeadlessChrome/"
+Category = "bad_bot"
+Score = 100
+Enabled = true
+Action = "block"
+
+# Example of blocking specific paths on specific hosts
+[[CustomRules]]
+Name = "Block Setup Endpoint"
+Field = "uri_path"
+Pattern = "(?i)/setup"
+Category = "access_control"
+Score = 100
+Enabled = false  # Disabled by default
+Action = "block"
+Hosts = ["example.com"]
+
+# Example of chained conditions (both must match)
+[[CustomRules]]
+Name = "Chained Demo Rule"
+Category = "demo"
+Score = 25
+Enabled = false  # Disabled by default
+Action = "block"
+
+[[CustomRules.Conditions]]
+Field = "uri_query"
+Pattern = "(?i)debug=true"
+
+[[CustomRules.Conditions]]
+Field = "user_agent"
+Pattern = "(?i)curl"
+
+# Block javascript: protocol in any part of the URL - CRITICAL
+[[CustomRules]]
+Name = "Block JavaScript Protocol"
+Field = "uri"
+Pattern = "(?i)javascript:"
+Category = "xss"
+Score = 100
+Enabled = true
+Action = "block"
+
+# Block dangerous data: URLs
+[[CustomRules]]
+Name = "Block Data URL XSS"
+Field = "uri"
+Pattern = "(?i)data:.*text/html"
+Category = "xss"
+Score = 100
+Enabled = true
+Action = "block"
+
+# Block data: URLs with JavaScript
+[[CustomRules]]
+Name = "Block Data URL JavaScript"
+Field = "uri"
+Pattern = "(?i)data:.*javascript"
+Category = "xss"
+Score = 100
+Enabled = true
+Action = "block"
+
+# Block vbscript: protocol
+[[CustomRules]]
+Name = "Block VBScript Protocol"
+Field = "uri"
+Pattern = "(?i)vbscript:"
+Category = "xss"
+Score = 100
+Enabled = true
+Action = "block"
+
+# Block any script tags in URL parameters
+[[CustomRules]]
+Name = "Block Script Tags in Query"
+Field = "uri_query"
+Pattern = "(?i)<script"
+Category = "xss"
+Score = 100
+Enabled = true
+Action = "block"
+
+# Block SQL injection keywords in query
+[[CustomRules]]
+Name = "Block SQL Keywords"
+Field = "uri_query"
+Pattern = "(?i)(union.*select|insert.*into|delete.*from|drop.*table)"
+Category = "sql_injection"
+Score = 100
+Enabled = true
+Action = "block"
+
+# -----------------------------------------------------------------------------
+# WHITELIST / EXCEPTIONS
+# -----------------------------------------------------------------------------
+[Exceptions]
+# Paths to exclude from WAF analysis
+ExcludedPaths = [
+  "/api/upload",
+  "/static/",
+  "/assets/",
+  "/health",
+  "/metrics"
+]
+
+# Parameter names to exclude from analysis
+ExcludedParameters = [
+  "utm_source",
+  "utm_medium",
+  "utm_campaign",
+  "ref",
+  "callback"
+]
+
+# Known good User-Agents to reduce false positives
+TrustedUserAgents = [
+  "GoogleBot",
+  "BingBot",
+  "monitoring-system"
+]
+
+# IP addresses to exclude from WAF analysis
+TrustedIPs = [
+  "127.0.0.1",
+  "::1"
+]
+
+# Content types to skip
+SkipContentTypes = [
+  "image/",
+  "video/",
+  "audio/",
+  "font/",
+  "application/pdf"
+]
+
+# -----------------------------------------------------------------------------
+# FALSE POSITIVE REDUCTION
+# -----------------------------------------------------------------------------
+[FalsePositive]
+# Common false positive patterns to ignore
+IgnorePatterns = [
+  # Legitimate base64 in JSON (e.g., image data)
+  "\"data:image\\/[^;]+;base64,",
+  # Markdown code blocks
+  "```[a-z]*\\n",
+  # Common API tokens (not actual secrets)
+  "token=[a-f0-9]{32}",
+  # Timestamps
+  "\\d{10,13}"
+]
+
+# Context-aware detection
+ContextualDetection = true
+
+# Authentication features removed - not applicable for this security system 
+
+# -----------------------------------------------------------------------------
+# BOT VERIFICATION
+# -----------------------------------------------------------------------------
+[BotVerification]
+# Enable comprehensive bot verification using IP ranges and DNS
+Enabled = true
+
+# Allow verified legitimate bots (Googlebot, Bingbot, etc.) to bypass WAF analysis
+# When true, verified bots get 90% threat score reduction
+AllowVerifiedBots = true
+
+# Block requests that claim to be bots but fail verification
+# When true, fake bot user agents get +50 threat score penalty
+BlockUnverifiedBots = true
+
+# Enable DNS verification (reverse DNS + forward DNS confirmation)
+EnableDNSVerification = true
+
+# Enable IP range verification using official bot IP ranges
+EnableIPRangeVerification = true
+
+# DNS lookup timeout
+DNSTimeout = "5s"
+
+# Minimum confidence score required to trust a bot (0.0-1.0)
+# Higher values = more strict verification
+MinimumConfidence = 0.8
+
+# Bot source definitions with user agent patterns and IP range sources
+[[BotVerification.BotSources]]
+name = "googlebot"
+userAgentPattern = "Googlebot/\\d+\\.\\d+"
+ipRangeURL = "https://developers.google.com/static/search/apis/ipranges/googlebot.json"
+dnsVerificationDomain = "googlebot.com"
+updateInterval = "24h"
+enabled = true
+
+[[BotVerification.BotSources]]
+name = "bingbot"
+userAgentPattern = "bingbot/\\d+\\.\\d+"
+ipRangeURL = "https://www.bing.com/toolbox/bingbot-ips.txt"
+dnsVerificationDomain = "search.msn.com"
+updateInterval = "24h"
+enabled = true
+
+[[BotVerification.BotSources]]
+name = "slurp"
+userAgentPattern = "Slurp"
+ipRangeURL = "https://help.yahoo.com/slurpbot-ips.txt"
+dnsVerificationDomain = "crawl.yahoo.net"
+updateInterval = "2d"
+enabled = false
+
+[[BotVerification.BotSources]]
+name = "duckduckbot"
+userAgentPattern = "DuckDuckBot/\\d+\\.\\d+"
+ipRangeURL = "https://duckduckgo.com/duckduckbot-ips.txt"
+updateInterval = "3d"
+enabled = false
+
+[[BotVerification.BotSources]]
+name = "facebookexternalhit"
+userAgentPattern = "facebookexternalhit/\\d+\\.\\d+"
+ipRangeURL = "https://developers.facebook.com/docs/sharing/webmasters/crawler-ips"
+dnsVerificationDomain = "facebook.com"
+updateInterval = "24h"
+enabled = false