Massive v2 rewrite

2025-08-02 15:34:04 -05:00 · 2025-08-02 15:34:04 -05:00 · 5f1328f626
commit 5f1328f626
parent 1025f3b523
77 changed files with 28105 additions and 3542 deletions
--- a/config/waf.toml.example
+++ b/config/waf.toml.example
@ -0,0 +1,340 @@
+# =============================================================================
+# WEB APPLICATION FIREWALL (WAF) CONFIGURATION - EXAMPLE
+# =============================================================================
+# Copy this file to waf.toml and customize for your environment
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# CORE SETTINGS
+# -----------------------------------------------------------------------------
+[Core]
+# Enable or disable the WAF entirely
+Enabled = true
+
+# Log all WAF detections (even if not blocked)
+LogAllDetections = true
+
+# Maximum request body size to analyze (in bytes)
+MaxBodySize = 10485760  # 10MB
+
+# WAF operation mode: "detect" or "prevent"
+# detect = log only, prevent = actively block
+Mode = "prevent"
+
+# -----------------------------------------------------------------------------
+# DETECTION SETTINGS
+# -----------------------------------------------------------------------------
+[Detection]
+# Enable specific attack detection categories
+SQLInjection = true
+XSS = true
+CommandInjection = true
+PathTraversal = true
+LFI_RFI = true
+NoSQLInjection = true
+XXE = true
+LDAPInjection = true
+SSRF = true
+XMLRPCAttacks = true
+
+# Sensitivity levels: low, medium, high
+Sensitivity = "medium"
+
+# Paranoia level (1-4)
+ParanoiaLevel = 2
+
+# -----------------------------------------------------------------------------
+# SCORING CONFIGURATION
+# -----------------------------------------------------------------------------
+[Scoring]
+# Base scores for each attack type - significantly increased for aggressive detection
+SQLInjection = 80       # Increased from 35
+XSS = 90               # Increased from 30 - XSS is extremely dangerous
+CommandInjection = 100  # Increased from 40 - most dangerous
+PathTraversal = 70      # Increased from 25
+LFI_RFI = 80           # Increased from 35
+NoSQLInjection = 60     # Increased from 30
+XXE = 80               # Increased from 35
+LDAPInjection = 50      # Increased from 30
+SSRF = 75              # Increased from 35
+XMLRPCAttacks = 45      # Increased from 25
+
+# Score modifiers based on confidence
+HighConfidenceMultiplier = 1.2
+MediumConfidenceMultiplier = 1.0
+LowConfidenceMultiplier = 0.8
+
+# -----------------------------------------------------------------------------
+# RATE LIMITING
+# -----------------------------------------------------------------------------
+[RateLimit]
+# Maximum WAF detections per IP in the time window
+MaxDetectionsPerIP = 5    # More aggressive - reduced from 10
+
+# Time window for rate limiting (in seconds)
+TimeWindow = 600  # 10 minutes - increased window
+
+# Action when rate limit exceeded: "block" or "challenge"
+RateLimitAction = "block"   # Changed from challenge to block
+
+# Decay factor for repeated offenses
+DecayFactor = 0.8   # More aggressive decay
+
+# -----------------------------------------------------------------------------
+# ADVANCED DETECTION
+# -----------------------------------------------------------------------------
+[Advanced]
+# Enable machine learning-based detection
+MLDetection = false
+
+# Enable payload deobfuscation
+Deobfuscation = true
+MaxDeobfuscationLevels = 3
+
+# Enable response analysis (detect info leakage)
+ResponseAnalysis = true
+
+# Enable timing attack detection
+TimingAnalysis = false
+
+# -----------------------------------------------------------------------------
+# CUSTOM RULES EXAMPLES
+# -----------------------------------------------------------------------------
+
+[[CustomRules]]
+Name = "WordPress Admin Probe"
+Pattern = "(?i)/wp-admin/(admin-ajax\\.php|post\\.php)"
+Category = "reconnaissance"
+Score = 15
+Enabled = true
+Action = "log"
+Field = "uri_path"
+
+[[CustomRules]]
+Name = "Block Headless Browsers"
+Field = "user_agent"
+Pattern = "(?i)HeadlessChrome/"
+Category = "bad_bot"
+Score = 100
+Enabled = true
+Action = "block"
+
+# Example of blocking specific paths on specific hosts
+[[CustomRules]]
+Name = "Block Setup Endpoint"
+Field = "uri_path"
+Pattern = "(?i)/setup"
+Category = "access_control"
+Score = 100
+Enabled = false  # Disabled by default
+Action = "block"
+Hosts = ["example.com"]
+
+# Example of chained conditions (both must match)
+[[CustomRules]]
+Name = "Chained Demo Rule"
+Category = "demo"
+Score = 25
+Enabled = false  # Disabled by default
+Action = "block"
+
+[[CustomRules.Conditions]]
+Field = "uri_query"
+Pattern = "(?i)debug=true"
+
+[[CustomRules.Conditions]]
+Field = "user_agent"
+Pattern = "(?i)curl"
+
+# Block javascript: protocol in any part of the URL - CRITICAL
+[[CustomRules]]
+Name = "Block JavaScript Protocol"
+Field = "uri"
+Pattern = "(?i)javascript:"
+Category = "xss"
+Score = 100
+Enabled = true
+Action = "block"
+
+# Block dangerous data: URLs
+[[CustomRules]]
+Name = "Block Data URL XSS"
+Field = "uri"
+Pattern = "(?i)data:.*text/html"
+Category = "xss"
+Score = 100
+Enabled = true
+Action = "block"
+
+# Block data: URLs with JavaScript
+[[CustomRules]]
+Name = "Block Data URL JavaScript"
+Field = "uri"
+Pattern = "(?i)data:.*javascript"
+Category = "xss"
+Score = 100
+Enabled = true
+Action = "block"
+
+# Block vbscript: protocol
+[[CustomRules]]
+Name = "Block VBScript Protocol"
+Field = "uri"
+Pattern = "(?i)vbscript:"
+Category = "xss"
+Score = 100
+Enabled = true
+Action = "block"
+
+# Block any script tags in URL parameters
+[[CustomRules]]
+Name = "Block Script Tags in Query"
+Field = "uri_query"
+Pattern = "(?i)<script"
+Category = "xss"
+Score = 100
+Enabled = true
+Action = "block"
+
+# Block SQL injection keywords in query
+[[CustomRules]]
+Name = "Block SQL Keywords"
+Field = "uri_query"
+Pattern = "(?i)(union.*select|insert.*into|delete.*from|drop.*table)"
+Category = "sql_injection"
+Score = 100
+Enabled = true
+Action = "block"
+
+# -----------------------------------------------------------------------------
+# WHITELIST / EXCEPTIONS
+# -----------------------------------------------------------------------------
+[Exceptions]
+# Paths to exclude from WAF analysis
+ExcludedPaths = [
+  "/api/upload",
+  "/static/",
+  "/assets/",
+  "/health",
+  "/metrics"
+]
+
+# Parameter names to exclude from analysis
+ExcludedParameters = [
+  "utm_source",
+  "utm_medium",
+  "utm_campaign",
+  "ref",
+  "callback"
+]
+
+# Known good User-Agents to reduce false positives
+TrustedUserAgents = [
+  "GoogleBot",
+  "BingBot",
+  "monitoring-system"
+]
+
+# IP addresses to exclude from WAF analysis
+TrustedIPs = [
+  "127.0.0.1",
+  "::1"
+]
+
+# Content types to skip
+SkipContentTypes = [
+  "image/",
+  "video/",
+  "audio/",
+  "font/",
+  "application/pdf"
+]
+
+# -----------------------------------------------------------------------------
+# FALSE POSITIVE REDUCTION
+# -----------------------------------------------------------------------------
+[FalsePositive]
+# Common false positive patterns to ignore
+IgnorePatterns = [
+  # Legitimate base64 in JSON (e.g., image data)
+  "\"data:image\\/[^;]+;base64,",
+  # Markdown code blocks
+  "```[a-z]*\\n",
+  # Common API tokens (not actual secrets)
+  "token=[a-f0-9]{32}",
+  # Timestamps
+  "\\d{10,13}"
+]
+
+# Context-aware detection
+ContextualDetection = true
+
+# Authentication features removed - not applicable for this security system 
+
+# -----------------------------------------------------------------------------
+# BOT VERIFICATION
+# -----------------------------------------------------------------------------
+[BotVerification]
+# Enable comprehensive bot verification using IP ranges and DNS
+Enabled = true
+
+# Allow verified legitimate bots (Googlebot, Bingbot, etc.) to bypass WAF analysis
+# When true, verified bots get 90% threat score reduction
+AllowVerifiedBots = true
+
+# Block requests that claim to be bots but fail verification
+# When true, fake bot user agents get +50 threat score penalty
+BlockUnverifiedBots = true
+
+# Enable DNS verification (reverse DNS + forward DNS confirmation)
+EnableDNSVerification = true
+
+# Enable IP range verification using official bot IP ranges
+EnableIPRangeVerification = true
+
+# DNS lookup timeout
+DNSTimeout = "5s"
+
+# Minimum confidence score required to trust a bot (0.0-1.0)
+# Higher values = more strict verification
+MinimumConfidence = 0.8
+
+# Bot source definitions with user agent patterns and IP range sources
+[[BotVerification.BotSources]]
+name = "googlebot"
+userAgentPattern = "Googlebot/\\d+\\.\\d+"
+ipRangeURL = "https://developers.google.com/static/search/apis/ipranges/googlebot.json"
+dnsVerificationDomain = "googlebot.com"
+updateInterval = "24h"
+enabled = true
+
+[[BotVerification.BotSources]]
+name = "bingbot"
+userAgentPattern = "bingbot/\\d+\\.\\d+"
+ipRangeURL = "https://www.bing.com/toolbox/bingbot-ips.txt"
+dnsVerificationDomain = "search.msn.com"
+updateInterval = "24h"
+enabled = true
+
+[[BotVerification.BotSources]]
+name = "slurp"
+userAgentPattern = "Slurp"
+ipRangeURL = "https://help.yahoo.com/slurpbot-ips.txt"
+dnsVerificationDomain = "crawl.yahoo.net"
+updateInterval = "2d"
+enabled = false
+
+[[BotVerification.BotSources]]
+name = "duckduckbot"
+userAgentPattern = "DuckDuckBot/\\d+\\.\\d+"
+ipRangeURL = "https://duckduckgo.com/duckduckbot-ips.txt"
+updateInterval = "3d"
+enabled = false
+
+[[BotVerification.BotSources]]
+name = "facebookexternalhit"
+userAgentPattern = "facebookexternalhit/\\d+\\.\\d+"
+ipRangeURL = "https://developers.facebook.com/docs/sharing/webmasters/crawler-ips"
+dnsVerificationDomain = "facebook.com"
+updateInterval = "24h"
+enabled = false