Initial commit of massive v2 rewrite

2025-08-02 14:26:52 -05:00 · 2025-08-02 14:26:52 -05:00 · dc120fe78a
commit dc120fe78a
parent 1025f3b523
55 changed files with 21733 additions and 0 deletions
--- a/config/behavioral-detection.toml.example
+++ b/config/behavioral-detection.toml.example
@ -0,0 +1,197 @@
+# =============================================================================
+# BEHAVIORAL DETECTION CONFIGURATION - EXAMPLE
+# =============================================================================
+# Copy this file to behavioral-detection.toml and customize for your environment
+# =============================================================================
+
+[Core]
+# Enable or disable the behavioral detection engine
+Enabled = true
+
+# Operation mode: "detect" (log only) or "prevent" (actively block/rate limit)
+Mode = "prevent"
+
+# Default time window for metrics (milliseconds)
+DefaultTimeWindow = 300000  # 5 minutes
+
+# Maximum request history to keep per IP
+MaxHistoryPerIP = 1000
+
+# Database cleanup interval (milliseconds)
+CleanupInterval = 3600000  # 1 hour
+
+# =============================================================================
+# EXAMPLE DETECTION RULES
+# =============================================================================
+
+[[Rules]]
+Name = "404 Path Enumeration"
+Type = "enumeration"
+Severity = "medium"
+Description = "Detects rapid 404 responses indicating directory/file scanning"
+
+  [[Rules.Triggers]]
+  Metric = "status_code_count"
+  StatusCode = 404
+  Threshold = 15
+  TimeWindow = 60000  # 1 minute
+
+  [[Rules.Triggers]]  
+  Metric = "unique_paths_by_status"
+  StatusCode = 404
+  Threshold = 10
+  TimeWindow = 60000
+
+  [Rules.Action]
+  Score = 30
+  Tags = ["scanning", "enumeration", "reconnaissance"]
+  RateLimit = { Requests = 10, Window = 60000 }
+  Alert = false
+
+# Authentication bruteforce rule removed - not applicable for this security system
+
+[[Rules]]
+Name = "API Endpoint Enumeration"
+Type = "enumeration"
+Severity = "medium"
+Description = "Scanning for API endpoints"
+
+  [[Rules.Triggers]]
+  Metric = "unique_api_paths"
+  PathPrefix = "/api/"
+  Threshold = 20
+  TimeWindow = 60000
+  
+  [[Rules.Triggers]]
+  Metric = "mixed_http_methods"
+  PathPrefix = "/api/"
+  MinMethods = 3  # GET, POST, PUT, DELETE, etc.
+  TimeWindow = 60000
+
+  [Rules.Action]
+  Score = 25
+  Tags = ["api_abuse", "enumeration"]
+  RateLimit = { Requests = 20, Window = 60000 }
+
+[[Rules]]
+Name = "Velocity-Based Scanner"
+Type = "scanning"
+Severity = "medium"
+Description = "High-speed request patterns typical of automated scanners"
+
+  [[Rules.Triggers]]
+  Metric = "request_velocity"
+  RequestsPerSecond = 10
+  Duration = 5000  # Sustained for 5 seconds
+  
+  [[Rules.Triggers]]
+  Metric = "request_regularity"
+  MaxVariance = 0.1  # Very regular timing
+  MinRequests = 20
+
+  [Rules.Action]
+  Score = 35
+  Tags = ["automated_scanner", "bot"]
+  Challenge = true  # Show CAPTCHA or similar
+
+[[Rules]]
+Name = "Admin Interface Probing"
+Type = "reconnaissance"
+Severity = "medium"
+Description = "Attempts to find admin interfaces"
+
+  [[Rules.Triggers]]
+  Metric = "path_status_combo"
+  PathPattern = "^/(wp-)?admin|^/administrator|^/manage|^/cpanel|^/phpmyadmin"
+  StatusCodes = [200, 301, 302, 403, 404]
+  Threshold = 5
+  TimeWindow = 300000
+
+  [Rules.Action]
+  Score = 25
+  Tags = ["admin_probe", "reconnaissance"]
+  RateLimit = { Requests = 5, Window = 300000 }
+
+# =============================================================================
+# CORRELATION RULES EXAMPLES
+# =============================================================================
+
+[[Correlations]]
+Name = "Rotating User-Agent Attack"
+Description = "Same IP using multiple user agents rapidly"
+
+  [Correlations.Conditions]
+  Metric = "unique_user_agents_per_ip"
+  Threshold = 5
+  TimeWindow = 60000
+
+  [Correlations.Action]
+  Score = 20
+  Tags = ["evasion", "user_agent_rotation"]
+
+# =============================================================================
+# BEHAVIORAL THRESHOLDS
+# =============================================================================
+
+[Thresholds]
+# Minimum score to trigger any action
+MinActionScore = 20
+
+# Score thresholds for different severity levels
+LowSeverityThreshold = 20
+MediumSeverityThreshold = 40
+HighSeverityThreshold = 60
+CriticalSeverityThreshold = 80
+
+# =============================================================================
+# WHITELISTING
+# =============================================================================
+
+[Whitelist]
+# IPs that should never be blocked by behavioral rules
+TrustedIPs = [
+  "127.0.0.1",
+  "::1"
+  # Add your monitoring service IPs here
+]
+
+# User agents to treat with lower sensitivity
+TrustedUserAgents = [
+  "Googlebot",
+  "bingbot", 
+  "Slackbot",
+  "monitoring-bot"
+]
+
+# Paths where higher thresholds apply
+MonitoringPaths = [
+  "/health",
+  "/metrics", 
+  "/api/status",
+  "/.well-known/",
+  "/robots.txt",
+  "/sitemap.xml"
+]
+
+# =============================================================================
+# RESPONSE CUSTOMIZATION
+# =============================================================================
+
+[Responses]
+# Custom block message (can include HTML)
+BlockMessage = """
+<html>
+<head><title>Access Denied</title></head>
+<body>
+<h1>Access Denied</h1>
+<p>Your access has been restricted due to suspicious activity.</p>
+<p>If you believe this is an error, please contact support.</p>
+</body>
+</html>
+"""
+
+# Rate limit message
+RateLimitMessage = "Rate limit exceeded. Please slow down your requests."
+
+# Challenge page URL (for CAPTCHA/verification)
+ChallengePageURL = "/verify"