Initial commit of massive v2 rewrite

config/threat-scoring.toml.example

@@ -0,0 +1,90 @@
+# =============================================================================
+# THREAT SCORING CONFIGURATION - EXAMPLE CONFIG
+# =============================================================================
+# Copy this file to threat-scoring.toml and customize for your environment
+# All included threat signals are fully implemented and tested
+
+[Core]
+# Enable or disable threat scoring entirely
+Enabled = true
+
+# Enable detailed logging of scoring decisions (for debugging)
+LogDetailedScores = false
+
+[Thresholds]
+# Score thresholds that determine the action taken for each request
+# Scores are calculated from 0-100+ based on various threat signals
+
+# Requests with scores <= AllowThreshold are allowed through immediately
+AllowThreshold = 15   # Conservative - allows more legitimate traffic
+
+# Requests with scores <= ChallengeThreshold receive a challenge (proof-of-work)
+ChallengeThreshold = 80   # Much higher - blocking is absolute last resort
+
+# Requests with scores > ChallengeThreshold are blocked
+BlockThreshold = 100  # Truly malicious content (javascript:, <script>, etc.)
+
+[Features]
+# Enable/disable specific threat analysis features
+EnableBotVerification = true   # Bot verification via DNS + IP ranges
+EnableGeoAnalysis = true       # Geographic analysis based on GeoIP data
+EnableBehaviorAnalysis = true  # Behavioral pattern analysis across requests
+EnableContentAnalysis = true   # Content/WAF analysis for malicious payloads
+
+# Signal weights for implemented threat detections
+[SignalWeights]
+
+# User-Agent Analysis
+[SignalWeights.ATTACK_TOOL_UA]
+weight = 30          # Risk score added for suspicious user agents
+confidence = 0.75    # Confidence in this signal (0.0-1.0)
+
+[SignalWeights.MISSING_UA]
+weight = 10          # Risk score for missing user agent
+confidence = 0.60    # Lower confidence for this signal
+
+# Web Application Firewall Signals
+[SignalWeights.SQL_INJECTION]
+weight = 80          # Very high risk - increased from 60
+confidence = 0.95    # High confidence in WAF detection
+
+[SignalWeights.XSS_ATTEMPT]
+weight = 85          # Extremely high risk - increased from 50
+confidence = 0.95    # Very high confidence - XSS is critical
+
+[SignalWeights.COMMAND_INJECTION]
+weight = 95          # Extreme risk - increased from 65
+confidence = 0.98    # Near certain malicious
+
+[SignalWeights.PATH_TRAVERSAL]
+weight = 70          # High risk - increased from 45
+confidence = 0.90    # High confidence
+
+# Enhanced Bot Scoring Configuration
+[EnhancedBotScoring]
+# Enhanced bot verification and scoring settings
+Enabled = true
+
+# Risk adjustment weights for verified bots (negative values reduce threat scores)
+[EnhancedBotScoring.Weights]
+baseVerificationWeight = 15      # Base weight for bot verification
+ipRangeWeight = 20              # Weight for IP range verification
+dnsWeight = 25                  # Weight for DNS verification
+combinedWeight = 35             # Weight when both DNS + IP match
+majorSearchEngineWeight = 10    # Additional weight for major search engines
+
+# Confidence thresholds for trust level determination
+[EnhancedBotScoring.Thresholds]
+verifiedLevel = 0.9    # Threshold for verified bot (90% confidence)
+highLevel = 0.8        # High confidence threshold  
+mediumLevel = 0.7      # Medium confidence threshold
+lowLevel = 0.5         # Low confidence threshold
+
+# Maximum risk reduction that can be applied (prevents abuse)
+maxRiskReduction = 50
+
+# Cache TTL Settings
+[Cache]
+BotVerificationTTL = "1h"      # How long to cache bot verification results
+IPScoreTTL = "30m"             # How long to cache IP threat scores
+SessionBehaviorTTL = "2h"      # How long to cache session behavior data