# =============================================================================
# WEB APPLICATION FIREWALL (WAF) CONFIGURATION - EXAMPLE
# =============================================================================
# Copy this file to waf.toml and customize for your environment
# =============================================================================

# -----------------------------------------------------------------------------
# CORE SETTINGS
# -----------------------------------------------------------------------------
[Core]
# Enable or disable the WAF entirely
Enabled = true

# Log all WAF detections (even if not blocked)
LogAllDetections = true

# Maximum request body size to analyze (in bytes)
MaxBodySize = 10485760  # 10MB

# WAF operation mode: "detect" or "prevent"
# detect = log only, prevent = actively block
Mode = "prevent"

# -----------------------------------------------------------------------------
# DETECTION SETTINGS
# -----------------------------------------------------------------------------
[Detection]
# Enable specific attack detection categories
SQLInjection = true
XSS = true
CommandInjection = true
PathTraversal = true
LFI_RFI = true
NoSQLInjection = true
XXE = true
LDAPInjection = true
SSRF = true
XMLRPCAttacks = true

# Sensitivity levels: low, medium, high
Sensitivity = "medium"

# Paranoia level (1-4)
ParanoiaLevel = 2

# -----------------------------------------------------------------------------
# SCORING CONFIGURATION
# -----------------------------------------------------------------------------
[Scoring]
# Base scores for each attack type - significantly increased for aggressive detection
SQLInjection = 80       # Increased from 35
XSS = 90               # Increased from 30 - XSS is extremely dangerous
CommandInjection = 100  # Increased from 40 - most dangerous
PathTraversal = 70      # Increased from 25
LFI_RFI = 80           # Increased from 35
NoSQLInjection = 60     # Increased from 30
XXE = 80               # Increased from 35
LDAPInjection = 50      # Increased from 30
SSRF = 75              # Increased from 35
XMLRPCAttacks = 45      # Increased from 25

# Score modifiers based on confidence
HighConfidenceMultiplier = 1.2
MediumConfidenceMultiplier = 1.0
LowConfidenceMultiplier = 0.8

# -----------------------------------------------------------------------------
# RATE LIMITING
# -----------------------------------------------------------------------------
[RateLimit]
# Maximum WAF detections per IP in the time window
MaxDetectionsPerIP = 5    # More aggressive - reduced from 10

# Time window for rate limiting (in seconds)
TimeWindow = 600  # 10 minutes - increased window

# Action when rate limit exceeded: "block" or "challenge"
RateLimitAction = "block"   # Changed from challenge to block

# Decay factor for repeated offenses
DecayFactor = 0.8   # More aggressive decay

# -----------------------------------------------------------------------------
# ADVANCED DETECTION
# -----------------------------------------------------------------------------
[Advanced]
# Enable machine learning-based detection
MLDetection = false

# Enable payload deobfuscation
Deobfuscation = true
MaxDeobfuscationLevels = 3

# Enable response analysis (detect info leakage)
ResponseAnalysis = true

# Enable timing attack detection
TimingAnalysis = false

# -----------------------------------------------------------------------------
# CUSTOM RULES EXAMPLES
# -----------------------------------------------------------------------------

[[CustomRules]]
Name = "WordPress Admin Probe"
Pattern = "(?i)/wp-admin/(admin-ajax\\.php|post\\.php)"
Category = "reconnaissance"
Score = 15
Enabled = true
Action = "log"
Field = "uri_path"

[[CustomRules]]
Name = "Block Headless Browsers"
Field = "user_agent"
Pattern = "(?i)HeadlessChrome/"
Category = "bad_bot"
Score = 100
Enabled = true
Action = "block"

# Example of blocking specific paths on specific hosts
[[CustomRules]]
Name = "Block Setup Endpoint"
Field = "uri_path"
Pattern = "(?i)/setup"
Category = "access_control"
Score = 100
Enabled = false  # Disabled by default
Action = "block"
Hosts = ["example.com"]

# Example of chained conditions (both must match)
[[CustomRules]]
Name = "Chained Demo Rule"
Category = "demo"
Score = 25
Enabled = false  # Disabled by default
Action = "block"

[[CustomRules.Conditions]]
Field = "uri_query"
Pattern = "(?i)debug=true"

[[CustomRules.Conditions]]
Field = "user_agent"
Pattern = "(?i)curl"

# Block javascript: protocol in any part of the URL - CRITICAL
[[CustomRules]]
Name = "Block JavaScript Protocol"
Field = "uri"
Pattern = "(?i)javascript:"
Category = "xss"
Score = 100
Enabled = true
Action = "block"

# Block dangerous data: URLs
[[CustomRules]]
Name = "Block Data URL XSS"
Field = "uri"
Pattern = "(?i)data:.*text/html"
Category = "xss"
Score = 100
Enabled = true
Action = "block"

# Block data: URLs with JavaScript
[[CustomRules]]
Name = "Block Data URL JavaScript"
Field = "uri"
Pattern = "(?i)data:.*javascript"
Category = "xss"
Score = 100
Enabled = true
Action = "block"

# Block vbscript: protocol
[[CustomRules]]
Name = "Block VBScript Protocol"
Field = "uri"
Pattern = "(?i)vbscript:"
Category = "xss"
Score = 100
Enabled = true
Action = "block"

# Block any script tags in URL parameters
[[CustomRules]]
Name = "Block Script Tags in Query"
Field = "uri_query"
Pattern = "(?i)<script"
Category = "xss"
Score = 100
Enabled = true
Action = "block"

# Block SQL injection keywords in query
[[CustomRules]]
Name = "Block SQL Keywords"
Field = "uri_query"
Pattern = "(?i)(union.*select|insert.*into|delete.*from|drop.*table)"
Category = "sql_injection"
Score = 100
Enabled = true
Action = "block"

# -----------------------------------------------------------------------------
# WHITELIST / EXCEPTIONS
# -----------------------------------------------------------------------------
[Exceptions]
# Paths to exclude from WAF analysis
ExcludedPaths = [
  "/api/upload",
  "/static/",
  "/assets/",
  "/health",
  "/metrics"
]

# Parameter names to exclude from analysis
ExcludedParameters = [
  "utm_source",
  "utm_medium",
  "utm_campaign",
  "ref",
  "callback"
]

# Known good User-Agents to reduce false positives
TrustedUserAgents = [
  "GoogleBot",
  "BingBot",
  "monitoring-system"
]

# IP addresses to exclude from WAF analysis
TrustedIPs = [
  "127.0.0.1",
  "::1"
]

# Content types to skip
SkipContentTypes = [
  "image/",
  "video/",
  "audio/",
  "font/",
  "application/pdf"
]

# -----------------------------------------------------------------------------
# FALSE POSITIVE REDUCTION
# -----------------------------------------------------------------------------
[FalsePositive]
# Common false positive patterns to ignore
IgnorePatterns = [
  # Legitimate base64 in JSON (e.g., image data)
  "\"data:image\\/[^;]+;base64,",
  # Markdown code blocks
  "```[a-z]*\\n",
  # Common API tokens (not actual secrets)
  "token=[a-f0-9]{32}",
  # Timestamps
  "\\d{10,13}"
]

# Context-aware detection
ContextualDetection = true

# Authentication features removed - not applicable for this security system 

# -----------------------------------------------------------------------------
# BOT VERIFICATION
# -----------------------------------------------------------------------------
[BotVerification]
# Enable comprehensive bot verification using IP ranges and DNS
Enabled = true

# Allow verified legitimate bots (Googlebot, Bingbot, etc.) to bypass WAF analysis
# When true, verified bots get 90% threat score reduction
AllowVerifiedBots = true

# Block requests that claim to be bots but fail verification
# When true, fake bot user agents get +50 threat score penalty
BlockUnverifiedBots = true

# Enable DNS verification (reverse DNS + forward DNS confirmation)
EnableDNSVerification = true

# Enable IP range verification using official bot IP ranges
EnableIPRangeVerification = true

# DNS lookup timeout
DNSTimeout = "5s"

# Minimum confidence score required to trust a bot (0.0-1.0)
# Higher values = more strict verification
MinimumConfidence = 0.8

# Bot source definitions with user agent patterns and IP range sources
[[BotVerification.BotSources]]
name = "googlebot"
userAgentPattern = "Googlebot/\\d+\\.\\d+"
ipRangeURL = "https://developers.google.com/static/search/apis/ipranges/googlebot.json"
dnsVerificationDomain = "googlebot.com"
updateInterval = "24h"
enabled = true

[[BotVerification.BotSources]]
name = "bingbot"
userAgentPattern = "bingbot/\\d+\\.\\d+"
ipRangeURL = "https://www.bing.com/toolbox/bingbot-ips.txt"
dnsVerificationDomain = "search.msn.com"
updateInterval = "24h"
enabled = true

[[BotVerification.BotSources]]
name = "slurp"
userAgentPattern = "Slurp"
ipRangeURL = "https://help.yahoo.com/slurpbot-ips.txt"
dnsVerificationDomain = "crawl.yahoo.net"
updateInterval = "2d"
enabled = false

[[BotVerification.BotSources]]
name = "duckduckbot"
userAgentPattern = "DuckDuckBot/\\d+\\.\\d+"
ipRangeURL = "https://duckduckgo.com/duckduckbot-ips.txt"
updateInterval = "3d"
enabled = false

[[BotVerification.BotSources]]
name = "facebookexternalhit"
userAgentPattern = "facebookexternalhit/\\d+\\.\\d+"
ipRangeURL = "https://developers.facebook.com/docs/sharing/webmasters/crawler-ips"
dnsVerificationDomain = "facebook.com"
updateInterval = "24h"
enabled = false