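# =============================================================================
# BEHAVIORAL DETECTION CONFIGURATION - EXAMPLE
# =============================================================================
# Copy this file to behavioral-detection.toml and customize for your environment.
#
# Security notes for operators:
#  * Every rule here keys on the client IP. If the service sits behind a
#    reverse proxy or load balancer, confirm that the engine derives the
#    client address from a *trusted* forwarded-for chain; otherwise a client
#    can present a spoofed address (including the whitelisted loopback
#    addresses below) and sidestep every rule in this file.
#  * User-Agent is attacker-controlled. Anything keyed on it (see
#    [Whitelist].TrustedUserAgents) is a convenience, not a security control.
# =============================================================================

[Core]
# Enable or disable the behavioral detection engine
Enabled = true

# Operation mode: "detect" (log only) or "prevent" (actively block/rate limit).
# Run new deployments in "detect" first and review what would have fired;
# the thresholds below are examples and will lock out legitimate traffic
# on a busy site until tuned.
Mode = "prevent"

# Default time window for metrics (milliseconds)
DefaultTimeWindow = 300_000 # 5 minutes

# Maximum request history to keep per IP. This is a memory bound per tracked
# address; note that an attacker rotating through many addresses (e.g. an IPv6
# /64) spreads their history across many small buckets.
MaxHistoryPerIP = 1000

# Database cleanup interval (milliseconds)
CleanupInterval = 3_600_000 # 1 hour

# =============================================================================
# EXAMPLE DETECTION RULES
# =============================================================================
# Rule structure: one [[Rules]] entry, one or more [[Rules.Triggers]] that
# feed it, and a single [Rules.Action] applied when it fires.

[[Rules]]
Name = "404 Path Enumeration"
Type = "enumeration"
Severity = "medium"
Description = "Detects rapid 404 responses indicating directory/file scanning"

[[Rules.Triggers]]
Metric = "status_code_count"
StatusCode = 404
Threshold = 15
TimeWindow = 60_000 # 1 minute

[[Rules.Triggers]]
Metric = "unique_paths_by_status"
StatusCode = 404
Threshold = 10
TimeWindow = 60_000

[Rules.Action]
Score = 30
Tags = ["scanning", "enumeration", "reconnaissance"]
RateLimit = { Requests = 10, Window = 60_000 }
# No alert is raised for this rule: it only scores and rate-limits. Turn this
# on if 404 scanning should reach your on-call / SIEM pipeline.
Alert = false

# Authentication bruteforce rule intentionally omitted - not applicable for
# this security system. Add one here if the deployment exposes a login form.

[[Rules]]
Name = "API Endpoint Enumeration"
Type = "enumeration"
Severity = "medium"
Description = "Scanning for API endpoints"

[[Rules.Triggers]]
Metric = "unique_api_paths"
PathPrefix = "/api/"
Threshold = 20
TimeWindow = 60_000

[[Rules.Triggers]]
Metric = "mixed_http_methods"
PathPrefix = "/api/"
MinMethods = 3 # GET, POST, PUT, DELETE, etc.
TimeWindow = 60_000

[Rules.Action]
Score = 25
Tags = ["api_abuse", "enumeration"]
RateLimit = { Requests = 20, Window = 60_000 }

[[Rules]]
Name = "Velocity-Based Scanner"
Type = "scanning"
Severity = "medium"
Description = "High-speed request patterns typical of automated scanners"

[[Rules.Triggers]]
Metric = "request_velocity"
RequestsPerSecond = 10
Duration = 5000 # Sustained for 5 seconds

[[Rules.Triggers]]
Metric = "request_regularity"
MaxVariance = 0.1 # Very regular timing
MinRequests = 20

[Rules.Action]
Score = 35
Tags = ["automated_scanner", "bot"]
# Show CAPTCHA or similar (served from ChallengePageURL in [Responses]).
Challenge = true

[[Rules]]
Name = "Admin Interface Probing"
Type = "reconnaissance"
Severity = "medium"
Description = "Attempts to find admin interfaces"

[[Rules.Triggers]]
Metric = "path_status_combo"
# Literal (single-quoted) string so backslashes can be added to the regex
# later without double-escaping. "^/administrator" is already covered by
# "^/(wp-)?admin" and is kept only for readability. Whether matching is
# case-insensitive depends on the engine - confirm before relying on it to
# catch "/Admin".
PathPattern = '^/(wp-)?admin|^/administrator|^/manage|^/cpanel|^/phpmyadmin'
# 200 is included, so a legitimate administrator who hits /admin more than
# Threshold times in TimeWindow trips this rule too. Put admin source
# addresses in [Whitelist].TrustedIPs, or drop 200 from the list if you only
# want to catch probing of interfaces that do not exist.
StatusCodes = [200, 301, 302, 403, 404]
Threshold = 5
TimeWindow = 300_000

[Rules.Action]
Score = 25
Tags = ["admin_probe", "reconnaissance"]
RateLimit = { Requests = 5, Window = 300_000 }

# =============================================================================
# CORRELATION RULES EXAMPLES
# =============================================================================

[[Correlations]]
Name = "Rotating User-Agent Attack"
Description = "Same IP using multiple user agents rapidly"

[Correlations.Conditions]
# Several distinct User-Agent values from one address in a short window is a
# common evasion pattern; shared egress (corporate NAT, CGNAT) will also
# produce it, so this is scored rather than blocked outright.
Metric = "unique_user_agents_per_ip"
Threshold = 5
TimeWindow = 60_000

[Correlations.Action]
Score = 20
Tags = ["evasion", "user_agent_rotation"]

# =============================================================================
# BEHAVIORAL THRESHOLDS
# =============================================================================

[Thresholds]
# Minimum score to trigger any action. Every rule above scores 25-35, so a
# single rule firing already exceeds this and its action is applied on the
# first trigger (assuming scores are compared directly - confirm against the
# engine's scoring model before lowering rule scores).
MinActionScore = 20

# Score thresholds for different severity levels
LowSeverityThreshold = 20
MediumSeverityThreshold = 40
HighSeverityThreshold = 60
CriticalSeverityThreshold = 80

# =============================================================================
# WHITELISTING
# =============================================================================

[Whitelist]
# IPs that should never be blocked by behavioral rules. Keep this list short
# and reviewed: anything here is fully exempt from every rule above. Only add
# addresses you control (monitoring probes, admin bastions), and make sure the
# engine sees the real client address (see the proxy note at the top of this
# file) so that these entries cannot be impersonated.
TrustedIPs = [
    "127.0.0.1",
    "::1",
    # Add your monitoring service IPs here
]

# User agents to treat with lower sensitivity.
# WARNING: the User-Agent header is set by the client, so any scanner can
# claim to be "Googlebot" and inherit the reduced sensitivity. Treat this as
# a noise-reduction aid only. Search engines publish IP ranges / reverse-DNS
# verification for their crawlers; prefer that over the UA string where the
# engine supports it, and keep this list as small as possible. (Whether the
# engine matches these as substrings or exact values is not defined here -
# check before adding short or generic tokens.)
TrustedUserAgents = [
    "Googlebot",
    "bingbot",
    "Slackbot",
    "monitoring-bot",
]

# Paths where higher thresholds apply (health checks, crawlers, well-known
# endpoints). Do not list application endpoints here; it would blind the
# rules to scanning that targets them.
MonitoringPaths = [
    "/health",
    "/metrics",
    "/api/status",
    "/.well-known/",
    "/robots.txt",
    "/sitemap.xml",
]

# =============================================================================
# RESPONSE CUSTOMIZATION
# =============================================================================

[Responses]
# Custom block message (can include HTML). Keep it static: if the engine
# renders this as HTML, any request-derived value placed here (IP, path,
# User-Agent) would be reflected to the client unescaped. Avoid revealing
# which rule fired - that helps an attacker tune around it.
BlockMessage = """
Your access has been restricted due to suspicious activity.
If you believe this is an error, please contact support.
"""

# Rate limit message
RateLimitMessage = "Rate limit exceeded. Please slow down your requests."

# Challenge page URL (for CAPTCHA/verification). If the engine counts
# requests to this page and its assets toward the rules above, a challenged
# client can be rate-limited while trying to pass the challenge; consider
# adding it to MonitoringPaths in that case.
ChallengePageURL = "/verify"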