# =============================================================================
# THREAT SCORING CONFIGURATION - EXAMPLE CONFIG
# =============================================================================
# Copy this file to threat-scoring.toml and customize for your environment
# All included threat signals are fully implemented and tested

[Core]
# Enable or disable threat scoring entirely
Enabled = true

# Enable detailed logging of scoring decisions (for debugging)
LogDetailedScores = false

[Thresholds]
# Score thresholds that determine the action taken for each request
# Scores are calculated from 0-100+ based on various threat signals

# Requests with scores <= AllowThreshold are allowed through immediately
AllowThreshold = 15   # Conservative - allows more legitimate traffic

# Requests with scores <= ChallengeThreshold receive a challenge (proof-of-work)
ChallengeThreshold = 80   # Much higher - blocking is absolute last resort

# Requests with scores > ChallengeThreshold are blocked
BlockThreshold = 100  # Truly malicious content (javascript:, <script>, etc.)

[Features]
# Enable/disable specific threat analysis features
EnableBotVerification = true   # Bot verification via DNS + IP ranges
EnableGeoAnalysis = true       # Geographic analysis based on GeoIP data
EnableBehaviorAnalysis = true  # Behavioral pattern analysis across requests
EnableContentAnalysis = true   # Content/WAF analysis for malicious payloads

# Signal weights for implemented threat detections
[SignalWeights]

# User-Agent Analysis
[SignalWeights.ATTACK_TOOL_UA]
weight = 30          # Risk score added for suspicious user agents
confidence = 0.75    # Confidence in this signal (0.0-1.0)

[SignalWeights.MISSING_UA]
weight = 10          # Risk score for missing user agent
confidence = 0.60    # Lower confidence for this signal

# Web Application Firewall Signals
[SignalWeights.SQL_INJECTION]
weight = 80          # Very high risk - increased from 60
confidence = 0.95    # High confidence in WAF detection

[SignalWeights.XSS_ATTEMPT]
weight = 85          # Extremely high risk - increased from 50
confidence = 0.95    # Very high confidence - XSS is critical

[SignalWeights.COMMAND_INJECTION]
weight = 95          # Extreme risk - increased from 65
confidence = 0.98    # Near certain malicious

[SignalWeights.PATH_TRAVERSAL]
weight = 70          # High risk - increased from 45
confidence = 0.90    # High confidence

# Enhanced Bot Scoring Configuration
[EnhancedBotScoring]
# Enhanced bot verification and scoring settings
Enabled = true

# Risk adjustment weights for verified bots (negative values reduce threat scores)
[EnhancedBotScoring.Weights]
baseVerificationWeight = 15      # Base weight for bot verification
ipRangeWeight = 20              # Weight for IP range verification
dnsWeight = 25                  # Weight for DNS verification
combinedWeight = 35             # Weight when both DNS + IP match
majorSearchEngineWeight = 10    # Additional weight for major search engines

# Confidence thresholds for trust level determination
[EnhancedBotScoring.Thresholds]
verifiedLevel = 0.9    # Threshold for verified bot (90% confidence)
highLevel = 0.8        # High confidence threshold  
mediumLevel = 0.7      # Medium confidence threshold
lowLevel = 0.5         # Low confidence threshold

# Maximum risk reduction that can be applied (prevents abuse)
maxRiskReduction = 50

# Cache TTL Settings
[Cache]
BotVerificationTTL = "1h"      # How long to cache bot verification results
IPScoreTTL = "30m"             # How long to cache IP threat scores
SessionBehaviorTTL = "2h"      # How long to cache session behavior data