# =============================================================================
# BEHAVIORAL DETECTION CONFIGURATION - EXAMPLE
# =============================================================================
# Copy this file to behavioral-detection.toml and customize for your environment
# =============================================================================
# Structure: [Core] engine settings, one or more [[Rules]] (each with its own
# [[Rules.Triggers]] and [Rules.Action]), [[Correlations]], score [Thresholds],
# a [Whitelist], and the [Responses] served to blocked/challenged clients.
# Time windows, durations and intervals are in milliseconds (see the inline
# conversions, e.g. 60000 = 1 minute).

[Core]
# Enable or disable the behavioral detection engine
Enabled = true

# Operation mode: "detect" (log only) or "prevent" (actively block/rate limit)
# In "prevent" the per-rule actions below (RateLimit, Challenge) are enforced.
# On a fresh deployment it is worth running in "detect" first to baseline
# false positives before switching to "prevent".
Mode = "prevent"

# Default time window for metrics (milliseconds)
# Used when a trigger does not set its own TimeWindow (presumably — every
# example trigger below sets one explicitly, so confirm with the engine).
DefaultTimeWindow = 300000 # 5 minutes

# Maximum request history to keep per IP
# Bounds memory per source; a window larger than the history can hold will
# see fewer requests than actually arrived.
MaxHistoryPerIP = 1000

# Database cleanup interval (milliseconds)
CleanupInterval = 3600000 # 1 hour

# =============================================================================
# EXAMPLE DETECTION RULES
# =============================================================================
# Each rule lists one or more triggers and exactly one action. Whether all
# triggers must fire, or any single one suffices, is not stated in this file —
# confirm the engine's semantics before relying on a multi-trigger rule.

[[Rules]]
Name = "404 Path Enumeration"
Type = "enumeration"
Severity = "medium"
Description = "Detects rapid 404 responses indicating directory/file scanning"

# Volume trigger: 15 or more 404s from one source within a minute.
[[Rules.Triggers]]
Metric = "status_code_count"
StatusCode = 404
Threshold = 15
TimeWindow = 60000 # 1 minute

# Breadth trigger: 10 or more distinct paths returning 404 within a minute.
# Distinguishes scanning from a client repeatedly hitting one broken link.
[[Rules.Triggers]]
Metric = "unique_paths_by_status"
StatusCode = 404
Threshold = 10
TimeWindow = 60000

[Rules.Action]
Score = 30
Tags = ["scanning", "enumeration", "reconnaissance"]
# Presumably 10 requests per 60 s once the rule has fired — confirm units.
RateLimit = { Requests = 10, Window = 60000 }
# This rule only rate limits; it raises no alert. The other example rules do
# not set Alert at all — confirm the engine default before assuming they alert.
Alert = false

# Authentication bruteforce rule removed - not applicable for this security system

[[Rules]]
Name = "API Endpoint Enumeration"
Type = "enumeration"
Severity = "medium"
Description = "Scanning for API endpoints"

# 20 or more distinct paths under /api/ from one source within a minute.
[[Rules.Triggers]]
Metric = "unique_api_paths"
PathPrefix = "/api/"
Threshold = 20
TimeWindow = 60000

# Same source using 3 or more HTTP methods under /api/ within a minute;
# legitimate clients of a given endpoint rarely cycle through methods.
[[Rules.Triggers]]
Metric = "mixed_http_methods"
PathPrefix = "/api/"
MinMethods = 3 # GET, POST, PUT, DELETE, etc.
TimeWindow = 60000

[Rules.Action]
Score = 25
Tags = ["api_abuse", "enumeration"]
RateLimit = { Requests = 20, Window = 60000 }

[[Rules]]
Name = "Velocity-Based Scanner"
Type = "scanning"
Severity = "medium"
Description = "High-speed request patterns typical of automated scanners"

# Sustained rate: at least 10 req/s held for 5 s (not a single burst).
[[Rules.Triggers]]
Metric = "request_velocity"
RequestsPerSecond = 10
Duration = 5000 # Sustained for 5 seconds

# Timing regularity: humans and browsers produce jittery inter-request gaps;
# a near-constant interval over 20+ requests suggests a scripted loop.
[[Rules.Triggers]]
Metric = "request_regularity"
MaxVariance = 0.1 # Very regular timing
MinRequests = 20

[Rules.Action]
Score = 35
Tags = ["automated_scanner", "bot"]
# Challenges rather than blocks, so a misclassified real user can recover.
# The challenge is served from Responses.ChallengePageURL below.
Challenge = true # Show CAPTCHA or similar

[[Rules]]
Name = "Admin Interface Probing"
Type = "reconnaissance"
Severity = "medium"
Description = "Attempts to find admin interfaces"

# Regular expression matched against the request path; every alternative is
# anchored with ^ so only the leading path segment is considered.
# StatusCodes includes 403 and 404 as well as 2xx/3xx, so probes are scored
# whether or not the interface actually exists on this host.
[[Rules.Triggers]]
Metric = "path_status_combo"
PathPattern = "^/(wp-)?admin|^/administrator|^/manage|^/cpanel|^/phpmyadmin"
StatusCodes = [200, 301, 302, 403, 404]
Threshold = 5
TimeWindow = 300000

[Rules.Action]
Score = 25
Tags = ["admin_probe", "reconnaissance"]
RateLimit = { Requests = 5, Window = 300000 }

# =============================================================================
# CORRELATION RULES EXAMPLES
# =============================================================================
# Unlike [[Rules]], a correlation has a single [Correlations.Conditions] table
# rather than an array of triggers.

[[Correlations]]
Name = "Rotating User-Agent Attack"
Description = "Same IP using multiple user agents rapidly"

# Counts distinct User-Agent values seen from one source IP within the window.
[Correlations.Conditions]
Metric = "unique_user_agents_per_ip"
Threshold = 5
TimeWindow = 60000

[Correlations.Action]
Score = 20
Tags = ["evasion", "user_agent_rotation"]

# =============================================================================
# BEHAVIORAL THRESHOLDS
# =============================================================================

[Thresholds]
# Minimum score to trigger any action
# Every example action above scores 20–35, so each one is actionable on its own.
# NOTE(review): whether scores from several rules accumulate per IP, and over
# what window, is not stated here — confirm before tuning these values.
MinActionScore = 20

# Score thresholds for different severity levels
LowSeverityThreshold = 20
MediumSeverityThreshold = 40
HighSeverityThreshold = 60
CriticalSeverityThreshold = 80

# =============================================================================
# WHITELISTING
# =============================================================================

[Whitelist]
# IPs that should never be blocked by behavioral rules
# Entries bypass the rules entirely, so keep the list short and specific.
# If the engine derives the client IP from a forwarded header (X-Forwarded-For
# or similar), that header must only be honoured from trusted proxies;
# otherwise a client could present a whitelisted address. Confirm how the
# client IP is resolved before adding anything beyond loopback.
TrustedIPs = [
"127.0.0.1",
"::1"
# Add your monitoring service IPs here
]

# User agents to treat with lower sensitivity
# User-Agent is a client-supplied header and can be set to any value, so a
# name match alone grants the same leniency to anyone who sends that string.
# Treat this as a false-positive reducer, not a bypass: verify well-known
# crawlers by their published IP ranges / reverse DNS where possible, and keep
# the list minimal. Whether matching is exact or substring is not stated here.
TrustedUserAgents = [
"Googlebot",
"bingbot",
"Slackbot",
"monitoring-bot"
]

# Paths where higher thresholds apply
# Reduces noise from health checks, crawlers and uptime monitors. Requests
# under these paths are scrutinised less, so limit the list to endpoints that
# genuinely receive benign high-frequency traffic.
# NOTE(review): "/.well-known/" is written as a prefix while the others look
# like exact paths — confirm whether entries are prefix or exact matches.
MonitoringPaths = [
"/health",
"/metrics",
"/api/status",
"/.well-known/",
"/robots.txt",
"/sitemap.xml"
]

# =============================================================================
# RESPONSE CUSTOMIZATION
# =============================================================================

[Responses]
# Custom block message (can include HTML)
# Rendered as the body of a blocked response. Keep it static: do not template
# request data (path, source IP, User-Agent) into it, or the engine would
# reflect client-controlled input back as HTML.
BlockMessage = """
<html>
<head><title>Access Denied</title></head>
<body>
<h1>Access Denied</h1>
<p>Your access has been restricted due to suspicious activity.</p>
<p>If you believe this is an error, please contact support.</p>
</body>
</html>
"""

# Rate limit message
# Returned when a rule's RateLimit is being enforced.
RateLimitMessage = "Rate limit exceeded. Please slow down your requests."

# Challenge page URL (for CAPTCHA/verification)
# Presumably where clients are sent when a rule sets Challenge = true. Make
# sure this path does not itself match any rule above (e.g. list it under
# MonitoringPaths) so challenge traffic cannot trip a second rule.
ChallengePageURL = "/verify"