# =============================================================================
# THREAT SCORING CONFIGURATION - EXAMPLE CONFIG
# =============================================================================
# Copy this file to threat-scoring.toml and customize for your environment
# All included threat signals are fully implemented and tested
#
# Format: TOML. Text after '#' on a value line is a comment, not part of the
# value. Dotted headers such as [SignalWeights.SQL_INJECTION] are sub-tables.

[Core]
# Enable or disable threat scoring entirely
# When false, none of the thresholds or signals below take effect
Enabled = true

# Enable detailed logging of scoring decisions (for debugging)
# Presumably emits a per-signal breakdown for every request; confirm what is
# written before enabling this where logs are retained or shared.
LogDetailedScores = false

[Thresholds]
# Score thresholds that determine the action taken for each request
# Scores are calculated from 0-100+ based on various threat signals
# Actions escalate allow -> challenge -> block. The allow and challenge
# comparisons are "<=", so a score exactly equal to a threshold receives the
# less severe action.

# Requests with scores <= AllowThreshold are allowed through immediately
AllowThreshold = 15 # Conservative - allows more legitimate traffic

# Requests with scores <= ChallengeThreshold receive a challenge (proof-of-work)
ChallengeThreshold = 80 # Much higher - blocking is absolute last resort

# Requests with scores > ChallengeThreshold are blocked
# NOTE(review): BlockThreshold is set separately below, but the comments above
# describe blocking purely in terms of ChallengeThreshold. Confirm in the
# scoring code which threshold actually triggers a block; with these values a
# score between 81 and 99 is described differently by the two comments.
BlockThreshold = 100 # Truly malicious content (javascript:, <script>, etc.)

[Features]
# Enable/disable specific threat analysis features
# Disabling a feature presumably stops its signals contributing to the score
# (e.g. EnableContentAnalysis would gate the WAF signals under [SignalWeights])
# - confirm against the scoring code.
EnableBotVerification = true # Bot verification via DNS + IP ranges
EnableGeoAnalysis = true # Geographic analysis based on GeoIP data
EnableBehaviorAnalysis = true # Behavioral pattern analysis across requests
EnableContentAnalysis = true # Content/WAF analysis for malicious payloads

# Signal weights for implemented threat detections
# Each sub-table carries:
#   weight     - risk score the signal adds, on the same 0-100+ scale used by
#                [Thresholds]
#   confidence - 0.0-1.0, how much the signal is trusted. Whether the code
#                scales weight by confidence (e.g. 80 * 0.95) or applies it
#                separately is not visible here - TODO confirm.
# Tuning note: if the raw weight is what gets added, a single signal with
# weight <= ChallengeThreshold (80) can only produce a challenge on its own
# (SQL_INJECTION = 80, PATH_TRAVERSAL = 70); a block then needs additional
# signals or a higher weight. That matches the "blocking is absolute last
# resort" intent above - adjust deliberately if you want a lone WAF hit to block.
[SignalWeights]

# User-Agent Analysis
[SignalWeights.ATTACK_TOOL_UA]
weight = 30 # Risk score added for suspicious user agents
confidence = 0.75 # Confidence in this signal (0.0-1.0)

[SignalWeights.MISSING_UA]
weight = 10 # Risk score for missing user agent
confidence = 0.60 # Lower confidence for this signal

# Web Application Firewall Signals
# The "increased from N" remarks record a past retuning, not a valid range.
[SignalWeights.SQL_INJECTION]
weight = 80 # Very high risk - increased from 60
confidence = 0.95 # High confidence in WAF detection

[SignalWeights.XSS_ATTEMPT]
weight = 85 # Extremely high risk - increased from 50
confidence = 0.95 # Very high confidence - XSS is critical

[SignalWeights.COMMAND_INJECTION]
weight = 95 # Extreme risk - increased from 65
confidence = 0.98 # Near certain malicious

[SignalWeights.PATH_TRAVERSAL]
weight = 70 # High risk - increased from 45
confidence = 0.90 # High confidence

# Enhanced Bot Scoring Configuration
[EnhancedBotScoring]
# Enhanced bot verification and scoring settings
# Presumably only meaningful when [Features].EnableBotVerification is also
# true - TODO confirm.
Enabled = true

# Risk adjustment weights for verified bots (negative values reduce threat scores)
# NOTE(review): the comment above says negative values reduce the score, yet
# every value here is positive. Confirm whether the code subtracts these as
# given (so 35 means "reduce by 35") or expects the sign to be carried in the
# value; in the latter case these positive values would raise scores for
# verified bots rather than lower them.
[EnhancedBotScoring.Weights]
baseVerificationWeight = 15 # Base weight for bot verification
ipRangeWeight = 20 # Weight for IP range verification
dnsWeight = 25 # Weight for DNS verification
combinedWeight = 35 # Weight when both DNS + IP match
majorSearchEngineWeight = 10 # Additional weight for major search engines

# Confidence thresholds for trust level determination
# Listed from most to least trusted; keep them strictly descending so each
# confidence value maps to exactly one level.
[EnhancedBotScoring.Thresholds]
verifiedLevel = 0.9 # Threshold for verified bot (90% confidence)
highLevel = 0.8 # High confidence threshold
mediumLevel = 0.7 # Medium confidence threshold
lowLevel = 0.5 # Low confidence threshold

# Maximum risk reduction that can be applied (prevents abuse)
# Intended to cap the total reduction a verified-bot identity can earn, so
# that passing bot verification alone cannot cancel out a strong WAF signal
# (50 here is below every WAF weight above).
# NOTE(review): because the [EnhancedBotScoring.Thresholds] header is still
# open, TOML places this key at EnhancedBotScoring.Thresholds.maxRiskReduction.
# If the loader reads EnhancedBotScoring.maxRiskReduction instead, move this
# line up to directly after "Enabled = true" in [EnhancedBotScoring].
maxRiskReduction = 50

# Cache TTL Settings
# Durations are strings in the form shown ("1h", "30m"); confirm the exact
# syntax the loader accepts before using other units. A longer TTL keeps a
# cached verdict (trusted bot, low IP score) in force for that whole window;
# a shorter one re-evaluates sooner at the cost of more lookups.
[Cache]
BotVerificationTTL = "1h" # How long to cache bot verification results
IPScoreTTL = "30m" # How long to cache IP threat scores
SessionBehaviorTTL = "2h" # How long to cache session behavior data