Caileb/Checkpoint
1
0
Fork 0
Code Issues Pull requests Wiki Activity
Checkpoint/config/waf.toml.example

340 lines
No EOL
9.1 KiB
Text
Raw Blame History

# =============================================================================
# WEB APPLICATION FIREWALL (WAF) CONFIGURATION - EXAMPLE
# =============================================================================
# Copy this file to waf.toml and customize for your environment
# =============================================================================
# -----------------------------------------------------------------------------
# CORE SETTINGS
# -----------------------------------------------------------------------------
[Core]
# Enable or disable the WAF entirely
Enabled = true
# Log all WAF detections (even if not blocked)
LogAllDetections = true
# Maximum request body size to analyze (in bytes)
MaxBodySize = 10485760 # 10MB
# WAF operation mode: "detect" or "prevent"
# detect = log only, prevent = actively block
Mode = "prevent"
# -----------------------------------------------------------------------------
# DETECTION SETTINGS
# -----------------------------------------------------------------------------
[Detection]
# Enable specific attack detection categories
SQLInjection = true
XSS = true
CommandInjection = true
PathTraversal = true
LFI_RFI = true
NoSQLInjection = true
XXE = true
LDAPInjection = true
SSRF = true
XMLRPCAttacks = true
# Sensitivity levels: low, medium, high
Sensitivity = "medium"
# Paranoia level (1-4)
ParanoiaLevel = 2
# -----------------------------------------------------------------------------
# SCORING CONFIGURATION
# -----------------------------------------------------------------------------
[Scoring]
# Base scores for each attack type - significantly increased for aggressive detection
SQLInjection = 80 # Increased from 35
XSS = 90 # Increased from 30 - XSS is extremely dangerous
CommandInjection = 100 # Increased from 40 - most dangerous
PathTraversal = 70 # Increased from 25
LFI_RFI = 80 # Increased from 35
NoSQLInjection = 60 # Increased from 30
XXE = 80 # Increased from 35
LDAPInjection = 50 # Increased from 30
SSRF = 75 # Increased from 35
XMLRPCAttacks = 45 # Increased from 25
# Score modifiers based on confidence
HighConfidenceMultiplier = 1.2
MediumConfidenceMultiplier = 1.0
LowConfidenceMultiplier = 0.8
# -----------------------------------------------------------------------------
# RATE LIMITING
# -----------------------------------------------------------------------------
[RateLimit]
# Maximum WAF detections per IP in the time window
MaxDetectionsPerIP = 5 # More aggressive - reduced from 10
# Time window for rate limiting (in seconds)
TimeWindow = 600 # 10 minutes - increased window
# Action when rate limit exceeded: "block" or "challenge"
RateLimitAction = "block" # Changed from challenge to block
# Decay factor for repeated offenses
DecayFactor = 0.8 # More aggressive decay
# -----------------------------------------------------------------------------
# ADVANCED DETECTION
# -----------------------------------------------------------------------------
[Advanced]
# Enable machine learning-based detection
MLDetection = false
# Enable payload deobfuscation
Deobfuscation = true
MaxDeobfuscationLevels = 3
# Enable response analysis (detect info leakage)
ResponseAnalysis = true
# Enable timing attack detection
TimingAnalysis = false
# -----------------------------------------------------------------------------
# CUSTOM RULES EXAMPLES
# -----------------------------------------------------------------------------
[[CustomRules]]
Name = "WordPress Admin Probe"
Pattern = "(?i)/wp-admin/(admin-ajax\\.php|post\\.php)"
Category = "reconnaissance"
Score = 15
Enabled = true
Action = "log"
Field = "uri_path"
[[CustomRules]]
Name = "Block Headless Browsers"
Field = "user_agent"
Pattern = "(?i)HeadlessChrome/"
Category = "bad_bot"
Score = 100
Enabled = true
Action = "block"
# Example of blocking specific paths on specific hosts
[[CustomRules]]
Name = "Block Setup Endpoint"
Field = "uri_path"
Pattern = "(?i)/setup"
Category = "access_control"
Score = 100
Enabled = false # Disabled by default
Action = "block"
Hosts = ["example.com"]
# Example of chained conditions (both must match)
[[CustomRules]]
Name = "Chained Demo Rule"
Category = "demo"
Score = 25
Enabled = false # Disabled by default
Action = "block"
[[CustomRules.Conditions]]
Field = "uri_query"
Pattern = "(?i)debug=true"
[[CustomRules.Conditions]]
Field = "user_agent"
Pattern = "(?i)curl"
# Block javascript: protocol in any part of the URL - CRITICAL
[[CustomRules]]
Name = "Block JavaScript Protocol"
Field = "uri"
Pattern = "(?i)javascript:"
Category = "xss"
Score = 100
Enabled = true
Action = "block"
# Block dangerous data: URLs
[[CustomRules]]
Name = "Block Data URL XSS"
Field = "uri"
Pattern = "(?i)data:.*text/html"
Category = "xss"
Score = 100
Enabled = true
Action = "block"
# Block data: URLs with JavaScript
[[CustomRules]]
Name = "Block Data URL JavaScript"
Field = "uri"
Pattern = "(?i)data:.*javascript"
Category = "xss"
Score = 100
Enabled = true
Action = "block"
# Block vbscript: protocol
[[CustomRules]]
Name = "Block VBScript Protocol"
Field = "uri"
Pattern = "(?i)vbscript:"
Category = "xss"
Score = 100
Enabled = true
Action = "block"
# Block any script tags in URL parameters
[[CustomRules]]
Name = "Block Script Tags in Query"
Field = "uri_query"
Pattern = "(?i)<script"
Category = "xss"
Score = 100
Enabled = true
Action = "block"
# Block SQL injection keywords in query
[[CustomRules]]
Name = "Block SQL Keywords"
Field = "uri_query"
Pattern = "(?i)(union.*select|insert.*into|delete.*from|drop.*table)"
Category = "sql_injection"
Score = 100
Enabled = true
Action = "block"
# -----------------------------------------------------------------------------
# WHITELIST / EXCEPTIONS
# -----------------------------------------------------------------------------
[Exceptions]
# Paths to exclude from WAF analysis
ExcludedPaths = [
"/api/upload",
"/static/",
"/assets/",
"/health",
"/metrics"
]
# Parameter names to exclude from analysis
ExcludedParameters = [
"utm_source",
"utm_medium",
"utm_campaign",
"ref",
"callback"
]
# Known good User-Agents to reduce false positives
TrustedUserAgents = [
"GoogleBot",
"BingBot",
"monitoring-system"
]
# IP addresses to exclude from WAF analysis
TrustedIPs = [
"127.0.0.1",
"::1"
]
# Content types to skip
SkipContentTypes = [
"image/",
"video/",
"audio/",
"font/",
"application/pdf"
]
# -----------------------------------------------------------------------------
# FALSE POSITIVE REDUCTION
# -----------------------------------------------------------------------------
[FalsePositive]
# Common false positive patterns to ignore
IgnorePatterns = [
# Legitimate base64 in JSON (e.g., image data)
"\"data:image\\/[^;]+;base64,",
# Markdown code blocks
"```[a-z]*\\n",
# Common API tokens (not actual secrets)
"token=[a-f0-9]{32}",
# Timestamps
"\\d{10,13}"
]
# Context-aware detection
ContextualDetection = true
# Authentication features removed - not applicable for this security system
# -----------------------------------------------------------------------------
# BOT VERIFICATION
# -----------------------------------------------------------------------------
[BotVerification]
# Enable comprehensive bot verification using IP ranges and DNS
Enabled = true
# Allow verified legitimate bots (Googlebot, Bingbot, etc.) to bypass WAF analysis
# When true, verified bots get 90% threat score reduction
AllowVerifiedBots = true
# Block requests that claim to be bots but fail verification
# When true, fake bot user agents get +50 threat score penalty
BlockUnverifiedBots = true
# Enable DNS verification (reverse DNS + forward DNS confirmation)
EnableDNSVerification = true
# Enable IP range verification using official bot IP ranges
EnableIPRangeVerification = true
# DNS lookup timeout
DNSTimeout = "5s"
# Minimum confidence score required to trust a bot (0.0-1.0)
# Higher values = more strict verification
MinimumConfidence = 0.8
# Bot source definitions with user agent patterns and IP range sources
[[BotVerification.BotSources]]
name = "googlebot"
userAgentPattern = "Googlebot/\\d+\\.\\d+"
ipRangeURL = "https://developers.google.com/static/search/apis/ipranges/googlebot.json"
dnsVerificationDomain = "googlebot.com"
updateInterval = "24h"
enabled = true
[[BotVerification.BotSources]]
name = "bingbot"
userAgentPattern = "bingbot/\\d+\\.\\d+"
ipRangeURL = "https://www.bing.com/toolbox/bingbot-ips.txt"
dnsVerificationDomain = "search.msn.com"
updateInterval = "24h"
enabled = true
[[BotVerification.BotSources]]
name = "slurp"
userAgentPattern = "Slurp"
ipRangeURL = "https://help.yahoo.com/slurpbot-ips.txt"
dnsVerificationDomain = "crawl.yahoo.net"
updateInterval = "2d"
enabled = false
[[BotVerification.BotSources]]
name = "duckduckbot"
userAgentPattern = "DuckDuckBot/\\d+\\.\\d+"
ipRangeURL = "https://duckduckgo.com/duckduckbot-ips.txt"
updateInterval = "3d"
enabled = false
[[BotVerification.BotSources]]
name = "facebookexternalhit"
userAgentPattern = "facebookexternalhit/\\d+\\.\\d+"
ipRangeURL = "https://developers.facebook.com/docs/sharing/webmasters/crawler-ips"
dnsVerificationDomain = "facebook.com"
updateInterval = "24h"
enabled = false
Reference in a new issue View git blame Copy permalink