Add defence profiles, attack signatures, and documentation #30
Merged
mclueppers merged 2 commits into main, Dec 24, 2025
Conversation
…tion

Defense Profile System:
- DAG-based defense profile execution with defense, operator, action nodes
- New "observation" node type for non-blocking side effects (field_learner)
- Multi-profile execution with aggregation strategies (OR, AND, MAJORITY)
- Score aggregation options (SUM, MAX, WEIGHTED_AVG)
- Built-in profiles: Legacy, Balanced, Strict, Monitor-Only, High-Value
- Visual DAG editor with React Flow

Defense Mechanisms:
- content_hash: Full 64-char SHA256, field-specific hashing, ignore_fields
- field_anomalies: All 5 checks (caps, test-patterns, sequential, no-spaces)
- expected_fields: Combined field set, all 4 actions (block/filter/flag/ignore)
- keyword_filter: ignore_fields, context exclusions, global inheritance
- field_learner: Observation node for automatic field learning

Attack Signatures:
- Pattern-based attack detection with regex/exact/contains matching
- Request part targeting (uri, headers, body, args, cookies)
- Built-in signatures for SQL injection, XSS, path traversal, etc.
- Signature stats tracking and expiration management
- Import/export functionality

Header Standardization:
- Aligned all WAF headers to use X-WAF- prefix consistently
- Updated: X-WAF-Form-Hash, X-WAF-Spam-Score, X-WAF-Spam-Flags, X-WAF-Client-IP, X-WAF-Submission-Fingerprint, X-WAF-Fingerprint-Profile
- Added missing proxy headers for HAProxy thresholds
- Fixed empty header output when variables not set

Bug Fixes:
- Fixed vhost-specific endpoint config sync (configs weren't cached)
- Removed broken deregister_instance (socket API disabled in exit_worker)
- Fixed monitoring mode to continue execution and collect all metrics
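The commit above lists two aggregation layers without showing how they compose: verdict aggregation across profiles (OR, AND, MAJORITY) and score aggregation (SUM, MAX, WEIGHTED_AVG). The following is an added example, not code from this PR or from the Forms WAF project; the `Aggregator` name, the result fields (`block`, `score`, `weight`), the tie-does-not-block rule for MAJORITY and the sample profile results are all this example's own assumptions.

```lua
-- Added example (not the project's code): verdict aggregation across several
-- defense profiles (OR / AND / MAJORITY) combined with score aggregation
-- (SUM / MAX / WEIGHTED_AVG). Profile results below are constructed sample data;
-- field names (block, score, weight) are this example's own assumptions.

local Aggregator = {}

-- Verdict strategies: decide whether the submission is blocked overall.
local verdict_strategies = {
  -- block if any profile blocks
  OR = function(results)
    for _, r in ipairs(results) do
      if r.block then return true end
    end
    return false
  end,
  -- block only if every profile blocks (an empty set never blocks)
  AND = function(results)
    if #results == 0 then return false end
    for _, r in ipairs(results) do
      if not r.block then return false end
    end
    return true
  end,
  -- block on a strict majority; a tie does not block (assumption)
  MAJORITY = function(results)
    local blocking = 0
    for _, r in ipairs(results) do
      if r.block then blocking = blocking + 1 end
    end
    return blocking * 2 > #results
  end,
}

-- Score strategies: fold per-profile spam scores into one number.
local score_strategies = {
  SUM = function(results)
    local total = 0
    for _, r in ipairs(results) do total = total + (r.score or 0) end
    return total
  end,
  MAX = function(results)
    local best = 0
    for _, r in ipairs(results) do
      if (r.score or 0) > best then best = r.score end
    end
    return best
  end,
  -- weight defaults to 1 so unweighted profiles degrade to a plain mean
  WEIGHTED_AVG = function(results)
    local num, den = 0, 0
    for _, r in ipairs(results) do
      local w = r.weight or 1
      num = num + (r.score or 0) * w
      den = den + w
    end
    return den == 0 and 0 or num / den
  end,
}

-- Returns { block = bool, score = number }; unknown strategy names fail loudly
-- rather than silently falling back to a permissive default.
function Aggregator.aggregate(results, verdict_strategy, score_strategy)
  local verdict = verdict_strategies[verdict_strategy]
  local score = score_strategies[score_strategy]
  assert(verdict, "unknown verdict strategy: " .. tostring(verdict_strategy))
  assert(score, "unknown score strategy: " .. tostring(score_strategy))
  return { block = verdict(results), score = score(results) }
end

-- Constructed sample: three profiles evaluated the same form submission.
local sample = {
  { name = "balanced", block = false, score = 30, weight = 1 },
  { name = "strict",   block = true,  score = 80, weight = 2 },
  { name = "monitor",  block = false, score = 10, weight = 1 },
}

for _, strategy in ipairs({ "OR", "AND", "MAJORITY" }) do
  local out = Aggregator.aggregate(sample, strategy, "WEIGHTED_AVG")
  print(string.format("%-8s block=%-5s score=%.1f", strategy, tostring(out.block), out.score))
end
print("SUM=" .. Aggregator.aggregate(sample, "OR", "SUM").score
      .. " MAX=" .. Aggregator.aggregate(sample, "OR", "MAX").score)

return Aggregator
```

Run it with `lua aggregate.lua`. The point worth noticing is that the two layers are independent: with the sample above, OR blocks while AND and MAJORITY do not, yet the weighted score is the same 50.0 in all three cases, so a Monitor-Only style deployment can still surface a high score even when the verdict strategy lets the submission through. Failing on an unknown strategy name (rather than defaulting to OR or to "allow") keeps a typo in an endpoint config from silently changing the security posture.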
…tem features

New documentation files:
- DEFENSE_PROFILES.md: Complete guide to the DAG-based defense profile system including node types (start, defense, operator, observation, action), built-in profiles, multi-profile execution, and aggregation strategies
- ATTACK_SIGNATURES.md: Documentation for attack signatures system with pattern matching types, built-in signatures, defense lines integration
- API_HANDLERS.md: Admin API modular handlers documentation
- BEHAVIORAL_TRACKING.md: Anomaly detection and behavioral analysis
- CLUSTER_COORDINATION.md: Leader election and instance management
- FINGERPRINT_PROFILES.md: Client fingerprinting system
- METRICS_AGGREGATION.md: Cluster-wide metrics collection
- guide/USER_GUIDE.md: Complete user guide
- guide/CONFIGURATION_REFERENCE.md: All configuration options
- guide/ATTACK_PLAYBOOK.md: Defense strategies for common attacks

Updated documentation:
- ARCHITECTURE.md: Added defense profile execution layer diagram, updated Lua module architecture, HAProxy integration details, cross-component communication, standardized X-WAF-* header prefix, added comprehensive Related Documentation section
- ENDPOINT_CONFIGURATION.md: Added defense_profiles and defense_lines configuration sections with examples and aggregation strategies
- README.md: Updated overview and features
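Both commits refer to the attack signature system's three pattern matching types (regex, exact, contains) and its request part targeting (uri, headers, body, args, cookies). The block below is an added example of that matching logic, not code from this PR or from the project's `attack_signatures_store.lua`; the `Matcher` name, the signature fields (`id`, `type`, `pattern`, `parts`, `case_insensitive`), the sample signatures and the sample request are constructed for this illustration. Because the script is meant to run with plain `lua`, the "regex" type is implemented with Lua patterns rather than the PCRE-style `ngx.re` API available inside OpenResty.

```lua
-- Added example (not the project's code): signature matching with the three
-- pattern types named in the commit (regex / exact / contains) targeted at
-- request parts (uri, headers, body, args, cookies). The signature fields,
-- ids and patterns are constructed for this illustration; "regex" is
-- implemented with Lua patterns here so the script runs outside OpenResty.

local Matcher = {}

local matchers = {
  exact    = function(value, pattern) return value == pattern end,
  contains = function(value, pattern) return string.find(value, pattern, 1, true) ~= nil end,
  regex    = function(value, pattern) return string.find(value, pattern) ~= nil end,
}

-- Flatten one request part into strings to scan: scalars as-is,
-- tables as "key=value" so both names and values are inspected.
local function values_of(request, part)
  local v = request[part]
  if v == nil then return {} end
  if type(v) == "string" then return { v } end
  local out = {}
  for k, val in pairs(v) do out[#out + 1] = tostring(k) .. "=" .. tostring(val) end
  table.sort(out)  -- deterministic order for logging
  return out
end

-- Returns a list of { signature = id, part = name } hits; one hit per
-- (signature, part) pair is enough to act on.
function Matcher.match(request, signatures)
  local hits = {}
  for _, sig in ipairs(signatures) do
    local fn = assert(matchers[sig.type], "unknown match type: " .. tostring(sig.type))
    for _, part in ipairs(sig.parts) do
      for _, value in ipairs(values_of(request, part)) do
        local subject = sig.case_insensitive and string.lower(value) or value
        if fn(subject, sig.pattern) then
          hits[#hits + 1] = { signature = sig.id, part = part }
          break
        end
      end
    end
  end
  return hits
end

-- Constructed signatures (case-insensitive patterns must be stored lowercase).
local signatures = {
  { id = "sqli-union", type = "contains", pattern = "union select",  parts = { "args", "body" }, case_insensitive = true },
  { id = "traversal",  type = "regex",    pattern = "%.%./",         parts = { "uri", "args" } },
  { id = "wp-login",   type = "exact",    pattern = "/wp-login.php", parts = { "uri" } },
}

-- Constructed request: two parts carry matches, the others are clean.
local request = {
  uri     = "/wp-login.php",
  args    = { q = "1 union select 1", file = "../config" },
  headers = { ["user-agent"] = "Mozilla/5.0" },
  body    = "name=alice&msg=hello",
  cookies = {},
}

for _, hit in ipairs(Matcher.match(request, signatures)) do
  print(hit.signature .. " matched in " .. hit.part)
end

return Matcher
```

Two design points a practitioner would want to keep when porting this into a real store: scanning table-valued parts as `key=value` strings means a signature can catch a payload placed in a parameter name, not only in a value, and the `break` after the first hit per part keeps the hit list (and the stats counters the commit mentions) from inflating when a request repeats the same payload across many fields. Under OpenResty the `regex` entry would call `ngx.re.find(subject, pattern, "jo")` so patterns are compiled once and cached.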
Contributor
Pull request overview
This PR adds a comprehensive defense system to the Forms WAF by introducing defense profiles, attack signatures, and extensive documentation to support advanced threat protection and configuration.
Key Changes:
- Added defense profiles system with DAG-based execution flow for orchestrating multiple defense mechanisms
- Added attack signatures store with built-in signatures for common attack vectors (WordPress, API abuse, credential stuffing)
- Added extensive user-facing documentation including user guide, configuration reference, and attack playbook
- Updated endpoint configuration to support defense profile and fingerprint profile attachments
Reviewed changes
Copilot reviewed 56 out of 71 changed files in this pull request and generated no comments.
Summary per file:
| File | Description |
|---|---|
| openresty/lua/attack_signatures_store.lua | New Redis-backed storage layer for managing attack signatures with CRUD operations |
| openresty/lua/attack_signatures_builtins.lua | Built-in attack signature definitions for WordPress, contact forms, APIs, and credential stuffing |
| openresty/lua/api_handlers/defense_profiles.lua | API handlers for defense profile management including validation and simulation |
| openresty/lua/api_handlers/attack_signatures.lua | API handlers for attack signature management with import/export support |
| openresty/lua/config_resolver.lua | Added defense_profiles and fingerprint_profiles passthrough in endpoint resolution |
| docs/guide/USER_GUIDE.md | Comprehensive 1510-line user guide covering setup, configuration, and troubleshooting |
| docs/guide/CONFIGURATION_REFERENCE.md | Complete configuration reference with all available options and Redis key documentation |
| docs/guide/ATTACK_PLAYBOOK.md | Incident response playbook with detection signs and mitigation strategies |
| docs/DEFENSE_PROFILES.md | Technical documentation for the defense profiles DAG system |
| docs/FINGERPRINT_PROFILES.md | Documentation for fingerprint-based client identification |
| openresty/conf/nginx.conf | Updated proxy headers to use X-WAF- prefix consistently |
| admin-ui/src/pages/endpoints/EndpointForm.tsx | Added defense profiles and defense lines tabs to endpoint editor |
| admin-ui/src/hooks/usePermissions.ts | Added permissions for fingerprint profiles, defense profiles, and attack signatures |
Files not reviewed (1)
- admin-ui/package-lock.json: Language not supported
No description provided.