aiwaf 0.1.0__tar.gz

aiwaf-0.1.0/PKG-INFO

@@ -0,0 +1,13 @@
+Metadata-Version: 2.4
+Name: aiwaf
+Version: 0.1.0
+Summary: AI‑driven pluggable Web Application Firewall for Django (CSV or DB storage)
+Author: Aayush Gauba
+Requires-Dist: django>=3.0
+Requires-Dist: scikit-learn
+Requires-Dist: numpy
+Requires-Dist: pandas
+Requires-Dist: joblib
+Dynamic: author
+Dynamic: requires-dist
+Dynamic: summary

aiwaf-0.1.0/README.md

@@ -0,0 +1,176 @@
+# AI‑WAF
+
+> A self-learning, Django-friendly Web Application Firewall  
+> with rate-limiting, anomaly detection, honeypots, UUID-tamper protection, and daily retraining.
+
+---
+
+## Package Structure
+
+```
+aiwaf/
+├── __init__.py
+├── blacklist_manager.py
+├── middleware.py
+├── trainer.py                   # exposes detect_and_train()
+├── utils.py
+├── template_tags/
+│   └── aiwaf_tags.py
+├── resources/
+│   └── model.pkl                # pre-trained base model
+├── management/
+│   └── commands/
+│       └── detect_and_train.py  # python manage.py detect_and_train
+└── LICENSE
+```
+
+---
+
+## Features
+
+- **IP Blocklist**  
+  Automatically blocks suspicious IPs; optionally backed by CSV or Django model.
+
+- **Rate Limiting**  
+  Sliding window logic blocks IPs exceeding a threshold of requests per second.
+
+- **AI Anomaly Detection**  
+  IsolationForest trained on real logs with features like:
+  - Path length
+  - Keyword hits
+  - Response time
+  - Status code index
+  - Burst count
+  - Total 404s
+
+- **Honeypot Field**  
+  Hidden form field that bots are likely to fill — if triggered, the IP is blocked.
+
+- **UUID Tampering Protection**  
+  Detects if someone is probing by injecting random/nonexistent UUIDs into URLs.
+
+- **Daily Retraining**  
+  A single command retrains your model every day based on your logs.
+
+---
+
+## Installation
+
+Install locally or from PyPI:
+
+```bash
+pip install aiwaf
+```
+
+Or for local dev:
+
+```bash
+git clone https://github.com/aayushgauba/aiwaf.git
+cd aiwaf
+pip install -e .
+```
+
+---
+
+## ⚙️ Configuration (`settings.py`)
+
+```python
+INSTALLED_APPS += [
+    "aiwaf",
+]
+
+# Required
+AIWAF_ACCESS_LOG = "/var/log/nginx/access.log"
+
+# Optional (defaults included)
+AIWAF_MODEL_PATH = BASE_DIR / "aiwaf" / "resources" / "model.pkl"
+AIWAF_MALICIOUS_KEYWORDS = [".php", "xmlrpc", "wp-", ".env", ".git", ".bak", "conflg", "shell", "filemanager"]
+AIWAF_STATUS_CODES = ["200", "403", "404", "500"]
+AIWAF_HONEYPOT_FIELD = "hp_field"
+```
+
+---
+
+## Middleware Setup
+
+Add to `MIDDLEWARE` in order:
+
+```python
+MIDDLEWARE = [
+    "aiwaf.middleware.IPBlockMiddleware",
+    "aiwaf.middleware.RateLimitMiddleware",
+    "aiwaf.middleware.AIAnomalyMiddleware",
+    "aiwaf.middleware.HoneypotMiddleware",
+    "aiwaf.middleware.UUIDTamperMiddleware",
+    ...
+]
+```
+
+---
+
+## Honeypot Field (in template)
+
+```html
+{% load aiwaf_tags %}
+
+<form method="post">
+  {% csrf_token %}
+  {% honeypot_field %}
+  <!-- other fields -->
+</form>
+```
+
+The hidden field will be `<input type="hidden" name="hp_field">`.  
+If it’s ever filled → IP gets blocked.
+
+---
+
+##  Run Detection + Training
+
+```bash
+python manage.py detect_and_train
+```
+
+What it does:
+
+- Reads logs (supports `.gz` and rotated logs).
+- Detects excessive 404s (≥6) → instant block.
+- Builds feature vectors from logs.
+- Trains IsolationForest and saves `model.pkl`.
+
+Schedule it to run daily via `cron`, `Celery beat`, or systemd timer.
+
+---
+
+## How It Works (Simplified)
+
+| Middleware             | Functionality                                                |
+|------------------------|--------------------------------------------------------------|
+| IPBlockMiddleware      | Blocks requests from known blacklisted IPs                   |
+| RateLimitMiddleware    | Blocks flooders (>20/10s) and blacklists them (>10/10s)      |
+| AIAnomalyMiddleware    | Uses ML to detect suspicious behavior in request patterns    |
+| HoneypotMiddleware     | Detects bots filling hidden inputs in forms                  |
+| UUIDTamperMiddleware   | Detects guessing/probing by checking invalid UUID access     |
+
+---
+
+## Development Roadmap
+
+- [ ] Add CSV blocklist fallback
+- [ ] Admin dashboard integration
+- [ ] Auto-pruning of old block entries
+- [ ] Real-time log streaming compatibility
+- [ ] Docker/Helm deployment guide
+
+---
+
+##  License
+
+This project is licensed under the **MIT License** — see `LICENSE` for details.
+
+---
+
+## Credits
+
+**AIWAF** by [Aayush Gauba](https://github.com/aayushgauba)  
+> "Let your firewall learn and evolve with your logs. Make your site a fortress."

aiwaf-0.1.0/aiwaf/__init__.py

@@ -0,0 +1 @@
+default_app_config = "aiwaf.apps.AiwafConfig"

aiwaf-0.1.0/aiwaf/apps.py

@@ -0,0 +1,5 @@
+from django.apps import AppConfig
+
+class AiwafConfig(AppConfig):
+    name = "aiwaf"
+    verbose_name = "AI‑Driven Web Application Firewall"

aiwaf-0.1.0/aiwaf/blacklist_manager.py

@@ -0,0 +1,14 @@
+from .models import BlacklistEntry
+
+class BlacklistManager:
+    @staticmethod
+    def block(ip, reason):
+        BlacklistEntry.objects.get_or_create(ip_address=ip, defaults={"reason": reason})
+
+    @staticmethod
+    def is_blocked(ip):
+        return BlacklistEntry.objects.filter(ip_address=ip).exists()
+
+    @staticmethod
+    def all_blocked():
+        return BlacklistEntry.objects.all()

aiwaf-0.1.0/aiwaf/management/commands/detect_and_train.py

@@ -0,0 +1,10 @@
+from django.core.management.base import BaseCommand
+from aiwaf.trainer import train
+
+class Command(BaseCommand):
+    help = "Run AI‑WAF detect & retrain"
+
+    def handle(self, *args, **options):
+        train()
+        self.stdout.write(self.style.SUCCESS("Done."))
+

aiwaf-0.1.0/aiwaf/middleware.py

@@ -0,0 +1,115 @@
+import time
+import numpy as np
+import joblib
+from collections import defaultdict
+from django.utils.deprecation import MiddlewareMixin
+from django.http import JsonResponse
+from django.conf import settings
+from django.core.cache import cache
+from django.urls import resolve
+from django.apps import apps
+from .blacklist_manager import BlacklistManager
+
+try:
+    MODEL_PATH = settings.AIWAF_MODEL_PATH
+except AttributeError:
+    import importlib.resources
+    MODEL_PATH = importlib.resources.files("aiwaf").joinpath("resources/model.pkl")
+
+MODEL = joblib.load(MODEL_PATH)
+
+def get_ip(request):
+    xff = request.META.get("HTTP_X_FORWARDED_FOR")
+    if xff:
+        return xff.split(",")[0].strip()
+    return request.META.get("REMOTE_ADDR", "")
+
+
+class IPBlockMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        ip = get_ip(request)
+        if BlacklistManager.is_blocked(ip):
+            return JsonResponse({"error": "blocked"}, status=403)
+        return self.get_response(request)
+
+
+class RateLimitMiddleware:
+    WINDOW = getattr(settings, "AIWAF_RATE_WINDOW", 10)
+    MAX = getattr(settings, "AIWAF_RATE_MAX", 20)
+    FLOOD = getattr(settings, "AIWAF_RATE_FLOOD", 10)
+    def __init__(self, get_response):
+        self.get_response = get_response
+        self.logs = defaultdict(list)
+    def __call__(self, request):
+        ip = get_ip(request)
+        now = time.time()
+        recs = [t for t in self.logs[ip] if now - t < self.WINDOW]
+        recs.append(now)
+        self.logs[ip] = recs
+        if len(recs) > self.MAX:
+            return JsonResponse({"error": "too_many_requests"}, status=429)
+        if len(recs) > self.FLOOD:
+            BlacklistManager.block(ip, "Flood pattern")
+            return JsonResponse({"error": "blocked"}, status=403)
+
+        return self.get_response(request)
+
+
+class AIAnomalyMiddleware(MiddlewareMixin):
+    WINDOW_SECONDS = getattr(settings, "AIWAF_WINDOW_SECONDS", 60)
+    def process_request(self, request):
+        ip = get_ip(request)
+        if BlacklistManager.is_blocked(ip):
+            return JsonResponse({"error": "blocked"}, status=403)
+        now = time.time()
+        key = f"aiwaf:{ip}"
+        data = cache.get(key, [])
+        data.append((now, request.path, 0, 0.0))
+        data = [d for d in data if now - d[0] < self.WINDOW_SECONDS]
+        cache.set(key, data, timeout=self.WINDOW_SECONDS)
+        if len(data) < 5:
+            return None
+        total = len(data)
+        ratio_404 = sum(1 for (_, _, st, _) in data if st == 404) / total
+        hits = sum(
+            any(k in path.lower() for k in settings.AIWAF_MALICIOUS_KEYWORDS)
+            for (_, path, _, _) in data
+        )
+        avg_rt = np.mean([rt for (_, _, _, rt) in data]) if data else 0.0
+        intervals = [
+            data[i][0] - data[i-1][0] for i in range(1, total)
+        ]
+        avg_iv = np.mean(intervals) if intervals else 0.0
+        X = np.array([[total, ratio_404, hits, avg_rt, avg_iv]], dtype=float)
+        if MODEL.predict(X)[0] == -1:
+            BlacklistManager.block(ip, "AI anomaly")
+            return JsonResponse({"error": "blocked"}, status=403)
+        return None
+
+
+class HoneypotMiddleware(MiddlewareMixin):
+    def process_view(self, request, view_func, view_args, view_kwargs):
+        trap = request.POST.get(settings.AIWAF_HONEYPOT_FIELD, "")
+        if trap:
+            ip = get_ip(request)
+            BlacklistManager.block(ip, "HONEYPOT triggered")
+            return JsonResponse({"error": "bot_detected"}, status=403)
+        return None
+
+
+class UUIDTamperMiddleware(MiddlewareMixin):
+    def process_view(self, request, view_func, view_args, view_kwargs):
+        uid = view_kwargs.get("uuid")
+        if not uid:
+            return None
+        ip = get_ip(request)
+        app_label = view_kwargs.get("app_label") or view_func.__module__.split('.')[0]
+        app_config = apps.get_app_config(app_label)
+        for Model in app_config.get_models():
+            if Model.objects.filter(pk=uid).exists():
+                return None
+        BlacklistManager.block(ip, "UUID tampering")
+        return JsonResponse({"error": "blocked"}, status=403)

aiwaf-0.1.0/aiwaf/models.py

@@ -0,0 +1,28 @@
+from django.db import models
+
+class FeatureSample(models.Model):
+    ip          = models.GenericIPAddressField(db_index=True)
+    path_len    = models.IntegerField()
+    kw_hits     = models.IntegerField()
+    resp_time   = models.FloatField()
+    status_idx  = models.IntegerField()
+    burst_count = models.IntegerField()
+    total_404   = models.IntegerField()
+    label       = models.CharField(max_length=20, default="unlabeled")
+    created_at  = models.DateTimeField(auto_now_add=True)
+
+    class Meta:
+        verbose_name = "WAF Feature Sample"
+        verbose_name_plural = "WAF Feature Samples"
+        indexes = [
+            models.Index(fields=["ip"]),
+            models.Index(fields=["created_at"]),
+        ]
+
+class BlacklistEntry(models.Model):
+    ip_address = models.GenericIPAddressField(unique=True, db_index=True)
+    reason     = models.CharField(max_length=100)
+    created_at = models.DateTimeField(auto_now_add=True)
+
+    def __str__(self):
+        return f"{self.ip_address} ({self.reason})"

aiwaf-0.1.0/aiwaf/storage.py

@@ -0,0 +1,61 @@
+import os, csv, gzip, glob
+import numpy as np
+import pandas as pd
+from django.conf import settings
+from .models import FeatureSample
+
+DATA_FILE  = getattr(settings, "AIWAF_CSV_PATH", "access_samples.csv")
+CSV_HEADER = [
+    "ip","path_len","kw_hits","resp_time",
+    "status_idx","burst_count","total_404","label"
+]
+
+class CsvFeatureStore:
+    @staticmethod
+    def persist_rows(rows):
+        new_file = not os.path.exists(DATA_FILE)
+        with open(DATA_FILE, "a", newline="", encoding="utf-8") as f:
+            w = csv.writer(f)
+            if new_file:
+                w.writerow(CSV_HEADER)
+            w.writerows(rows)
+
+    @staticmethod
+    def load_matrix():
+        if not os.path.exists(DATA_FILE):
+            return np.empty((0,6))
+        df = pd.read_csv(
+            DATA_FILE,
+            names=CSV_HEADER,
+            skiprows=1,
+            engine="python",
+            on_bad_lines="skip"
+        )
+        feature_cols = CSV_HEADER[1:7]
+        df[feature_cols] = df[feature_cols].apply(pd.to_numeric, errors="coerce").fillna(0)
+        return df[feature_cols].to_numpy()
+
+class DbFeatureStore:
+    @staticmethod
+    def persist_rows(rows):
+        objs = []
+        for ip,pl,kw,rt,si,bc,t404,label in rows:
+            objs.append(FeatureSample(
+                ip=ip, path_len=pl, kw_hits=kw,
+                resp_time=rt, status_idx=si,
+                burst_count=bc, total_404=t404,
+                label=label
+            ))
+        FeatureSample.objects.bulk_create(objs, ignore_conflicts=True)
+
+    @staticmethod
+    def load_matrix():
+        qs = FeatureSample.objects.all().values_list(
+            "path_len","kw_hits","resp_time","status_idx","burst_count","total_404"
+        )
+        return np.array(list(qs), dtype=float)
+
+def get_store():
+    if getattr(settings, "AIWAF_FEATURE_STORE", "csv") == "db":
+        return DbFeatureStore
+    return CsvFeatureStore

aiwaf-0.1.0/aiwaf/template_tags/aiwaf_tags.py

@@ -0,0 +1,14 @@
+from django import template
+from django.utils.html import format_html
+from django.conf import settings
+
+register = template.Library()
+
+@register.simple_tag
+def honeypot_field(field_name=None):
+
+    name = field_name or getattr(settings, "AIWAF_HONEYPOT_FIELD", "hp_field")
+    return format_html(
+        '<input type="text" name="{}" hidden autocomplete="off" tabindex="-1" />',
+        name
+    )

aiwaf-0.1.0/aiwaf/trainer.py

@@ -0,0 +1,123 @@
+# aiwaf/trainer.py
+
+import os
+import glob
+import gzip
+import re
+import joblib
+from datetime import datetime
+from collections import defaultdict
+from .models import BlacklistEntry
+import pandas as pd
+from sklearn.ensemble import IsolationForest
+from django.conf import settings
+from django.apps import apps
+
+LOG_PATH   = settings.AIWAF_ACCESS_LOG
+MODEL_PATH = os.path.join(
+    os.path.dirname(__file__),
+    "resources",
+    "model.pkl"
+)
+MALICIOUS_KEYWORDS = [".php", "xmlrpc", "wp-", ".env", ".git", ".bak", "conflg", "shell", "filemanager"]
+STATUS_CODES       = ["200", "403", "404", "500"]
+_LOG_RX = re.compile(
+    r'(\d+\.\d+\.\d+\.\d+).*\[(.*?)\].*"(?:GET|POST) (.*?) HTTP/.*?" (\d{3}).*?"(.*?)" "(.*?)".*?response-time=(\d+\.\d+)'
+)
+BlacklistedIP = BlacklistEntry.objects.all()
+def _read_all_logs():
+    lines = []
+    if LOG_PATH and os.path.exists(LOG_PATH):
+        with open(LOG_PATH, "r", errors="ignore") as f:
+            lines += f.readlines()
+    for path in sorted(glob.glob(LOG_PATH + ".*")):
+        opener = gzip.open if path.endswith(".gz") else open
+        try:
+            with opener(path, "rt", errors="ignore") as f:
+                lines += f.readlines()
+        except OSError:
+            continue
+    return lines
+
+def _parse(line):
+    m = _LOG_RX.search(line)
+    if not m:
+        return None
+    ip, ts_str, path, status, ref, ua, rt = m.groups()
+    try:
+        ts = datetime.strptime(ts_str.split()[0], "%d/%b/%Y:%H:%M:%S")
+    except ValueError:
+        return None
+    return {
+        "ip": ip,
+        "timestamp": ts,
+        "path": path,
+        "status": status,
+        "ua": ua,
+        "response_time": float(rt),
+    }
+
+
+def train():
+    raw = _read_all_logs()
+    if not raw:
+        print("No log lines found – check AIWAF_ACCESS_LOG")
+        return
+    parsed = []
+    ip_404   = defaultdict(int)
+    ip_times = defaultdict(list)
+    for ln in raw:
+        rec = _parse(ln)
+        if not rec:
+            continue
+        parsed.append(rec)
+        ip_times[rec["ip"]].append(rec["timestamp"])
+        if rec["status"] == "404":
+            ip_404[rec["ip"]] += 1
+    blocked = []
+    for ip, count in ip_404.items():
+        if count >= 6:
+            obj, created = BlacklistEntry.objects.get_or_create(
+                ip_address=ip,
+                defaults={"reason": "Excessive 404s (≥6)"}
+            )
+            if created:
+                blocked.append(ip)
+    if blocked:
+        print(f"Auto‑blocked {len(blocked)} IPs for ≥6 404s: {', '.join(blocked)}")
+    rows = []
+    for r in parsed:
+        ip        = r["ip"]
+        burst     = sum(
+            1 for t in ip_times[ip]
+            if (r["timestamp"] - t).total_seconds() <= 10
+        )
+        total404  = ip_404[ip]
+        kw_hits   = sum(k in r["path"].lower() for k in MALICIOUS_KEYWORDS)
+        status_idx = STATUS_CODES.index(r["status"]) if r["status"] in STATUS_CODES else -1
+        rows.append([
+            len(r["path"]),
+            kw_hits,
+            r["response_time"],
+            status_idx,
+            burst,
+            total404
+        ])
+
+    if not rows:
+        print("No entries to train on!")
+        return
+
+    df = pd.DataFrame(
+        rows,
+        columns=[
+            "path_len", "kw_hits", "resp_time",
+            "status_idx", "burst_count", "total_404"
+        ]
+    ).fillna(0).astype(float)
+    clf = IsolationForest(contamination=0.01, random_state=42)
+    clf.fit(df.values)
+    os.makedirs(os.path.dirname(MODEL_PATH), exist_ok=True)
+    joblib.dump(clf, MODEL_PATH)
+    print(f"Model trained on {len(df)} samples and saved to {MODEL_PATH}")
+

aiwaf-0.1.0/aiwaf/utils.py

@@ -0,0 +1,50 @@
+import os
+import re
+import glob
+import gzip
+from datetime import datetime
+
+_LOG_RX = re.compile(
+    r'(\d+\.\d+\.\d+\.\d+).*\[(.*?)\].*"(GET|POST) (.*?) HTTP/.*?" (\d{3}).*?"(.*?)" "(.*?)"'
+)
+
+def get_ip(request):
+    xff = request.META.get("HTTP_X_FORWARDED_FOR", "")
+    if xff:
+        return xff.split(",")[0].strip()
+    return request.META.get("REMOTE_ADDR", "")
+
+def read_rotated_logs(base_path):
+    lines = []
+    if os.path.exists(base_path):
+        with open(base_path, "r", encoding="utf-8", errors="ignore") as f:
+            lines.extend(f.readlines())
+    for path in sorted(glob.glob(base_path + ".*")):
+        opener = gzip.open if path.endswith(".gz") else open
+        try:
+            with opener(path, "rt", encoding="utf-8", errors="ignore") as f:
+                lines.extend(f.readlines())
+        except OSError:
+            continue
+    return lines
+
+def parse_log_line(line):
+    m = _LOG_RX.search(line)
+    if not m:
+        return None
+    ip, ts_str, _, path, status, ref, ua = m.groups()
+    try:
+        ts = datetime.strptime(ts_str.split()[0], "%d/%b/%Y:%H:%M:%S")
+    except ValueError:
+        return None
+    rt_m = re.search(r'response-time=(\d+\.\d+)', line)
+    rt = float(rt_m.group(1)) if rt_m else 0.0
+    return {
+        "ip": ip,
+        "timestamp": ts,
+        "path": path,
+        "status": status,
+        "referer": ref,
+        "user_agent": ua,
+        "response_time": rt
+    }

aiwaf-0.1.0/aiwaf.egg-info/PKG-INFO

@@ -0,0 +1,13 @@
+Metadata-Version: 2.4
+Name: aiwaf
+Version: 0.1.0
+Summary: AI‑driven pluggable Web Application Firewall for Django (CSV or DB storage)
+Author: Aayush Gauba
+Requires-Dist: django>=3.0
+Requires-Dist: scikit-learn
+Requires-Dist: numpy
+Requires-Dist: pandas
+Requires-Dist: joblib
+Dynamic: author
+Dynamic: requires-dist
+Dynamic: summary

aiwaf-0.1.0/aiwaf.egg-info/SOURCES.txt

@@ -0,0 +1,22 @@
+README.md
+setup.py
+aiwaf/__init__.py
+aiwaf/apps.py
+aiwaf/blacklist_manager.py
+aiwaf/middleware.py
+aiwaf/models.py
+aiwaf/storage.py
+aiwaf/trainer.py
+aiwaf/utils.py
+aiwaf.egg-info/PKG-INFO
+aiwaf.egg-info/SOURCES.txt
+aiwaf.egg-info/dependency_links.txt
+aiwaf.egg-info/entry_points.txt
+aiwaf.egg-info/requires.txt
+aiwaf.egg-info/top_level.txt
+aiwaf/management/__init__.py
+aiwaf/management/commands/__init__.py
+aiwaf/management/commands/detect_and_train.py
+aiwaf/resources/model.pkl
+aiwaf/template_tags/__init__.py
+aiwaf/template_tags/aiwaf_tags.py

aiwaf-0.1.0/aiwaf.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

aiwaf-0.1.0/aiwaf.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+aiwaf-detect = aiwaf.trainer:detect_and_train

aiwaf-0.1.0/aiwaf.egg-info/requires.txt

@@ -0,0 +1,5 @@
+django>=3.0
+scikit-learn
+numpy
+pandas
+joblib

aiwaf-0.1.0/aiwaf.egg-info/top_level.txt

@@ -0,0 +1 @@
+aiwaf

aiwaf-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

aiwaf-0.1.0/setup.py

@@ -0,0 +1,25 @@
+from setuptools import setup, find_packages
+
+setup(
+    name="aiwaf",
+    version="0.1.0",
+    description="AI‑driven pluggable Web Application Firewall for Django (CSV or DB storage)",
+    author="Aayush Gauba",
+    packages=find_packages(),
+    package_data={
+        "aiwaf": ["resources/*.pkl"],
+    },
+    include_package_data=True,
+    install_requires=[
+        "django>=3.0",
+        "scikit-learn",
+        "numpy",
+        "pandas",
+        "joblib",
+    ],
+    entry_points={
+        "console_scripts": [
+            "aiwaf-detect=aiwaf.trainer:detect_and_train",
+        ]
+    },
+)