aiwaf 0.1.2__tar.gz → 0.1.5__tar.gz

aiwaf-0.1.5/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Aayush Gauba
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

aiwaf-0.1.5/PKG-INFO

@@ -0,0 +1,195 @@
+Metadata-Version: 2.4
+Name: aiwaf
+Version: 0.1.5
+Summary: AI-powered Web Application Firewall
+Home-page: https://github.com/aayushgauba/aiwaf
+Author: Aayush Gauba
+Author-email: Aayush Gauba <gauba.aayush@gmail.com>
+License: MIT
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Dynamic: author
+Dynamic: home-page
+Dynamic: license-file
+Dynamic: requires-python
+
+
+# AI‑WAF 
+
+> A self‑learning, Django‑friendly Web Application Firewall  
+> with rate‑limiting, anomaly detection, honeypots, UUID‑tamper protection, dynamic keyword extraction, file‑extension probing detection, and daily retraining.
+
+---
+
+## Package Structure
+
+```
+aiwaf/
+├── __init__.py
+├── blacklist_manager.py
+├── middleware.py
+├── trainer.py                   # exposes train()
+├── utils.py
+├── template_tags/
+│   └── aiwaf_tags.py
+├── resources/
+│   ├── model.pkl                # pre‑trained base model
+│   └── dynamic_keywords.json    # evolves daily
+├── management/
+│   └── commands/
+│       └── detect_and_train.py  # `python manage.py detect_and_train`
+└── LICENSE
+```
+
+---
+
+## Features
+
+- **IP Blocklist**  
+  Instantly blocks suspicious IPs (supports CSV fallback or Django model).
+
+- **Rate Limiting**  
+  Sliding‑window blocks flooders (> `AIWAF_RATE_MAX` per `AIWAF_RATE_WINDOW`), then blacklists them.
+
+- **AI Anomaly Detection**  
+  IsolationForest on features:
+  - Path length  
+  - Keyword hits (static + dynamic)  
+  - Response time  
+  - Status‑code index  
+  - Burst count  
+  - Total 404s  
+
+- **Dynamic Keyword Extraction**  
+  Every retrain: top 10 most frequent “words” from 4xx/5xx paths are appended to your malicious keyword set.
+
+- **File‑Extension Probing Detection**  
+  Tracks repeated 404s on common web‑extensions (e.g. `.php`, `.asp`) and auto‑blocks after a burst.
+
+- **Honeypot Field**  
+  Hidden form field (via template tag) that bots fill → instant block.
+
+- **UUID Tampering Protection**  
+  Any `<uuid:…>` URL that doesn’t map to **any** model in its Django app gets blocked.
+
+- **Daily Retraining**  
+  Reads rotated/gzipped logs, auto‑blocks 404 floods (≥6), retrains the model, updates `model.pkl` + `dynamic_keywords.json`.
+
+---
+
+## Installation
+
+```bash
+# From PyPI
+pip install aiwaf
+
+# Or for local development
+git clone https://github.com/aayushgauba/aiwaf.git
+cd aiwaf
+pip install -e .
+```
+
+---
+
+## ⚙️ Configuration (`settings.py`)
+
+```python
+INSTALLED_APPS += ["aiwaf"]
+
+### Database Setup
+
+After adding `aiwaf` to your `INSTALLED_APPS`, create the necessary tables for the IP‐blacklist and dynamic‐keyword models:
+
+```bash
+python manage.py makemigrations aiwaf
+python manage.py migrate
+
+# Required
+AIWAF_ACCESS_LOG = "/var/log/nginx/access.log"
+
+# Optional (defaults shown)
+AIWAF_MODEL_PATH         = BASE_DIR / "aiwaf" / "resources" / "model.pkl"
+AIWAF_HONEYPOT_FIELD     = "hp_field"
+AIWAF_RATE_WINDOW        = 10         # seconds
+AIWAF_RATE_MAX           = 20         # max reqs/window
+AIWAF_RATE_FLOOD         = 10         # flood threshold
+AIWAF_WINDOW_SECONDS     = 60         # anomaly window
+AIWAF_FILE_EXTENSIONS    = [".php", ".asp", ".jsp"]  # 404‑burst tracked extensions
+```
+
+> **Note:** You no longer need to define `AIWAF_MALICIOUS_KEYWORDS` or `AIWAF_STATUS_CODES` in your settings — they’re built in and evolve dynamically.
+
+---
+
+## Middleware Setup
+
+Add in **this** order to your `MIDDLEWARE` list:
+
+```python
+MIDDLEWARE = [
+    "aiwaf.middleware.IPBlockMiddleware",
+    "aiwaf.middleware.RateLimitMiddleware",
+    "aiwaf.middleware.AIAnomalyMiddleware",
+    "aiwaf.middleware.HoneypotMiddleware",
+    "aiwaf.middleware.UUIDTamperMiddleware",
+    # ... other middleware ...
+]
+```
+
+---
+
+## Honeypot Field (in your template)
+
+```django
+{% load aiwaf_tags %}
+
+<form method="post">
+  {% csrf_token %}
+  {% honeypot_field %}
+  <!-- your real fields -->
+</form>
+```
+
+> Renders a hidden `<input name="hp_field" style="display:none">`.  
+> Any non‑empty submission → IP blacklisted.
+
+---
+
+## Running Detection & Training
+
+```bash
+python manage.py detect_and_train
+```
+
+**What happens:**
+1. Read access logs
+2. Auto‑block IPs with ≥ 6 total 404s
+3. Extract features & train IsolationForest
+4. Save `model.pkl`
+5. Extract top 10 dynamic keywords from 4xx/5xx
+
+---
+
+## How It Works
+
+| Middleware                         | Purpose                                                         |
+|------------------------------------|-----------------------------------------------------------------|
+| IPAndKeywordBlockMiddleware        | Blocks requests from known blacklisted IPs and Keywords         |
+| RateLimitMiddleware                | Enforces burst & flood thresholds                               |
+| AIAnomalyMiddleware                | ML‑driven behavior analysis + block on anomaly                  |
+| HoneypotMiddleware                 | Detects bots filling hidden inputs in forms                     |
+| UUIDTamperMiddleware               | Blocks guessed/nonexistent UUIDs across all models in an app    |
+
+---
+
+## License
+
+This project is licensed under the **MIT License**. See the [LICENSE](LICENSE) file for details.
+
+---
+
+## Credits
+
+**AI‑WAF** by [Aayush Gauba](https://github.com/aayushgauba)  
+> “Let your firewall learn and evolve — keep your site a fortress.”

aiwaf-0.1.5/README.md

@@ -0,0 +1,179 @@
+
+# AI‑WAF 
+
+> A self‑learning, Django‑friendly Web Application Firewall  
+> with rate‑limiting, anomaly detection, honeypots, UUID‑tamper protection, dynamic keyword extraction, file‑extension probing detection, and daily retraining.
+
+---
+
+## Package Structure
+
+```
+aiwaf/
+├── __init__.py
+├── blacklist_manager.py
+├── middleware.py
+├── trainer.py                   # exposes train()
+├── utils.py
+├── template_tags/
+│   └── aiwaf_tags.py
+├── resources/
+│   ├── model.pkl                # pre‑trained base model
+│   └── dynamic_keywords.json    # evolves daily
+├── management/
+│   └── commands/
+│       └── detect_and_train.py  # `python manage.py detect_and_train`
+└── LICENSE
+```
+
+---
+
+## Features
+
+- **IP Blocklist**  
+  Instantly blocks suspicious IPs (supports CSV fallback or Django model).
+
+- **Rate Limiting**  
+  Sliding‑window blocks flooders (> `AIWAF_RATE_MAX` per `AIWAF_RATE_WINDOW`), then blacklists them.
+
+- **AI Anomaly Detection**  
+  IsolationForest on features:
+  - Path length  
+  - Keyword hits (static + dynamic)  
+  - Response time  
+  - Status‑code index  
+  - Burst count  
+  - Total 404s  
+
+- **Dynamic Keyword Extraction**  
+  Every retrain: top 10 most frequent “words” from 4xx/5xx paths are appended to your malicious keyword set.
+
+- **File‑Extension Probing Detection**  
+  Tracks repeated 404s on common web‑extensions (e.g. `.php`, `.asp`) and auto‑blocks after a burst.
+
+- **Honeypot Field**  
+  Hidden form field (via template tag) that bots fill → instant block.
+
+- **UUID Tampering Protection**  
+  Any `<uuid:…>` URL that doesn’t map to **any** model in its Django app gets blocked.
+
+- **Daily Retraining**  
+  Reads rotated/gzipped logs, auto‑blocks 404 floods (≥6), retrains the model, updates `model.pkl` + `dynamic_keywords.json`.
+
+---
+
+## Installation
+
+```bash
+# From PyPI
+pip install aiwaf
+
+# Or for local development
+git clone https://github.com/aayushgauba/aiwaf.git
+cd aiwaf
+pip install -e .
+```
+
+---
+
+## ⚙️ Configuration (`settings.py`)
+
+```python
+INSTALLED_APPS += ["aiwaf"]
+
+### Database Setup
+
+After adding `aiwaf` to your `INSTALLED_APPS`, create the necessary tables for the IP‐blacklist and dynamic‐keyword models:
+
+```bash
+python manage.py makemigrations aiwaf
+python manage.py migrate
+
+# Required
+AIWAF_ACCESS_LOG = "/var/log/nginx/access.log"
+
+# Optional (defaults shown)
+AIWAF_MODEL_PATH         = BASE_DIR / "aiwaf" / "resources" / "model.pkl"
+AIWAF_HONEYPOT_FIELD     = "hp_field"
+AIWAF_RATE_WINDOW        = 10         # seconds
+AIWAF_RATE_MAX           = 20         # max reqs/window
+AIWAF_RATE_FLOOD         = 10         # flood threshold
+AIWAF_WINDOW_SECONDS     = 60         # anomaly window
+AIWAF_FILE_EXTENSIONS    = [".php", ".asp", ".jsp"]  # 404‑burst tracked extensions
+```
+
+> **Note:** You no longer need to define `AIWAF_MALICIOUS_KEYWORDS` or `AIWAF_STATUS_CODES` in your settings — they’re built in and evolve dynamically.
+
+---
+
+## Middleware Setup
+
+Add in **this** order to your `MIDDLEWARE` list:
+
+```python
+MIDDLEWARE = [
+    "aiwaf.middleware.IPBlockMiddleware",
+    "aiwaf.middleware.RateLimitMiddleware",
+    "aiwaf.middleware.AIAnomalyMiddleware",
+    "aiwaf.middleware.HoneypotMiddleware",
+    "aiwaf.middleware.UUIDTamperMiddleware",
+    # ... other middleware ...
+]
+```
+
+---
+
+## Honeypot Field (in your template)
+
+```django
+{% load aiwaf_tags %}
+
+<form method="post">
+  {% csrf_token %}
+  {% honeypot_field %}
+  <!-- your real fields -->
+</form>
+```
+
+> Renders a hidden `<input name="hp_field" style="display:none">`.  
+> Any non‑empty submission → IP blacklisted.
+
+---
+
+## Running Detection & Training
+
+```bash
+python manage.py detect_and_train
+```
+
+**What happens:**
+1. Read access logs
+2. Auto‑block IPs with ≥ 6 total 404s
+3. Extract features & train IsolationForest
+4. Save `model.pkl`
+5. Extract top 10 dynamic keywords from 4xx/5xx
+
+---
+
+## How It Works
+
+| Middleware                         | Purpose                                                         |
+|------------------------------------|-----------------------------------------------------------------|
+| IPAndKeywordBlockMiddleware        | Blocks requests from known blacklisted IPs and Keywords         |
+| RateLimitMiddleware                | Enforces burst & flood thresholds                               |
+| AIAnomalyMiddleware                | ML‑driven behavior analysis + block on anomaly                  |
+| HoneypotMiddleware                 | Detects bots filling hidden inputs in forms                     |
+| UUIDTamperMiddleware               | Blocks guessed/nonexistent UUIDs across all models in an app    |
+
+---
+
+## License
+
+This project is licensed under the **MIT License**. See the [LICENSE](LICENSE) file for details.
+
+---
+
+## Credits
+
+**AI‑WAF** by [Aayush Gauba](https://github.com/aayushgauba)  
+> “Let your firewall learn and evolve — keep your site a fortress.”

aiwaf-0.1.5/aiwaf/middleware.py

@@ -0,0 +1,184 @@
+# aiwaf/middleware.py
+
+import time
+import re
+import os
+import numpy as np
+import joblib
+
+from collections import defaultdict
+from django.utils.deprecation import MiddlewareMixin
+from django.http import JsonResponse
+from django.conf import settings
+from django.core.cache import cache
+from django.db.models import F
+from django.apps import apps
+from django.urls import get_resolver
+
+from .blacklist_manager import BlacklistManager
+from .models import DynamicKeyword
+
+MODEL_PATH = getattr(
+    settings,
+    "AIWAF_MODEL_PATH",
+    os.path.join(os.path.dirname(__file__), "resources", "model.pkl")
+)
+MODEL = joblib.load(MODEL_PATH)
+
+STATIC_KW = getattr(
+    settings,
+    "AIWAF_MALICIOUS_KEYWORDS",
+    [
+        ".php", "xmlrpc", "wp-", ".env", ".git", ".bak",
+        "conflg", "shell", "filemanager"
+    ]
+)
+
+def get_ip(request):
+    xff = request.META.get("HTTP_X_FORWARDED_FOR")
+    if xff:
+        return xff.split(",")[0].strip()
+    return request.META.get("REMOTE_ADDR", "")
+
+class IPAndKeywordBlockMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+        self.url_patterns = self._collect_view_paths()
+
+    def _collect_view_paths(self):
+        resolver = get_resolver()
+        patterns = set()
+
+        def extract(patterns_list, prefix=""):
+            for p in patterns_list:
+                if hasattr(p, "url_patterns"):
+                    extract(p.url_patterns, prefix + str(p.pattern))
+                else:
+                    pat = (prefix + str(p.pattern)).strip("^$")
+                    patterns.add(pat)
+        extract(resolver.url_patterns)
+        return patterns
+
+    def __call__(self, request):
+        ip = get_ip(request)
+        path = request.path.lower()
+        if BlacklistManager.is_blocked(ip):
+            return JsonResponse({"error": "blocked"}, status=403)
+        segments = [seg for seg in re.split(r"\W+", path) if len(seg) > 3]
+        for seg in segments:
+            obj, _ = DynamicKeyword.objects.get_or_create(keyword=seg)
+            DynamicKeyword.objects.filter(pk=obj.pk).update(count=F("count") + 1)
+        dynamic_top = list(
+            DynamicKeyword.objects
+            .order_by("-count")
+            .values_list("keyword", flat=True)[: getattr(settings, "AIWAF_DYNAMIC_TOP_N", 10)]
+        )
+        all_kw = set(STATIC_KW) | set(dynamic_top)
+        safe_kw = {kw for kw in all_kw if any(kw in pat for pat in self.url_patterns)}
+        suspicious_kw = all_kw - safe_kw
+        for seg in segments:
+            if seg in suspicious_kw:
+                BlacklistManager.block(ip, f"Keyword block: {seg}")
+                return JsonResponse({"error": "blocked"}, status=403)
+        return self.get_response(request)
+
+
+class RateLimitMiddleware:
+    WINDOW = 10
+    MAX    = 20
+    FLOOD  = 10
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+        self.logs = defaultdict(list)
+
+    def __call__(self, request):
+        ip  = get_ip(request)
+        now = time.time()
+        recs = [t for t in self.logs[ip] if now - t < self.WINDOW]
+        recs.append(now)
+        self.logs[ip] = recs
+
+        if len(recs) > self.MAX:
+            return JsonResponse({"error": "too_many_requests"}, status=429)
+        if len(recs) > self.FLOOD:
+            BlacklistManager.block(ip, "Flood pattern")
+            return JsonResponse({"error": "blocked"}, status=403)
+
+        return self.get_response(request)
+
+
+class AIAnomalyMiddleware(MiddlewareMixin):
+    WINDOW = getattr(settings, "AIWAF_WINDOW_SECONDS", 60)
+    TOP_N  = getattr(settings, "AIWAF_DYNAMIC_TOP_N", 10)
+
+    def process_request(self, request):
+        ip = get_ip(request)
+        if BlacklistManager.is_blocked(ip):
+            return JsonResponse({"error": "blocked"}, status=403)
+
+        now = time.time()
+        key = f"aiwaf:{ip}"
+        data = cache.get(key, [])
+        # TODO: you may want to capture real status & response_time in process_response
+        data.append((now, request.path, 0, 0.0))
+        data = [d for d in data if now - d[0] < self.WINDOW]
+        cache.set(key, data, timeout=self.WINDOW)
+
+        # update dynamic‐keyword counts
+        for seg in re.split(r"\W+", request.path.lower()):
+            if len(seg) > 3:
+                obj, _ = DynamicKeyword.objects.get_or_create(keyword=seg)
+                DynamicKeyword.objects.filter(pk=obj.pk).update(count=F("count") + 1)
+
+        if len(data) < 5:
+            return None
+
+        # pull top‐N dynamic tokens
+        top_dynamic = list(
+            DynamicKeyword.objects
+            .order_by("-count")
+            .values_list("keyword", flat=True)[: self.TOP_N]
+        )
+        ALL_KW = set(STATIC_KW) | set(top_dynamic)
+
+        total    = len(data)
+        ratio404 = sum(1 for (_, _, st, _) in data if st == 404) / total
+        hits     = sum(any(kw in path.lower() for kw in ALL_KW) for (_, path, _, _) in data)
+        avg_rt   = np.mean([rt for (_, _, _, rt) in data]) if data else 0.0
+        ivs      = [data[i][0] - data[i - 1][0] for i in range(1, total)]
+        avg_iv   = np.mean(ivs) if ivs else 0.0
+
+        X = np.array([[total, ratio404, hits, avg_rt, avg_iv]], dtype=float)
+        if MODEL.predict(X)[0] == -1:
+            BlacklistManager.block(ip, "AI anomaly")
+            return JsonResponse({"error": "blocked"}, status=403)
+
+        return None
+
+
+class HoneypotMiddleware(MiddlewareMixin):
+    def process_view(self, request, view_func, view_args, view_kwargs):
+        trap = request.POST.get(getattr(settings, "AIWAF_HONEYPOT_FIELD", "hp_field"), "")
+        if trap:
+            ip = get_ip(request)
+            BlacklistManager.block(ip, "HONEYPOT triggered")
+            return JsonResponse({"error": "bot_detected"}, status=403)
+        return None
+
+
+class UUIDTamperMiddleware(MiddlewareMixin):
+    def process_view(self, request, view_func, view_args, view_kwargs):
+        uid = view_kwargs.get("uuid")
+        if not uid:
+            return None
+
+        ip = get_ip(request)
+        app_label = view_func.__module__.split(".")[0]
+        app_cfg   = apps.get_app_config(app_label)
+        for Model in app_cfg.get_models():
+            if Model.objects.filter(pk=uid).exists():
+                return None
+
+        BlacklistManager.block(ip, "UUID tampering")
+        return JsonResponse({"error": "blocked"}, status=403)

{aiwaf-0.1.2 → aiwaf-0.1.5}/aiwaf/models.py

@@ -26,3 +26,11 @@ class BlacklistEntry(models.Model):
 
     def __str__(self):
         return f"{self.ip_address} ({self.reason})"
+
+class DynamicKeyword(models.Model):
+    keyword      = models.CharField(max_length=100, unique=True)
+    count        = models.PositiveIntegerField(default=0)
+    last_updated = models.DateTimeField(auto_now=True)
+
+    class Meta:
+        ordering = ['-count']