aiwaf 0.1.8.3__tar.gz → 0.1.8.5__tar.gz

{aiwaf-0.1.8.3 → aiwaf-0.1.8.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aiwaf
-Version: 0.1.8.3
+Version: 0.1.8.5
 Summary: AI-powered Web Application Firewall
 Home-page: https://github.com/aayushgauba/aiwaf
 Author: Aayush Gauba
@@ -89,7 +89,17 @@ aiwaf/
 **Exempt Path & IP Awareness**
 
 **Exempt Paths:**
-Set `AIWAF_EXEMPT_PATHS` in your Django `settings.py` (not in your code). Fully respects this setting across all modules — exempt paths are:
+AI‑WAF automatically exempts common login paths (`/admin/`, `/login/`, `/accounts/login/`, etc.) from all blocking mechanisms. You can add additional exempt paths in your Django `settings.py`:
+
+```python
+AIWAF_EXEMPT_PATHS = [
+    "/api/webhooks/",
+    "/health/",
+    "/special-endpoint/",
+]
+```
+
+All exempt paths are:
   - Skipped from keyword learning
   - Immune to AI blocking
   - Ignored in log training

{aiwaf-0.1.8.3 → aiwaf-0.1.8.5}/README.md

@@ -68,7 +68,17 @@ aiwaf/
 **Exempt Path & IP Awareness**
 
 **Exempt Paths:**
-Set `AIWAF_EXEMPT_PATHS` in your Django `settings.py` (not in your code). Fully respects this setting across all modules — exempt paths are:
+AI‑WAF automatically exempts common login paths (`/admin/`, `/login/`, `/accounts/login/`, etc.) from all blocking mechanisms. You can add additional exempt paths in your Django `settings.py`:
+
+```python
+AIWAF_EXEMPT_PATHS = [
+    "/api/webhooks/",
+    "/health/",
+    "/special-endpoint/",
+]
+```
+
+All exempt paths are:
   - Skipped from keyword learning
   - Immune to AI blocking
   - Ignored in log training

{aiwaf-0.1.8.3 → aiwaf-0.1.8.5}/aiwaf/middleware.py

@@ -22,10 +22,28 @@ def is_ip_exempted(ip):
 
 def is_exempt_path(path):
     path = path.lower()
+    
+    # Default login paths that should always be exempt
+    default_login_paths = [
+        "/admin/login/",
+        "/admin/",
+        "/login/",
+        "/accounts/login/",
+        "/auth/login/",
+        "/signin/",
+    ]
+    
+    # Check default login paths
+    for login_path in default_login_paths:
+        if path.startswith(login_path):
+            return True
+    
+    # Check user-configured exempt paths
     exempt_paths = getattr(settings, "AIWAF_EXEMPT_PATHS", [])
     for exempt in exempt_paths:
         if path == exempt or path.startswith(exempt.rstrip("/") + "/"):
             return True
+    
     return False
 
 MODEL_PATH = getattr(
@@ -201,7 +219,8 @@ class HoneypotTimingMiddleware(MiddlewareMixin):
             return None
             
         if request.method == "GET":
-            # Store timestamp for this IP's GET request
+            # Store timestamp for this IP's GET request  
+            # Use a general key for the IP, not path-specific
             cache.set(f"honeypot_get:{ip}", time.time(), timeout=300)  # 5 min timeout
         
         elif request.method == "POST":
@@ -210,15 +229,26 @@ class HoneypotTimingMiddleware(MiddlewareMixin):
             
             if get_time is None:
                 # No GET request - likely bot posting directly
-                BlacklistManager.block(ip, "Direct POST without GET")
-                return JsonResponse({"error": "blocked"}, status=403)
-            
-            # Check timing
-            time_diff = time.time() - get_time
-            if time_diff < self.MIN_FORM_TIME:
-                # Posted too quickly - likely bot
-                BlacklistManager.block(ip, f"Form submitted too quickly ({time_diff:.2f}s)")
-                return JsonResponse({"error": "blocked"}, status=403)
+                # But be more lenient for login paths since users might bookmark them
+                if not any(request.path.lower().startswith(login_path) for login_path in [
+                    "/admin/login/", "/login/", "/accounts/login/", "/auth/login/", "/signin/"
+                ]):
+                    BlacklistManager.block(ip, "Direct POST without GET")
+                    return JsonResponse({"error": "blocked"}, status=403)
+            else:
+                # Check timing - be more lenient for login paths
+                time_diff = time.time() - get_time
+                min_time = self.MIN_FORM_TIME
+                
+                # Use shorter time threshold for login paths (users can login quickly)
+                if any(request.path.lower().startswith(login_path) for login_path in [
+                    "/admin/login/", "/login/", "/accounts/login/", "/auth/login/", "/signin/"
+                ]):
+                    min_time = 0.1  # Very short threshold for login forms
+                
+                if time_diff < min_time:
+                    BlacklistManager.block(ip, f"Form submitted too quickly ({time_diff:.2f}s)")
+                    return JsonResponse({"error": "blocked"}, status=403)
         
         return None
 

{aiwaf-0.1.8.3 → aiwaf-0.1.8.5}/aiwaf/trainer.py

@@ -34,6 +34,23 @@ IPExemption = apps.get_model("aiwaf", "IPExemption")
 
 def is_exempt_path(path: str) -> bool:
     path = path.lower()
+    
+    # Default login paths that should always be exempt
+    default_login_paths = [
+        "/admin/login/",
+        "/admin/",
+        "/login/",
+        "/accounts/login/",
+        "/auth/login/",
+        "/signin/",
+    ]
+    
+    # Check default login paths
+    for login_path in default_login_paths:
+        if path.startswith(login_path):
+            return True
+    
+    # Check user-configured exempt paths
     for exempt in getattr(settings, "AIWAF_EXEMPT_PATHS", []):
         if path == exempt or path.startswith(exempt.rstrip("/") + "/"):
             return True
@@ -116,6 +133,7 @@ def train() -> None:
 
     parsed = []
     ip_404   = defaultdict(int)
+    ip_404_login = defaultdict(int)  # Track 404s on login paths separately
     ip_times = defaultdict(list)
 
     for line in raw_lines:
@@ -125,15 +143,24 @@ def train() -> None:
         parsed.append(rec)
         ip_times[rec["ip"]].append(rec["timestamp"])
         if rec["status"] == "404":
-            ip_404[rec["ip"]] += 1
+            if is_exempt_path(rec["path"]):
+                ip_404_login[rec["ip"]] += 1  # Login path 404s
+            else:
+                ip_404[rec["ip"]] += 1  # Non-login path 404s
 
-    # 3. Optional immediate 404‐flood blocking
+    # 3. Optional immediate 404‐flood blocking (only for non-login paths)
     for ip, count in ip_404.items():
         if count >= 6:
-            BlacklistEntry.objects.get_or_create(
-                ip_address=ip,
-                defaults={"reason": "Excessive 404s (≥6)"}
-            )
+            # Only block if they have significant non-login 404s
+            login_404s = ip_404_login.get(ip, 0)
+            total_404s = count + login_404s
+            
+            # Don't block if majority of 404s are on login paths
+            if count > login_404s:  # More non-login 404s than login 404s
+                BlacklistEntry.objects.get_or_create(
+                    ip_address=ip,
+                    defaults={"reason": f"Excessive 404s (≥6 non-login, {count}/{total_404s})"}
+                )
 
     feature_dicts = []
     for r in parsed:
@@ -176,13 +203,48 @@ def train() -> None:
     os.makedirs(os.path.dirname(MODEL_PATH), exist_ok=True)
     joblib.dump(model, MODEL_PATH)
     print(f"Model trained on {len(X)} samples → {MODEL_PATH}")
+    
+    # Check for anomalies and intelligently decide which IPs to block
     preds = model.predict(X)
     anomalous_ips = set(df.loc[preds == -1, "ip"])
-    for ip in anomalous_ips:
-        BlacklistEntry.objects.get_or_create(
-            ip_address=ip,
-            defaults={"reason": "Anomalous behavior"}
-        )
+    
+    if anomalous_ips:
+        print(f"⚠️  Detected {len(anomalous_ips)} potentially anomalous IPs during training")
+        
+        blocked_count = 0
+        for ip in anomalous_ips:
+            # Skip if IP is exempted
+            if IPExemption.objects.filter(ip_address=ip).exists():
+                continue
+            
+            # Get this IP's behavior from the data
+            ip_data = df[df["ip"] == ip]
+            
+            # Criteria to determine if this is likely a legitimate user vs threat:
+            avg_kw_hits = ip_data["kw_hits"].mean()
+            max_404s = ip_data["total_404"].max()
+            avg_burst = ip_data["burst_count"].mean()
+            total_requests = len(ip_data)
+            
+            # Don't block if it looks like legitimate behavior:
+            if (
+                avg_kw_hits < 2 and           # Not hitting many malicious keywords
+                max_404s < 10 and            # Not excessive 404s
+                avg_burst < 15 and           # Not excessive burst activity
+                total_requests < 100         # Not excessive total requests
+            ):
+                print(f"   - {ip}: Anomalous but looks legitimate (kw:{avg_kw_hits:.1f}, 404s:{max_404s}, burst:{avg_burst:.1f}) - NOT blocking")
+                continue
+            
+            # Block if it shows clear signs of malicious behavior
+            BlacklistEntry.objects.get_or_create(
+                ip_address=ip,
+                defaults={"reason": f"AI anomaly + suspicious patterns (kw:{avg_kw_hits:.1f}, 404s:{max_404s}, burst:{avg_burst:.1f})"}
+            )
+            blocked_count += 1
+            print(f"   - {ip}: Blocked for suspicious behavior (kw:{avg_kw_hits:.1f}, 404s:{max_404s}, burst:{avg_burst:.1f})")
+        
+        print(f"   → Blocked {blocked_count}/{len(anomalous_ips)} anomalous IPs (others looked legitimate)")
 
     tokens = Counter()
     for r in parsed:

{aiwaf-0.1.8.3 → aiwaf-0.1.8.5}/aiwaf.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aiwaf
-Version: 0.1.8.3
+Version: 0.1.8.5
 Summary: AI-powered Web Application Firewall
 Home-page: https://github.com/aayushgauba/aiwaf
 Author: Aayush Gauba
@@ -89,7 +89,17 @@ aiwaf/
 **Exempt Path & IP Awareness**
 
 **Exempt Paths:**
-Set `AIWAF_EXEMPT_PATHS` in your Django `settings.py` (not in your code). Fully respects this setting across all modules — exempt paths are:
+AI‑WAF automatically exempts common login paths (`/admin/`, `/login/`, `/accounts/login/`, etc.) from all blocking mechanisms. You can add additional exempt paths in your Django `settings.py`:
+
+```python
+AIWAF_EXEMPT_PATHS = [
+    "/api/webhooks/",
+    "/health/",
+    "/special-endpoint/",
+]
+```
+
+All exempt paths are:
   - Skipped from keyword learning
   - Immune to AI blocking
   - Ignored in log training

{aiwaf-0.1.8.3 → aiwaf-0.1.8.5}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "aiwaf"
-version = "0.1.8.3"
+version = "0.1.8.5"
 description = "AI-powered Web Application Firewall"
 readme = "README.md"
 requires-python = ">=3.8"

{aiwaf-0.1.8.3 → aiwaf-0.1.8.5}/setup.py

@@ -9,7 +9,7 @@ long_description = (HERE / "README.md").read_text(encoding="utf-8")
 
 setup(
     name="aiwaf",
-    version="0.1.8.3",
+    version="0.1.8.5",
     description="AI‑driven, self‑learning Web Application Firewall for Django",
     long_description=long_description,
     long_description_content_type="text/markdown",