aiwaf 0.1.8.4__py3-none-any.whl → 0.1.8.5__py3-none-any.whl

aiwaf/middleware.py

@@ -219,7 +219,8 @@ class HoneypotTimingMiddleware(MiddlewareMixin):
             return None
             
         if request.method == "GET":
-            # Store timestamp for this IP's GET request
+            # Store timestamp for this IP's GET request  
+            # Use a general key for the IP, not path-specific
             cache.set(f"honeypot_get:{ip}", time.time(), timeout=300)  # 5 min timeout
         
         elif request.method == "POST":
@@ -228,15 +229,26 @@ class HoneypotTimingMiddleware(MiddlewareMixin):
             
             if get_time is None:
                 # No GET request - likely bot posting directly
-                BlacklistManager.block(ip, "Direct POST without GET")
-                return JsonResponse({"error": "blocked"}, status=403)
-            
-            # Check timing
-            time_diff = time.time() - get_time
-            if time_diff < self.MIN_FORM_TIME:
-                # Posted too quickly - likely bot
-                BlacklistManager.block(ip, f"Form submitted too quickly ({time_diff:.2f}s)")
-                return JsonResponse({"error": "blocked"}, status=403)
+                # But be more lenient for login paths since users might bookmark them
+                if not any(request.path.lower().startswith(login_path) for login_path in [
+                    "/admin/login/", "/login/", "/accounts/login/", "/auth/login/", "/signin/"
+                ]):
+                    BlacklistManager.block(ip, "Direct POST without GET")
+                    return JsonResponse({"error": "blocked"}, status=403)
+            else:
+                # Check timing - be more lenient for login paths
+                time_diff = time.time() - get_time
+                min_time = self.MIN_FORM_TIME
+                
+                # Use shorter time threshold for login paths (users can login quickly)
+                if any(request.path.lower().startswith(login_path) for login_path in [
+                    "/admin/login/", "/login/", "/accounts/login/", "/auth/login/", "/signin/"
+                ]):
+                    min_time = 0.1  # Very short threshold for login forms
+                
+                if time_diff < min_time:
+                    BlacklistManager.block(ip, f"Form submitted too quickly ({time_diff:.2f}s)")
+                    return JsonResponse({"error": "blocked"}, status=403)
         
         return None
 

aiwaf/trainer.py

@@ -203,13 +203,48 @@ def train() -> None:
     os.makedirs(os.path.dirname(MODEL_PATH), exist_ok=True)
     joblib.dump(model, MODEL_PATH)
     print(f"Model trained on {len(X)} samples → {MODEL_PATH}")
+    
+    # Check for anomalies and intelligently decide which IPs to block
     preds = model.predict(X)
     anomalous_ips = set(df.loc[preds == -1, "ip"])
-    for ip in anomalous_ips:
-        BlacklistEntry.objects.get_or_create(
-            ip_address=ip,
-            defaults={"reason": "Anomalous behavior"}
-        )
+    
+    if anomalous_ips:
+        print(f"⚠️  Detected {len(anomalous_ips)} potentially anomalous IPs during training")
+        
+        blocked_count = 0
+        for ip in anomalous_ips:
+            # Skip if IP is exempted
+            if IPExemption.objects.filter(ip_address=ip).exists():
+                continue
+            
+            # Get this IP's behavior from the data
+            ip_data = df[df["ip"] == ip]
+            
+            # Criteria to determine if this is likely a legitimate user vs threat:
+            avg_kw_hits = ip_data["kw_hits"].mean()
+            max_404s = ip_data["total_404"].max()
+            avg_burst = ip_data["burst_count"].mean()
+            total_requests = len(ip_data)
+            
+            # Don't block if it looks like legitimate behavior:
+            if (
+                avg_kw_hits < 2 and           # Not hitting many malicious keywords
+                max_404s < 10 and            # Not excessive 404s
+                avg_burst < 15 and           # Not excessive burst activity
+                total_requests < 100         # Not excessive total requests
+            ):
+                print(f"   - {ip}: Anomalous but looks legitimate (kw:{avg_kw_hits:.1f}, 404s:{max_404s}, burst:{avg_burst:.1f}) - NOT blocking")
+                continue
+            
+            # Block if it shows clear signs of malicious behavior
+            BlacklistEntry.objects.get_or_create(
+                ip_address=ip,
+                defaults={"reason": f"AI anomaly + suspicious patterns (kw:{avg_kw_hits:.1f}, 404s:{max_404s}, burst:{avg_burst:.1f})"}
+            )
+            blocked_count += 1
+            print(f"   - {ip}: Blocked for suspicious behavior (kw:{avg_kw_hits:.1f}, 404s:{max_404s}, burst:{avg_burst:.1f})")
+        
+        print(f"   → Blocked {blocked_count}/{len(anomalous_ips)} anomalous IPs (others looked legitimate)")
 
     tokens = Counter()
     for r in parsed:

{aiwaf-0.1.8.4.dist-info → aiwaf-0.1.8.5.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aiwaf
-Version: 0.1.8.4
+Version: 0.1.8.5
 Summary: AI-powered Web Application Firewall
 Home-page: https://github.com/aayushgauba/aiwaf
 Author: Aayush Gauba

{aiwaf-0.1.8.4.dist-info → aiwaf-0.1.8.5.dist-info}/RECORD

@@ -1,10 +1,10 @@
 aiwaf/__init__.py,sha256=nQFpJ1YpX48snzLjEQCf8zD2YNh8v0b_kPTrXx8uBYc,46
 aiwaf/apps.py,sha256=nCez-Ptlv2kaEk5HenA8b1pATz1VfhrHP1344gwcY1A,142
 aiwaf/blacklist_manager.py,sha256=sM6uTH7zD6MOPGb0kzqV2aFut2vxKgft_UVeRJr7klw,392
-aiwaf/middleware.py,sha256=3zFW0hGPpNti2_6Vbamw8m8YiqcJ2jC5sygWNxJPsMU,9670
+aiwaf/middleware.py,sha256=GmN9R6z1wx1g4coMoixGK_b3i4dwI5z0xBAIu4I7CoQ,10477
 aiwaf/models.py,sha256=XaG1pd_oZu3y-fw66u4wblGlWcUY9gvsTNKGD0kQk7Y,1672
 aiwaf/storage.py,sha256=bxCILzzvA1-q6nwclRE8WrfoRhe25H4VrsQDf0hl_lY,1903
-aiwaf/trainer.py,sha256=IUPCGVe0RT6sRHecBeNZuKop2d6APzXlvv3nirgKQLI,7319
+aiwaf/trainer.py,sha256=eJOHuJgIyqUIqmbYwnMWoR4fQQ8miTn64ASXMmShgI8,9120
 aiwaf/utils.py,sha256=RkEUWhhHy6tOk7V0UYv3cN4xhOR_7aBy9bjhwuV2cdA,1436
 aiwaf/management/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 aiwaf/management/commands/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -14,8 +14,8 @@ aiwaf/management/commands/detect_and_train.py,sha256=-o-LZ7QZ5GeJPCekryox1DGXKMm
 aiwaf/resources/model.pkl,sha256=5t6h9BX8yoh2xct85MXOO60jdlWyg1APskUOW0jZE1Y,1288265
 aiwaf/templatetags/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 aiwaf/templatetags/aiwaf_tags.py,sha256=XXfb7Tl4DjU3Sc40GbqdaqOEtKTUKELBEk58u83wBNw,357
-aiwaf-0.1.8.4.dist-info/licenses/LICENSE,sha256=Ir8PX4dxgAcdB0wqNPIkw84fzIIRKE75NoUil9RX0QU,1069
-aiwaf-0.1.8.4.dist-info/METADATA,sha256=abO7KBH2-WR5UDKt_bawhvXohcIToLXKQm_J33uwjRY,7435
-aiwaf-0.1.8.4.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-aiwaf-0.1.8.4.dist-info/top_level.txt,sha256=kU6EyjobT6UPCxuWpI_BvcHDG0I2tMgKaPlWzVxe2xI,6
-aiwaf-0.1.8.4.dist-info/RECORD,,
+aiwaf-0.1.8.5.dist-info/licenses/LICENSE,sha256=Ir8PX4dxgAcdB0wqNPIkw84fzIIRKE75NoUil9RX0QU,1069
+aiwaf-0.1.8.5.dist-info/METADATA,sha256=ef023TmhChIqMkNwTgEsyPODvDs44q9SXmQCYjxzoBs,7435
+aiwaf-0.1.8.5.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+aiwaf-0.1.8.5.dist-info/top_level.txt,sha256=kU6EyjobT6UPCxuWpI_BvcHDG0I2tMgKaPlWzVxe2xI,6
+aiwaf-0.1.8.5.dist-info/RECORD,,