pub struct WafRules { /* private fields */ }Expand description
Compiled WAF rules: fingerprint list + single Aho-Corasick automaton.
builtin() loads from the compile-time TOML corpus. Hot-reload swaps
the Rules wrapped in arc_swap::ArcSwap (Commit 1.6).
Implementations§
Source§impl Rules
impl Rules
Sourcepub fn classify(
&self,
response: &HttpResponse,
) -> Result<Option<WafSignal>, WafClassifyError>
pub fn classify( &self, response: &HttpResponse, ) -> Result<Option<WafSignal>, WafClassifyError>
Inspect response and return the first matching WafSignal, if any.
The algorithm runs in two passes:
-
Header-first short-circuit: fingerprints whose signals are ALL
response_headerare evaluated before the body is scanned. If any header-only fingerprint matches, its signal is returned immediately without running the AC body scan. This makes the TOML corpus the single source of truth for the 2xx header-stamp early-exit path inhttp.rs(replacing the oldheaders_only_waf_matchfunction). -
Full scan: Aho-Corasick runs over the body and all fingerprints (including mixed header+body ones) are evaluated.
On a 2xx response the body fingerprint check is only applied when the
body is ≤ CHALLENGE_BODY_LIMIT — real content pages are much larger.
Header signals are always checked regardless of status code.
Returns Ok(None) for clean responses, Ok(Some(sig)) for a match,
and Err(WafClassifyError) for classifier-internal failures.