Skip to main content

Crate waf_detection

Crate waf_detection 

Source

Modules§

crs
Import parser for OWASP CRS / ModSecurity seclang rules (B2, BOUNDARY.md §1.7).
graphql
GraphQL structural protections (Phase 11).
grpc
gRPC structural protections (gRPC phase).
header_injection
ldap
lfi_rfi
mail
nosql
path_traversal
rate_limit
rce
request_smuggling
HTTP request-smuggling defence (Fase 6 / Pillar 4).
scanner
sqli
ssi
ssrf
ssti
xss
xxe

Structs§

ContentPrefilter
A sound, scope-aware skip-prefilter: per-scope unions (RegexSet) of the active content patterns, evaluated over the canonical surface (§6).
Rule
A single detection rule: an id (used as rule_id in the emitted decision), a regex pattern compiled into a RegexSet at module init time, a severity class (mapped to points by the pipeline), and the minimum paranoia level at which the rule becomes active.

Constants§

HIGHEST_RULE_PARANOIA
Highest paranoia level any shipped rule currently declares. The config contract allows up to waf_core::MAX_PARANOIA_LEVEL (4), but no rule uses 4 yet — so a higher paranoia_level activates no additional rules. The proxy logs this at startup so PL4 is “empty but legal”, never silently == PL3. Bump this when the first higher-paranoia rule is added.

Functions§

content_rules_split
(rule_id, pattern) for every CONTENT-inspection rule active at paranoia, split into two scope buckets (request_smuggling is excluded — it is structural framing validation, not regex content inspection, and always runs in the connection phase). Single source for the prefilter, so it cannot drift from the per-module rules.

Type Aliases§

RuleList
A list of (rule_id, pattern) for one scope bucket of the content prefilter.