Crate wafrift_detect

wafrift-detect — WAF detection across four independent fingerprint axes.

Identifies WAFs / CDNs / origin infrastructure from:

  • HTTP response headers + body (160+ vendor rules loaded from TOML)
  • DNS CNAME chain resolution (WAF/CDN providers leak identity in CNAME hops)
  • Reverse-DNS (PTR) on the leaf IP
  • BGP origin-ASN lookup via Cymru’s DNS service

Also detects silent blocking via response fingerprint drift analysis.

Examples

Identify a WAF from a 403 response that carries a vendor header:

use wafrift_detect::detect;

let headers = vec![
    ("Server".to_string(), "cloudflare".to_string()),
    ("CF-Ray".to_string(), "abc123-LHR".to_string()),
];
let body = b"<html>Cloudflare blocked your request</html>";
let results = detect(403, &headers, body);
assert!(!results.is_empty(), "should identify Cloudflare");
assert!(
    results.iter().any(|r| r.name.to_lowercase().contains("cloudflare")),
    "Cloudflare must be in the result set: got {:?}",
    results.iter().map(|r| &r.name).collect::<Vec<_>>()
);

A clean 200 response with no WAF signatures gives an empty result set:

use wafrift_detect::detect;

let headers = vec![("Server".to_string(), "nginx/1.25.0".to_string())];
let body = b"<html><body>Welcome</body></html>";
let results = detect(200, &headers, body);
assert!(results.is_empty(), "no WAF should match a benign response");
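
The BGP origin-ASN axis listed above relies on Team Cymru's DNS interface. The following is an added example, not code from the wafrift-detect crate or its documentation, showing how a query name is built and a TXT answer parsed with the standard library only. The names `OriginRecord`, `cymru_origin_qname` and `parse_origin_txt` are hypothetical, and the sample answer is constructed from documentation-reserved values.

```rust
use std::net::IpAddr;

/// Parsed origin answer. Hypothetical type, not a wafrift-detect API.
#[derive(Debug, PartialEq)]
pub struct OriginRecord {
    pub asns: Vec<u32>,
    pub prefix: String,
    pub country: String,
    pub registry: String,
}

/// Build the TXT query name for Team Cymru's IP-to-ASN DNS zones.
/// IPv4 reverses octets (as in-addr.arpa); IPv6 reverses nibbles under origin6.
pub fn cymru_origin_qname(ip: IpAddr) -> String {
    match ip {
        IpAddr::V4(v4) => {
            let o = v4.octets();
            format!("{}.{}.{}.{}.origin.asn.cymru.com", o[3], o[2], o[1], o[0])
        }
        IpAddr::V6(v6) => {
            let mut labels = Vec::with_capacity(32);
            for &b in v6.octets().iter().rev() {
                labels.push(format!("{:x}", b & 0x0f));
                labels.push(format!("{:x}", b >> 4));
            }
            format!("{}.origin6.asn.cymru.com", labels.join("."))
        }
    }
}

/// Parse one TXT answer shaped like "ASN | prefix | CC | registry | date".
pub fn parse_origin_txt(txt: &str) -> Option<OriginRecord> {
    let f: Vec<&str> = txt.trim_matches('"').split('|').map(str::trim).collect();
    if f.len() < 4 {
        return None; // malformed answer: reject rather than return a partial record
    }
    // The first field is split on whitespace so several ASNs are all kept.
    let asns: Vec<u32> = f[0].split_whitespace().map(|a| a.parse().ok()).collect::<Option<_>>()?;
    if asns.is_empty() || !f[1].contains('/') {
        return None;
    }
    Some(OriginRecord { asns, prefix: f[1].into(), country: f[2].into(), registry: f[3].into() })
}

fn main() {
    // Constructed sample: AS64500 and 192.0.2.0/24 are documentation-reserved values.
    println!("{}", cymru_origin_qname("192.0.2.10".parse().unwrap()));
    println!("{:?}", parse_origin_txt("64500 | 192.0.2.0/24 | ZZ | arin | 2020-01-01"));
}
```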

Re-exports

pub use dns_fingerprint::CnameHop;
pub use dns_fingerprint::CnameRuleEngine;
pub use dns_fingerprint::DnsProbe;
pub use dns_fingerprint::DnsProbeError;
pub use dns_fingerprint::MAX_CNAME_CHAIN_DEPTH;
pub use dns_fingerprint::probe_cname_chain;
pub use response_fingerprint::FingerprintDrift;
pub use waf_detect::DetectConfig;
pub use waf_detect::DetectRulesError;
pub use waf_detect::DetectedWaf;
pub use waf_detect::ProbePayload;
pub use waf_detect::ProbeResult;
pub use waf_detect::RuleEngine;
pub use waf_detect::active_probe;
pub use waf_detect::classify_drift;
pub use waf_detect::detect;
pub use waf_detect::is_blocked_response;
pub use waf_detect::reload_rules;
pub use waf_detect::suggest_evasion;
pub use waf_detect::supported_wafs;

Modules

  • dns_fingerprint: DNS-layer WAF / CDN fingerprinting.
  • explain: Per-payload rule attribution.
  • response_fingerprint: Response fingerprinting for silent-block detection.
  • waf_detect: WAF detection from response headers and body.