
Commit f346de2

committed
feat(waf): add monitor mode for logging threats without blocking requests
1 parent 4778bec commit f346de2

2 files changed

Lines changed: 74 additions & 33 deletions


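--- a/src/adapters/http_handler.rs
+++ b/src/adapters/http_handler.rs
@@ -172,15 +172,24 @@ impl HttpHandler {
 Some(&bytes),
 client_ip.as_deref(),
 ) {
-tracing::warn!(
-uri = %parts.uri,
-threat_type = ?violation.threat_type,
-"WAF blocked request"
-);
-return Ok(Response::builder()
-.status(StatusCode::FORBIDDEN)
-.body(AxumBody::from("Request blocked by WAF"))
-.expect("Failed to build WAF forbidden response"));
+if violation.blocked {
+tracing::warn!(
+uri = %parts.uri,
+threat_type = ?violation.threat_type,
+"WAF blocked request"
+);
+return Ok(Response::builder()
+.status(StatusCode::FORBIDDEN)
+.body(AxumBody::from("Request blocked by WAF"))
+.expect("Failed to build WAF forbidden response"));
+} else {
+// Monitor mode: log but allow request
+tracing::warn!(
+uri = %parts.uri,
+threat_type = ?violation.threat_type,
+"WAF detected threat (monitor mode, not blocking)"
+);
+}
 }
 
 Request::from_parts(parts, AxumBody::from(bytes))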
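Review bot: The new `else` branch at new lines 185-192 looks unreachable if the call whose closing `) {` is at line 174 is the engine's check from the second file, because that code now returns `Err(violation)` only when `violation.blocked` is true and otherwise falls through to `Ok(())`; the call site and the enclosing handler function both start outside this hunk, so this should be confirmed against the callee. If the handler is meant to own the block/monitor decision, the engine should return the violation in both cases and leave the logging here; if the engine is meant to own it, this branch should be dropped so the two layers do not disagree about what "monitor mode" logs. Either way, the two log lines here carry only the URI and threat type, while the request's source is already in scope at line 173 — adding `client_ip = ?client_ip,` to both `tracing::warn!` calls, and `blocked = false,` to the monitor-mode one, would make the events usable for triage and filterable without parsing the message text.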

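--- a/src/core/waf/engine.rs
+++ b/src/core/waf/engine.rs
@@ -171,48 +171,80 @@ impl WafEngine {
 if let Some(ref detector) = self.sql_injection
 && let Err(violation) = detector.check(uri, headers, body)
 {
-warn!(
-uri = %uri,
-threat_type = violation.threat_type,
-"SQL injection detected"
-);
-return Err(violation);
+if violation.blocked {
+warn!(
+uri = %uri,
+threat_type = violation.threat_type,
+"SQL injection detected"
+);
+return Err(violation);
+} else {
+debug!(
+uri = %uri,
+threat_type = violation.threat_type,
+"SQL injection detected (log only)"
+);
+}
 }
 
 // Check XSS
 if let Some(ref detector) = self.xss
 && let Err(violation) = detector.check(uri, headers, body)
 {
-warn!(
-uri = %uri,
-threat_type = violation.threat_type,
-"XSS attack detected"
-);
-return Err(violation);
+if violation.blocked {
+warn!(
+uri = %uri,
+threat_type = violation.threat_type,
+"XSS attack detected"
+);
+return Err(violation);
+} else {
+debug!(
+uri = %uri,
+threat_type = violation.threat_type,
+"XSS attack detected (log only)"
+);
+}
 }
 
 // Check command injection
 if let Some(ref detector) = self.command_injection
 && let Err(violation) = detector.check(uri, headers, body)
 {
-warn!(
-uri = %uri,
-threat_type = violation.threat_type,
-"Command injection detected"
-);
-return Err(violation);
+if violation.blocked {
+warn!(
+uri = %uri,
+threat_type = violation.threat_type,
+"Command injection detected"
+);
+return Err(violation);
+} else {
+debug!(
+uri = %uri,
+threat_type = violation.threat_type,
+"Command injection detected (log only)"
+);
+}
 }
 
 // Check path traversal
 if let Some(ref detector) = self.path_traversal
 && let Err(violation) = detector.check(uri, headers, body)
 {
-warn!(
-uri = %uri,
-threat_type = violation.threat_type,
-"Path traversal detected"
-);
-return Err(violation);
+if violation.blocked {
+warn!(
+uri = %uri,
+threat_type = violation.threat_type,
+"Path traversal detected"
+);
+return Err(violation);
+} else {
+debug!(
+uri = %uri,
+threat_type = violation.threat_type,
+"Path traversal detected (log only)"
+);
+}
 }
 
 Ok(())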
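Review bot: Logging monitor-mode detections at `debug!` (new lines 182, 202, 222, 242) undercuts the stated purpose of the commit, since `debug` is normally filtered out in production subscribers and a deployment in monitor mode would then see no record of the threats it is supposed to be observing before switching to blocking. A detection is the same security event whether or not it was blocked, so emit it at the same level in both branches and encode the decision as a field, e.g. `warn!(uri = %uri, threat_type = violation.threat_type, blocked = false, "SQL injection detected (log only)");` at each of the four sites, so that alerting rules can key on `blocked` rather than on message text. The four if/else blocks are otherwise identical apart from the message, which makes a fifth detector likely to drift; a small private helper on `WafEngine` that takes the violation and the label and returns `Result<(), _>` would remove the duplication. How `violation.blocked` gets set is not visible in this hunk, so whether the mode is per-detector or global cannot be checked here; the enclosing check method also starts before the hunk.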
