WAFGuardian is a production-ready, SOC-level Web Application Firewall (WAF) built entirely in Python. It serves as a reverse proxy that sits between internet clients and protected backend servers, intercepting and analyzing all HTTP traffic in real-time. The system employs a sophisticated rule-based scoring engine to detect and block malicious actors, featuring automated IP blocking via Windows Firewall integration.
- Real-Time Threat Detection: Advanced scoring engine detecting SQL Injection, XSS, and brute force attacks
- Automated IP Blocking: Integrates with Windows Firewall for automatic threat mitigation
- SOC Dashboard: Live WebSocket-based dashboard with real-time alerts and analytics
- Email Alerting: SMTP-based notifications for critical security events
- Persistent Logging: SQLite database for comprehensive threat history
- Forensic Analysis: Offline PCAP file analysis for incident response
- Auto-Unblocking: Temporary blocks with automatic expiration (15 minutes)
- Reverse Proxy Architecture: Inline inspection without backend modifications
Screenshots (images not included here): SOC Dashboard, Real-Time Alerts, Threat Analytics.
System Architecture & Workflow:

```text
           Internet Client
                  │
                  ▼
  ┌───────────────────────────┐
  │  WAFGuardian WAF          │ ◄── Port 8085
  │  (Reverse Proxy)          │
  │  FastAPI + httpx          │
  │                           │
  │  ┌─────────────────────┐  │
  │  │   Scoring Engine    │◄─┼── analyzer.py
  │  │   +5  SQLi          │  │
  │  │   +5  XSS           │  │
  │  │   +10 Brute Force   │  │
  │  └──────────┬──────────┘  │
  │             │ Score ≥ 10  │
  │  ┌──────────▼──────────┐  │
  │  │     IP Blocker      │◄─┼── blocker.py (netsh)
  │  └─────────────────────┘  │
  │  ┌─────────────────────┐  │
  │  │     SQLite DB       │◄─┼── database.py
  │  └─────────────────────┘  │
  │  ┌─────────────────────┐  │
  │  │     SMTP Mailer     │◄─┼── mailer.py
  │  └─────────────────────┘  │
  └─────────────┬─────────────┘
                │ (Clean traffic only)
                ▼
      Protected Backend Server
           (localhost:9000)
```

For a detailed visual workflow, see the WAF Architecture Diagram below.
The primary dashboard showing real-time threat monitoring, system status, and analytics overview.
Live WebSocket-powered alerts display showing active threats, blocked IPs, and security events as they occur.
Live email alerts on suspicious activities.
Comprehensive analytics view with charts, statistics, and historical threat data for SOC analysis.
General system monitoring view showing WAF operational status and key metrics.
Visual representation of the WAFGuardian system architecture and data flow.
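The IP Blocker stage in the diagram above, together with the 15-minute auto-unblocking feature, is easiest to understand as a small state machine: add a `netsh advfirewall` inbound block rule when the scoring engine crosses its threshold, remember the expiry time, and delete the rule again once the TTL has elapsed. The following is an added illustration written for this README, not the project's `blocker.py`. The rule-name prefix, the `TempBlocker` class, the injectable `runner`/`clock` and the client address are assumptions made for the example; the `netsh advfirewall firewall add rule` / `delete rule` argument syntax is the standard Windows one and needs an elevated shell when run for real.

```python
import ipaddress
import subprocess
import time

BLOCK_SECONDS = 15 * 60            # README: temporary blocks expire after 15 minutes
RULE_PREFIX = "WAFGuardian-Block-"  # assumed rule-name prefix, not taken from the project


def netsh_add_block(ip):
    """Argument vector for an inbound block rule on one address (standard netsh syntax)."""
    return ["netsh", "advfirewall", "firewall", "add", "rule",
            f"name={RULE_PREFIX}{ip}", "dir=in", "action=block", f"remoteip={ip}"]


def netsh_delete_block(ip):
    """Argument vector that removes the rule created by netsh_add_block."""
    return ["netsh", "advfirewall", "firewall", "delete", "rule",
            f"name={RULE_PREFIX}{ip}"]


def run_netsh(argv):
    """Default runner: executes netsh; requires an Administrator shell on Windows."""
    subprocess.run(argv, check=True, capture_output=True)


class TempBlocker:
    """Adds a firewall block for an address and removes it once its TTL has elapsed."""

    def __init__(self, runner=run_netsh, ttl=BLOCK_SECONDS, clock=time.time):
        self.runner = runner   # injectable so the expiry logic can be exercised off-Windows
        self.ttl = ttl
        self.clock = clock
        self.active = {}       # ip -> expiry timestamp

    def block(self, ip):
        """Return True if a new rule was added, False if an existing block was refreshed."""
        # Validate first: only a literal IP address may ever reach netsh, never raw
        # header text. ipaddress raises ValueError on anything that is not an address.
        ip = str(ipaddress.ip_address(ip))
        expiry = self.clock() + self.ttl
        if ip in self.active:
            self.active[ip] = expiry   # extend the block instead of adding a duplicate rule
            return False
        self.runner(netsh_add_block(ip))
        self.active[ip] = expiry
        return True

    def is_blocked(self, ip):
        """True while a block exists for ip and its TTL has not yet passed."""
        return ip in self.active and self.active[ip] > self.clock()

    def expire(self):
        """Delete every rule whose TTL has passed; return the unblocked addresses."""
        now = self.clock()
        expired = sorted(ip for ip, t in self.active.items() if t <= now)
        for ip in expired:
            self.runner(netsh_delete_block(ip))
            del self.active[ip]
        return expired


if __name__ == "__main__":
    # Dry run: print the netsh commands instead of executing them.
    blocker = TempBlocker(runner=lambda argv: print(" ".join(argv)))
    blocker.block("203.0.113.7")   # constructed client address
    print("blocked:", blocker.is_blocked("203.0.113.7"))
```

The `expire()` method is meant to be called periodically (for example from a background task alongside the proxy); because `active` lives only in memory, a WAF restart would leave rules behind in the firewall, so a real implementation should also persist the expiry times, which is what the README's SQLite store is suited for.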
- Backend: Python 3.8+, FastAPI, SQLAlchemy, SQLite
- Network Analysis: Scapy for packet capture and PCAP analysis
- Frontend: Vanilla HTML5, CSS3, JavaScript (ES6+)
- Real-Time Communication: WebSockets
- Firewall Integration: Windows `netsh` commands
- Email: SMTP (Gmail)
- Configuration: YAML-based rule engine
```text
WAFGuardian/
├── backend/
│   ├── app.py                 # Main FastAPI application & reverse proxy
│   ├── analyzer.py            # Threat scoring engine
│   ├── blocker.py             # Windows Firewall integration
│   ├── database.py            # SQLite database operations
│   ├── mailer.py              # SMTP email alerting
│   ├── models.py              # SQLAlchemy ORM models
│   ├── rules.yaml             # Detection rules configuration
│   └── sniffer.py             # Network packet capture
├── frontend/
│   ├── index.html             # SOC dashboard UI
│   ├── css/
│   │   └── style.css          # Dark cyberpunk styling
│   └── js/
│       └── main.js            # WebSocket client & dashboard logic
├── tests/
│   └── test_attacks.py        # Automated security tests
├── Pics/                      # Project screenshots & diagrams
├── requirements.txt           # Python dependencies
├── implementation_plan.md     # Development roadmap
└── README.md                  # This file
```
- Python 3.8 or higher
- Windows 10/11 (for `netsh` firewall integration)
- Administrator privileges (required for IP blocking)
- Npcap or WinPcap (for live packet capture)
1. Clone the repository

   ```shell
   git clone https://github.com/sovandas089/WAF-IDS.git
   cd WAF-IDS
   ```

2. Create virtual environment

   ```shell
   python -m venv .venv
   .\.venv\Scripts\activate
   ```

3. Install dependencies

   ```shell
   pip install -r requirements.txt
   ```

4. Configure email alerting (optional)
   - Edit `backend/mailer.py` with your Gmail credentials
   - Enable "Less secure app access" or use App Passwords

5. Start the WAF server

   ```shell
   # Run as Administrator for firewall blocking capabilities
   .\.venv\Scripts\python.exe -m backend.app
   ```

6. Access the SOC Dashboard
   - Open browser: `http://localhost:8085/dashboard`
   - View real-time alerts and analytics
   - Upload PCAP files for forensic analysis

7. Configure protected backend
   - Ensure your web application runs on `localhost:9000`
   - All traffic will be routed through WAFGuardian on port `8085`
Edit `backend/rules.yaml` to customize threat detection:

```yaml
rules:
  sqli:
    - '(?i)(SELECT|UPDATE|INSERT|DELETE|DROP|UNION).*?(FROM|INTO)'
    - '(?i)(%27)|('')|(--)|(%23)|(#)'
  xss:
    - '(?i)<script>.*?</script>'
    - '(?i)onerror\s*='
thresholds:
  brute_force:
    max_requests: 20
    time_window_seconds: 10
```

| Attack Type | Score | Block Threshold |
|---|---|---|
| SQL Injection | +5 | ≥ 10 total |
| XSS | +5 | ≥ 10 total |
| Brute Force | +10 | ≥ 10 total |
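The rules file and the scoring table above describe the whole detection model: regex categories that each add a fixed score, a sliding-window request counter for brute force, and a per-IP total that triggers a block at 10. The block below is an added example written for this README, not the project's `analyzer.py`. It embeds the rule set as a Python dict (the project reads the YAML file; embedding keeps the example offline) and assumes that scores accumulate per client IP across requests, that one hit per category is counted no matter how many of its patterns match, and that brute force means strictly more than `max_requests` within `time_window_seconds`. The `ScoringEngine` class, the `Verdict` tuple and the client addresses are constructed for the example.

```python
import re
import time
from collections import defaultdict, deque, namedtuple

# Constructed rule set mirroring the layout of backend/rules.yaml. In the YAML file
# the second sqli pattern is written with '' which unescapes to a single quote.
RULES = {
    "sqli": [
        r"(?i)(SELECT|UPDATE|INSERT|DELETE|DROP|UNION).*?(FROM|INTO)",
        r"(?i)(%27)|(')|(--)|(%23)|(#)",
    ],
    "xss": [
        r"(?i)<script>.*?</script>",
        r"(?i)onerror\s*=",
    ],
}
THRESHOLDS = {"brute_force": {"max_requests": 20, "time_window_seconds": 10}}

# Per-category scores and the block threshold from the README's scoring table.
SCORES = {"sqli": 5, "xss": 5, "brute_force": 10}
BLOCK_THRESHOLD = 10

Verdict = namedtuple("Verdict", "hits score block")


class ScoringEngine:
    """Accumulates a threat score per client IP (assumed behaviour, not analyzer.py)."""

    def __init__(self, rules=RULES, thresholds=THRESHOLDS):
        self.rules = {cat: [re.compile(p) for p in pats] for cat, pats in rules.items()}
        self.bf = thresholds["brute_force"]
        self.history = defaultdict(deque)   # ip -> request timestamps inside the window
        self.scores = defaultdict(int)      # ip -> cumulative score

    def _brute_force(self, ip, now):
        """Sliding window: True when more than max_requests arrived in time_window_seconds."""
        q = self.history[ip]
        q.append(now)
        cutoff = now - self.bf["time_window_seconds"]
        while q and q[0] < cutoff:
            q.popleft()
        return len(q) > self.bf["max_requests"]

    def score_request(self, ip, path, query="", body="", now=None):
        """Score one request; returns (matched categories, running total, block decision)."""
        now = time.time() if now is None else now
        # Inspect path, query string and body together; one hit per category
        # regardless of how many of its patterns match.
        text = f"{path}?{query}\n{body}"
        hits = [cat for cat, pats in self.rules.items() if any(p.search(text) for p in pats)]
        if self._brute_force(ip, now):
            hits.append("brute_force")
        self.scores[ip] += sum(SCORES[h] for h in hits)
        total = self.scores[ip]
        return Verdict(hits, total, total >= BLOCK_THRESHOLD)


def demo():
    """Walk one constructed client up to the block threshold; returns the verdicts."""
    eng = ScoringEngine()
    ip = "198.51.100.23"   # constructed client address
    v1 = eng.score_request(ip, "/products", "id=42", now=1000.0)
    v2 = eng.score_request(ip, "/search", "q=1 UNION SELECT name FROM users", now=1001.0)
    v3 = eng.score_request(ip, "/search", "q=' OR 1=1 --", now=1002.0)
    return [v1, v2, v3]


if __name__ == "__main__":
    for v in demo():
        print(v)
```

Two properties of the rules are worth checking against your own traffic before relying on this model: the first sqli pattern fires on any text containing e.g. "select ... from", so a search box or a CMS editor can accumulate score from legitimate input, and the second pattern treats a bare `'` or `#` as a signal, which is common in names and anchors. Tuning `max_requests` against real login rates matters for the same reason, since a single brute-force hit alone reaches the block threshold.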
Run the automated test suite:

```shell
.\.venv\Scripts\python.exe tests\test_attacks.py
```

Tests include:
- SQL Injection detection
- XSS payload blocking
- Brute force rate limiting
| Endpoint | Method | Description |
|---|---|---|
| `/dashboard` | GET | SOC dashboard UI |
| `/dashboard/api/rules` | GET | Current detection rules |
| `/dashboard/api/stats` | GET | Threat analytics data |
| `/dashboard/api/analyze_pcap` | POST | PCAP forensic analysis |
| `/dashboard/ws/alerts` | WS | Real-time alert stream |
- Multi-Factor Threat Scoring: Prevents false positives
- Temporary IP Blocks: 15-minute auto-expiration
- Comprehensive Logging: Full audit trail in SQLite
- Email Notifications: SOC team alerting
- Offline Analysis: PCAP file processing
- WebSocket Security: Real-time dashboard updates
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests for new features
- Submit a pull request
This project is developed as part of academic coursework at OP Jindal University.
Sovan Das - BTL23CS08
- GitHub: @sovandas089
- Institution: OP Jindal University
- Administrator Privileges: Required for Windows Firewall integration
- Network Capture: May require Npcap/WinPcap installation
- Port Usage: WAF runs on port 8085, backend should use 9000
- Email Configuration: Update SMTP settings in `mailer.py` for alerts
Built with ❤️ for cybersecurity education and SOC operations