DAVNG
davngwaf.com
// network perimeter defense //

Real-Time Intrusion Detection
and Web Application Firewall

DAG NGWAF IDS monitors every HTTP request at the kernel level — before your application ever sees it. Attacks are detected, logged, and silently dropped in milliseconds. No agents. No cloud dependency. No false-positive bans on your own infrastructure.

200+ attack patterns
16 detection stages
48h default ban TTL
<1ms per-request latency
0.0 fail-open ML score
7 enforcement stages

Core Capabilities


Kernel-Level Blocking

Banned IPs are added to an ipset blocklist enforced by iptables. Active TCP sessions are killed immediately via conntrack. The web server process never wakes up for blocked traffic.

ipset · iptables · conntrack

XDP Fast-Path (eBPF)

An optional Aya/eBPF kernel program pins the blocklist into a BPF hash map at /sys/fs/bpf/xdp_blocklist. Packets from banned IPs are dropped at the NIC driver layer — before the kernel IP stack processes them.

eBPF · XDP · Aya 0.13

CNN-GRU ML Scoring

An optional Python inference service scores requests via Unix socket using a trained Keras model. 100-dimensional feature extraction (20 structural + 80-char histogram). Fail-open by design — a dead socket scores 0.0, never causing a ban.

TensorFlow 2.15 · fail-open

Verified Bot Allowance

Legitimate crawlers (Googlebot, Bingbot) are verified by Forward-Confirmed Reverse DNS before being allowed. PTR lookup → hostname pattern check → forward A confirmation. Unverified crawlers are treated as hostile.

FCrDNS · PTR + A lookup
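The three-step check described above (PTR lookup, hostname pattern check, forward confirmation), written out as an added Rust example; this is not the product's code. The resolvers are injected closures backed by constructed lookup tables so it runs offline, and the accepted hostname suffixes are an assumption for the example rather than the product's configuration. The spoofed-PTR case (a host whose PTR claims to be Googlebot but whose forward record points elsewhere) is the one the forward confirmation exists to catch.

```rust
use std::net::IpAddr;

/// Outcome of a Forward-Confirmed Reverse DNS (FCrDNS) check.
#[derive(Debug, PartialEq, Eq)]
pub enum BotVerdict {
    Verified(String),
    NoPtr,
    HostnameNotAllowed(String),
    ForwardMismatch(String),
}

/// Hostname suffixes accepted for the crawler families named on the page.
/// Assumption for this example, not the product's configuration.
const ALLOWED_SUFFIXES: &[&str] = &[".googlebot.com", ".google.com", ".search.msn.com"];

fn hostname_allowed(host: &str) -> bool {
    let h = host.trim_end_matches('.').to_ascii_lowercase();
    ALLOWED_SUFFIXES.iter().any(|s| h.ends_with(s))
}

/// PTR lookup -> hostname pattern check -> forward A confirmation.
/// `ptr` and `forward` are injected resolvers so the logic runs offline;
/// in production they would wrap real DNS queries.
pub fn verify_crawler<P, F>(ip: IpAddr, ptr: P, forward: F) -> BotVerdict
where
    P: Fn(IpAddr) -> Option<String>,
    F: Fn(&str) -> Vec<IpAddr>,
{
    // Step 1: reverse lookup. No PTR means no verification is possible.
    let host = match ptr(ip) {
        Some(h) => h,
        None => return BotVerdict::NoPtr,
    };
    // Step 2: the claimed hostname must belong to an allowed crawler domain.
    if !hostname_allowed(&host) {
        return BotVerdict::HostnameNotAllowed(host);
    }
    // Step 3: the hostname's forward records must include the source IP,
    // otherwise the PTR is under someone else's control and is ignored.
    if forward(&host).contains(&ip) {
        BotVerdict::Verified(host)
    } else {
        BotVerdict::ForwardMismatch(host)
    }
}

/// Constructed PTR table standing in for DNS (203.0.113.9 carries a spoofed PTR).
fn fake_ptr(ip: IpAddr) -> Option<String> {
    match ip.to_string().as_str() {
        "66.249.66.1" => Some("crawl-66-249-66-1.googlebot.com".to_string()),
        "203.0.113.9" => Some("crawl-66-249-66-1.googlebot.com".to_string()),
        "198.51.100.7" => Some("scanner.example.net".to_string()),
        _ => None,
    }
}

/// Constructed forward (A) table standing in for DNS.
fn fake_forward(host: &str) -> Vec<IpAddr> {
    match host {
        "crawl-66-249-66-1.googlebot.com" => vec!["66.249.66.1".parse().unwrap()],
        _ => vec![],
    }
}

/// Convenience wrapper over the constructed tables.
pub fn check(ip: &str) -> BotVerdict {
    verify_crawler(ip.parse().unwrap(), fake_ptr, fake_forward)
}

fn main() {
    for ip in ["66.249.66.1", "203.0.113.9", "198.51.100.7", "192.0.2.1"] {
        println!("{:<14} -> {:?}", ip, check(ip));
    }
}
```

Only the first address is accepted; the spoofed PTR fails at the forward step, the non-crawler hostname fails at the pattern step, and an address with no PTR never reaches either.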

Attack Tool Detection

Known scanner and exploitation tool User-Agents (sqlmap, nikto, masscan, nuclei, Metasploit, Burp Suite, dirbuster, ffuf, and 20+ others) are flagged before any other check, which catches scanners even on structurally trivial paths such as GET /.

BAD_UA · 26 signatures

Burst & Shadow Detection

A 2-second sliding window catches volumetric bursts (≥10 req + ≥5 unique paths, or ≥6 req + ≥3 repeated method+path). Shadow tracking accumulates sub-threshold ML hits: three dead-zone scores within 10 minutes trigger a full ban even though no single request crossed the block threshold on its own.

2s window · shadow 3-hit rule
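The two burst rules above, implemented as an added Rust example over a per-IP sliding window; this is not the product's code. It assumes "≥3 repeated method+path" means one method+path pair seen at least three times inside the window, and it feeds constructed request streams (a path-diversity scan matching the req=12 paths=8 line in the log sample, a login hammer, and requests spaced far enough apart that the window evicts them).

```rust
use std::collections::{HashMap, HashSet, VecDeque};

/// One request as the detector sees it (constructed input, not the product's type).
#[derive(Clone, Debug)]
pub struct Req {
    pub ts_ms: u64,
    pub method: String,
    pub path: String,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Burst {
    None,
    /// >=10 requests touching >=5 unique paths inside the window.
    Diversity { req: usize, paths: usize },
    /// >=6 requests with one method+path pair repeated >=3 times.
    Repetition { req: usize, repeats: usize },
}

const WINDOW_MS: u64 = 2_000;

/// Sliding window for a single source IP; the product keeps one per IP.
#[derive(Default)]
pub struct Window {
    reqs: VecDeque<Req>,
}

impl Window {
    /// Record a request and evaluate both burst rules on the current window.
    pub fn observe(&mut self, r: Req) -> Burst {
        let now = r.ts_ms;
        self.reqs.push_back(r);
        // Evict everything at or beyond 2 seconds of age.
        while let Some(oldest) = self.reqs.front().map(|x| x.ts_ms) {
            if now.saturating_sub(oldest) >= WINDOW_MS {
                self.reqs.pop_front();
            } else {
                break;
            }
        }
        let req = self.reqs.len();
        let paths: HashSet<&str> = self.reqs.iter().map(|x| x.path.as_str()).collect();
        let mut counts: HashMap<(&str, &str), usize> = HashMap::new();
        for x in &self.reqs {
            *counts.entry((x.method.as_str(), x.path.as_str())).or_insert(0) += 1;
        }
        // Highest repeat count of any single method+path pair.
        let repeats = counts.values().copied().max().unwrap_or(0);
        if req >= 10 && paths.len() >= 5 {
            Burst::Diversity { req, paths: paths.len() }
        } else if req >= 6 && repeats >= 3 {
            Burst::Repetition { req, repeats }
        } else {
            Burst::None
        }
    }
}

fn req(ts_ms: u64, method: &str, path: &str) -> Req {
    Req { ts_ms, method: method.into(), path: path.into() }
}

/// Constructed: 12 GETs over 8 distinct paths in 1.1 s.
pub fn scan_scenario() -> Burst {
    let mut w = Window::default();
    let mut last = Burst::None;
    for i in 0..12u64 {
        last = w.observe(req(i * 100, "GET", &format!("/p{}", i % 8)));
    }
    last
}

/// Constructed: 7 POSTs to the same login path in 0.6 s.
pub fn hammer_scenario() -> Burst {
    let mut w = Window::default();
    let mut last = Burst::None;
    for i in 0..7u64 {
        last = w.observe(req(i * 100, "POST", "/wp-login.php"));
    }
    last
}

/// Constructed: 5 POSTs at t=0..400 ms, then 3 more at t=2500..2700 ms.
/// The first five have aged out by the time the last three arrive.
pub fn spaced_scenario() -> Burst {
    let mut w = Window::default();
    let mut last = Burst::None;
    for t in [0, 100, 200, 300, 400, 2500, 2600, 2700] {
        last = w.observe(req(t, "POST", "/wp-login.php"));
    }
    last
}

fn main() {
    println!("scan:   {:?}", scan_scenario());
    println!("hammer: {:?}", hammer_scenario());
    println!("spaced: {:?}", spaced_scenario());
}
```

The diversity rule is evaluated first because it has the stricter count threshold; the eviction loop is what keeps a slow, steady stream of identical requests from ever reaching six inside the window.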

Campaign Correlation

Attacks are correlated into campaigns using a deterministic SHA-256 hash of reason family, URI prefix, and /24 subnet. Related events across time and instances are grouped automatically — enabling coordinated campaign tracking without a separate SIEM.

SHA-256 correlation · NDJSON

Subnet Escalation

When 5 or more distinct IPs from the same /24 subnet are banned within one hour, the entire subnet is added to a separate bad_subnets ipset — automatically blocking coordinated distributed attacks before each individual IP can probe your server.

/24 density · 1h window
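The /24 density rule above (5 distinct banned IPs from one subnet inside one hour), as an added Rust example that is not the product's code. It keys bans by /24, expires entries older than an hour, counts distinct addresses rather than ban events, and reports the subnet once when the threshold is crossed; the constructed scenarios use the 203.0.113.0/24 documentation range. Adding the returned subnet to the bad_subnets ipset is left to the caller.

```rust
use std::collections::{HashMap, VecDeque};
use std::net::Ipv4Addr;

const SUBNET_THRESHOLD: usize = 5;
const WINDOW_SECS: u64 = 3_600;

/// /24 network key of an IPv4 address.
pub fn slash24(ip: Ipv4Addr) -> Ipv4Addr {
    let o = ip.octets();
    Ipv4Addr::new(o[0], o[1], o[2], 0)
}

#[derive(Default)]
pub struct SubnetTracker {
    /// Per /24: (ban time in seconds, banned IP), in arrival order.
    bans: HashMap<Ipv4Addr, VecDeque<(u64, Ipv4Addr)>>,
    /// Subnets already escalated; reported once only.
    escalated: Vec<Ipv4Addr>,
}

impl SubnetTracker {
    /// Record a ban; returns Some(subnet) the moment the /24 reaches
    /// SUBNET_THRESHOLD distinct IPs inside the 1h window.
    pub fn record_ban(&mut self, ts: u64, ip: Ipv4Addr) -> Option<Ipv4Addr> {
        let net = slash24(ip);
        if self.escalated.contains(&net) {
            return None;
        }
        let q = self.bans.entry(net).or_default();
        // Drop bans older than one hour.
        while let Some(oldest) = q.front().map(|e| e.0) {
            if ts.saturating_sub(oldest) >= WINDOW_SECS {
                q.pop_front();
            } else {
                break;
            }
        }
        q.push_back((ts, ip));
        // Count distinct IPs, so one repeat offender cannot escalate its own subnet.
        let mut distinct: Vec<Ipv4Addr> = q.iter().map(|&(_, i)| i).collect();
        distinct.sort();
        distinct.dedup();
        if distinct.len() >= SUBNET_THRESHOLD {
            self.escalated.push(net);
            Some(net)
        } else {
            None
        }
    }
}

/// Constructed: five distinct hosts in 203.0.113.0/24 banned two minutes apart.
pub fn coordinated_scenario() -> Option<Ipv4Addr> {
    let mut t = SubnetTracker::default();
    let mut last = None;
    for (i, host) in (10..15u8).enumerate() {
        last = t.record_ban(i as u64 * 120, Ipv4Addr::new(203, 0, 113, host));
    }
    last
}

/// Constructed: the same host banned five times in five minutes.
pub fn repeat_offender_scenario() -> Option<Ipv4Addr> {
    let mut t = SubnetTracker::default();
    let mut last = None;
    for i in 0..5u64 {
        last = t.record_ban(i * 60, Ipv4Addr::new(203, 0, 113, 10));
    }
    last
}

/// Constructed: five distinct hosts, but 1000 s apart, so the first has expired
/// by the time the fifth arrives.
pub fn slow_scenario() -> Option<Ipv4Addr> {
    let mut t = SubnetTracker::default();
    let mut last = None;
    for (i, host) in (10..15u8).enumerate() {
        last = t.record_ban(i as u64 * 1000, Ipv4Addr::new(203, 0, 113, host));
    }
    last
}

fn main() {
    println!("coordinated:    {:?}", coordinated_scenario());
    println!("repeat offender: {:?}", repeat_offender_scenario());
    println!("slow:           {:?}", slow_scenario());
}
```

Only the coordinated scenario returns the subnet; counting distinct addresses and expiring old bans are the two details that keep a single noisy host or a slow trickle of unrelated bans from blocking an entire /24.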

Tiered Trust Model

Three trust tiers: Hard (operator IPs — fully bypass detection, hot-reloaded via JSON), Soft (Cloudflare, Google, Bing CIDRs — logged but never banned), and None (everything else). Localhost and RFC1918 ranges are hard-protected in the binary itself.

Hard · Soft · None · hot-reload
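The tier lookup described above, as an added Rust example that is not the product's code: loopback and RFC1918 are hard-coded as Hard ahead of any configured list, then operator (Hard) and CDN/search-engine (Soft) CIDR lists are consulted in that order, and anything else is None. The CIDR lists here are constructed documentation ranges standing in for real operator and Cloudflare/Google/Bing blocks, and rebuilding the model from fresh lists is how the example stands in for a hot reload.

```rust
use std::net::Ipv4Addr;

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Tier {
    Hard, // bypasses detection entirely
    Soft, // logged but never banned
    None, // full detection and enforcement
}

/// Minimal IPv4 CIDR block.
#[derive(Clone, Copy, Debug)]
pub struct Cidr {
    net: Ipv4Addr,
    prefix: u8,
}

impl Cidr {
    pub fn parse(s: &str) -> Option<Cidr> {
        let (ip, p) = s.split_once('/')?;
        let prefix: u8 = p.parse().ok()?;
        if prefix > 32 {
            return None;
        }
        Some(Cidr { net: ip.parse().ok()?, prefix })
    }

    pub fn contains(&self, ip: Ipv4Addr) -> bool {
        if self.prefix == 0 {
            return true;
        }
        let mask = u32::MAX << (32 - self.prefix as u32);
        (u32::from(self.net) & mask) == (u32::from(ip) & mask)
    }
}

pub struct TrustModel {
    hard: Vec<Cidr>,
    soft: Vec<Cidr>,
}

impl TrustModel {
    /// Build (or rebuild, on reload) the model from CIDR strings; bad entries are skipped.
    pub fn from_lists(hard: &[&str], soft: &[&str]) -> TrustModel {
        TrustModel {
            hard: hard.iter().filter_map(|s| Cidr::parse(s)).collect(),
            soft: soft.iter().filter_map(|s| Cidr::parse(s)).collect(),
        }
    }

    /// Localhost and RFC1918 are protected regardless of configuration.
    fn builtin_hard(ip: Ipv4Addr) -> bool {
        ip.is_loopback() || ip.is_private()
    }

    pub fn classify(&self, ip: Ipv4Addr) -> Tier {
        if Self::builtin_hard(ip) || self.hard.iter().any(|c| c.contains(ip)) {
            return Tier::Hard;
        }
        if self.soft.iter().any(|c| c.contains(ip)) {
            return Tier::Soft;
        }
        Tier::None
    }
}

/// Constructed lists: 198.51.100.0/24 plays the operator range, 203.0.113.0/24 a CDN range.
pub fn demo_model() -> TrustModel {
    TrustModel::from_lists(&["198.51.100.0/24", "not-a-cidr"], &["203.0.113.0/24"])
}

pub fn classify_str(m: &TrustModel, ip: &str) -> Tier {
    m.classify(ip.parse().expect("valid IPv4 literal"))
}

fn main() {
    let m = demo_model();
    for ip in ["127.0.0.1", "10.1.2.3", "198.51.100.5", "203.0.113.77", "192.0.2.1"] {
        println!("{:<14} -> {:?}", ip, classify_str(&m, ip));
    }
}
```

Hard is checked before Soft so an operator address that also falls inside a CDN range keeps its bypass; the built-in check runs first so an empty or broken reload can never expose localhost or private ranges to enforcement.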

SOC Dashboard

Built-in PHP SOC interface provides live event streaming, ML score visualization, shadow hit tracking, ground-truth labeling for model retraining, and automated daily reports with ATT&CK technique mapping, ASN intelligence, and enforcement evidence export.

Live · ATT&CK · JSON export

7-Stage Enforcement State Machine

IPs progress through Observe → ScoreAmplify → RateLimit → Challenge → TempBan → XdpDrop → SubnetEscalate. Stages 0–2 are informational. Stages 3–6 enforce. IPs automatically cool down to Observe after 1 hour of inactivity.

Graduated · 1h cooldown

GeoIP & ASN Enrichment

Every event is enriched offline with MaxMind GeoLite2 ASN and country data — no external API call, no latency added. Absent databases fail gracefully; enrichment is never on the enforcement path. ASN hostile-density tracking surfaces coordinated campaigns by network.

MaxMind GeoLite2 · fail-open

Technology Stack

Rust 2021 edition
Tokio async runtime
Aya / eBPF (XDP)
DashMap (lock-free)
Regex 1.11 (compiled once)
TensorFlow 2.15 (optional)
MaxMind GeoLite2
nginx
Apache httpd
ipset + iptables
conntrack-tools
systemd templates
SELinux enforcing
RHEL 10.1

Live Detection Stream

  tail -f /var/log/davco/detections.log
2026-05-13T18:15:17Z DETECT ip=185.220.101.47  stage=BLKLST    reason=blocklist_regex    path="/etc/passwd"              score=0.00 action=BAN
2026-05-13T18:15:21Z DETECT ip=45.33.32.156   stage=ADM_PRB   reason=admin_probe         path="/phpmyadmin/index.php"    score=0.00 action=LOG
2026-05-13T18:15:25Z DETECT ip=91.108.4.200   stage=ML_SCORE  reason=ml_suspicious      path="/wp-login.php?a=b"        score=0.94 action=BAN
2026-05-13T18:15:28Z ALLOW  ip=66.249.66.1    stage=BOT_VRF   reason=verified_googlebot  path="/sitemap.xml"            score=0.00 action=PASS
2026-05-13T18:15:31Z DETECT ip=193.32.161.8   stage=BAD_UA    reason=bad_user_agent     ua="sqlmap/1.7"                score=0.00 action=BAN
2026-05-13T18:15:34Z DETECT ip=198.199.88.12  stage=ML_SCORE  reason=ml_shadow_threshold path="/api/v1/users"            score=0.71 action=BAN
2026-05-13T18:15:38Z BURST  ip=103.167.112.33 stage=BURST     reason=burst_diversity     req=12 paths=8 window=2s       action=BAN

SOC Dashboard — Live View

[Screenshot: DAG NGWAF IDS nginx-edge SOC dashboard showing live event stream, ML scores, shadow tracking, burst detection, and ground-truth labeling]
Real-time detection stream — ML scores, shadow hits, burst escalation, campaign tagging, and enforcement stage per IP. Built-in ground-truth labeling feeds the retraining pipeline directly.

Contact

Get in touch

Interested in deploying DAG NGWAF IDS on your infrastructure, or have questions about integration, licensing, or custom deployment? Send a message and we'll get back to you.
