feat: first implementation of honeypot logic

data/botPolicies.yaml

@@ -95,49 +95,49 @@ bots:
   #   weight:
   #     adjust: -10
 
-  # Assert behaviour that only genuine browsers display. This ensures that Chrome
-  # or Firefox versions
-  - name: realistic-browser-catchall
-    expression:
-      all:
-        - '"User-Agent" in headers'
-        - '( userAgent.contains("Firefox") ) || ( userAgent.contains("Chrome") ) || ( userAgent.contains("Safari") )'
-        - '"Accept" in headers'
-        - '"Sec-Fetch-Dest" in headers'
-        - '"Sec-Fetch-Mode" in headers'
-        - '"Sec-Fetch-Site" in headers'
-        - '"Accept-Encoding" in headers'
-        - '( headers["Accept-Encoding"].contains("zstd") || headers["Accept-Encoding"].contains("br") )'
-        - '"Accept-Language" in headers'
-    action: WEIGH
-    weight:
-      adjust: -10
+  # # Assert behaviour that only genuine browsers display. This ensures that Chrome
+  # # or Firefox versions
+  # - name: realistic-browser-catchall
+  #   expression:
+  #     all:
+  #       - '"User-Agent" in headers'
+  #       - '( userAgent.contains("Firefox") ) || ( userAgent.contains("Chrome") ) || ( userAgent.contains("Safari") )'
+  #       - '"Accept" in headers'
+  #       - '"Sec-Fetch-Dest" in headers'
+  #       - '"Sec-Fetch-Mode" in headers'
+  #       - '"Sec-Fetch-Site" in headers'
+  #       - '"Accept-Encoding" in headers'
+  #       - '( headers["Accept-Encoding"].contains("zstd") || headers["Accept-Encoding"].contains("br") )'
+  #       - '"Accept-Language" in headers'
+  #   action: WEIGH
+  #   weight:
+  #     adjust: -10
 
-  # The Upgrade-Insecure-Requests header is typically sent by browsers, but not always
-  - name: upgrade-insecure-requests
-    expression: '"Upgrade-Insecure-Requests" in headers'
-    action: WEIGH
-    weight:
-      adjust: -2
+  # # The Upgrade-Insecure-Requests header is typically sent by browsers, but not always
+  # - name: upgrade-insecure-requests
+  #   expression: '"Upgrade-Insecure-Requests" in headers'
+  #   action: WEIGH
+  #   weight:
+  #     adjust: -2
 
-  # Chrome should behave like Chrome
-  - name: chrome-is-proper
-    expression:
-      all:
-        - userAgent.contains("Chrome")
-        - '"Sec-Ch-Ua" in headers'
-        - 'headers["Sec-Ch-Ua"].contains("Chromium")'
-        - '"Sec-Ch-Ua-Mobile" in headers'
-        - '"Sec-Ch-Ua-Platform" in headers'
-    action: WEIGH
-    weight:
-      adjust: -5
+  # # Chrome should behave like Chrome
+  # - name: chrome-is-proper
+  #   expression:
+  #     all:
+  #       - userAgent.contains("Chrome")
+  #       - '"Sec-Ch-Ua" in headers'
+  #       - 'headers["Sec-Ch-Ua"].contains("Chromium")'
+  #       - '"Sec-Ch-Ua-Mobile" in headers'
+  #       - '"Sec-Ch-Ua-Platform" in headers'
+  #   action: WEIGH
+  #   weight:
+  #     adjust: -5
 
-  - name: should-have-accept
-    expression: '!("Accept" in headers)'
-    action: WEIGH
-    weight:
-      adjust: 5
+  # - name: should-have-accept
+  #   expression: '!("Accept" in headers)'
+  #   action: WEIGH
+  #   weight:
+  #     adjust: 5
 
   # Generic catchall rule
   - name: generic-browser

go.mod

@@ -20,6 +20,7 @@ require (
 	github.com/joho/godotenv v1.5.1
 	github.com/lum8rjack/go-ja4h v0.0.0-20250828030157-fa5266d50650
 	github.com/nicksnyder/go-i18n/v2 v2.6.0
+	github.com/nikandfor/spintax v0.0.0-20181023094358-fc346b245bb3
 	github.com/playwright-community/playwright-go v0.5200.1
 	github.com/prometheus/client_golang v1.23.2
 	github.com/redis/go-redis/v9 v9.17.2

go.sum

@@ -320,6 +320,8 @@ github.com/natefinch/atomic v1.0.1 h1:ZPYKxkqQOx3KZ+RsbnP/YsgvxWQPGxjC0oBt2AhwV0
 github.com/natefinch/atomic v1.0.1/go.mod h1:N/D/ELrljoqDyT3rZrsUmtsuzvHkeB/wWjHV22AZRbM=
 github.com/nicksnyder/go-i18n/v2 v2.6.0 h1:C/m2NNWNiTB6SK4Ao8df5EWm3JETSTIGNXBpMJTxzxQ=
 github.com/nicksnyder/go-i18n/v2 v2.6.0/go.mod h1:88sRqr0C6OPyJn0/KRNaEz1uWorjxIKP7rUUcvycecE=
+github.com/nikandfor/spintax v0.0.0-20181023094358-fc346b245bb3 h1:foZ9X1bz2KmW7b8Yx5V0LAQKhTazdllv5rnGUe6iGTY=
+github.com/nikandfor/spintax v0.0.0-20181023094358-fc346b245bb3/go.mod h1:wwDYKfVF3WHdY0rugsAZoIpyQjDA3bn9wEzo/QXPx1Y=
 github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
 github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=

internal/clampip.go

@@ -0,0 +1,33 @@
+package internal
+
+import "net/netip"
+
+func ClampIP(addr netip.Addr) (netip.Prefix, bool) {
+	switch {
+	case addr.Is4():
+		result, err := addr.Prefix(24)
+		if err != nil {
+			return netip.Prefix{}, false
+		}
+		return result, true
+
+	case addr.Is4In6():
+		// Extract the IPv4 address from IPv4-mapped IPv6 and clamp it
+		ipv4 := addr.Unmap()
+		result, err := ipv4.Prefix(24)
+		if err != nil {
+			return netip.Prefix{}, false
+		}
+		return result, true
+
+	case addr.Is6():
+		result, err := addr.Prefix(48)
+		if err != nil {
+			return netip.Prefix{}, false
+		}
+		return result, true
+
+	default:
+		return netip.Prefix{}, false
+	}
+}