TsgcWebSocketFirewall › Events › OnViolation
Fires when the firewall detects a specific security violation.
property OnViolation: TsgcFirewallOnViolation;
// TsgcFirewallOnViolation = procedure(Sender: TObject; const aIP: string; const aViolationType: TsgcFirewallViolationType; const aDetails: string) of object
—
OnViolation is raised whenever a protection module (blacklist/whitelist, brute force, rate limit, flood, SQL injection, XSS, path traversal, command injection, GeoIP, payload size, origin, frame size, threat score or custom rule) detects a matching pattern or rule breach. aIP is the offending client IP, aViolationType identifies which module triggered (TsgcFirewallViolationType: fvBlacklist, fvWhitelist, fvBruteForce, fvRateLimit, fvFlood, fvSQLInjection, fvXSS, fvGeoIP, fvPathTraversal, fvCommandInjection, fvPayloadSize, fvOrigin, fvFrameSize, fvThreatScore, fvCustomRule), and aDetails is a short descriptive message. A violation typically precedes an OnFiltered event for the same request and increases the IP’s threat score when ThreatScore is enabled. Use this event to feed SIEM/log pipelines; because aDetails may echo request content, neutralize line breaks and other control characters before writing it to a line-oriented log. The handler runs in the server I/O thread; do not perform long-running work inside it.
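// OnViolation handler: formats one line per firewall violation and appends it
// to Memo1.
//   aIP            - client IP reported by the firewall.
//   aViolationType - protection module that raised the violation.
//   aDetails       - short descriptive message supplied by the firewall.
procedure TForm1.sgcWebSocketFirewall1Violation(Sender: TObject;
  const aIP: string; const aViolationType: TsgcFirewallViolationType;
  const aDetails: string);
var
  vKind: string;
  vDetails: string;
  vLine: string;
begin
  // Every documented TsgcFirewallViolationType value gets its own label so
  // that whitelist, origin and frame-size violations are not logged as 'Other'.
  case aViolationType of
    fvBlacklist: vKind := 'Blacklist';
    fvWhitelist: vKind := 'Whitelist';
    fvBruteForce: vKind := 'BruteForce';
    fvRateLimit: vKind := 'RateLimit';
    fvFlood: vKind := 'Flood';
    fvSQLInjection: vKind := 'SQLInjection';
    fvXSS: vKind := 'XSS';
    fvGeoIP: vKind := 'GeoIP';
    fvPathTraversal: vKind := 'PathTraversal';
    fvCommandInjection: vKind := 'CommandInjection';
    fvPayloadSize: vKind := 'PayloadSize';
    fvOrigin: vKind := 'Origin';
    fvFrameSize: vKind := 'FrameSize';
    fvThreatScore: vKind := 'ThreatScore';
    fvCustomRule: vKind := 'CustomRule';
  else
    // Fallback for values added to the enum later.
    vKind := 'Other';
  end;

  // aDetails may echo request content (TODO confirm against the component);
  // flatten CR/LF so one violation always yields exactly one log line and
  // cannot forge additional entries.
  vDetails := StringReplace(aDetails, #13, ' ', [rfReplaceAll]);
  vDetails := StringReplace(vDetails, #10, ' ', [rfReplaceAll]);

  vLine := Format('[%s] %s — %s', [aIP, vKind, vDetails]);

  // The event is documented as running in the server I/O thread, and VCL
  // controls must only be touched from the main thread. Queue the UI update
  // instead of calling Memo1 directly; Queue does not block the I/O thread.
  // NOTE(review): stop the server before the form is destroyed so that no
  // queued call outlives Memo1.
  TThread.Queue(nil,
    procedure
    begin
      Memo1.Lines.Add(vLine);
    end);
end;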