
Releases: spartantri/wafme

WAFme v0.9

03 Apr 17:19
6e282a1

ModSecurity rule editor and log analysis

The WAFme component is intended for tailing live audit logs and generating the rules and exceptions needed to stop ModSecurity from blocking normal website/webapp usage.

  • /!\ This assumes that the log is free of attacks and malicious payloads.

Tuning the CRS usually requires:

  • R1) identify the element triggering the rules
  • R2) check that the payload in that element is normal, not malicious
  • R3) evaluate the scope in which that element is present
  • R4) whitelist that element for the specific rule id within the smallest possible scope
  • R5) update the ruleset to add the exceptions
  • R6) add rules to check that the whitelisted element contains the expected values
  • R7) reload the configuration

Some of the different scopes can be defined as:

  • A1) Match of URI + element + payload type validation (regex, type, length, values)
  • A2) Match URI + element
  • A3) Match element for all URI + payload type validation (regex, type, length, values)
  • A4) Match element for all URI
  • A5) Match URI
  • A6) VHost
  • A7) Server
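The steps R1 to R6 and the scopes A1, A2 and A4 above, carried through as an added Python example (this is illustration code, not the WAFme project's own implementation). The audit log is a constructed ModSecurity 2.x serial log in which ordinary names with an apostrophe trip CRS rule 942100 (libinjection SQLi); the exclusion rule ids 10000 and up, the URIs and the validation regex are assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of a ModSecurity 2.x serial audit log (three transactions).
# Section A is the header, B the request line/headers, H the engine messages.
SAMPLE_AUDIT_LOG = """\
--a1b2c3d4-A--
[03/Apr/2024:17:19:01 +0000] aBcDeFgHiJkLmNoPqRsT 10.0.0.5 51234 10.0.0.1 80
--a1b2c3d4-B--
POST /login?next=%2Faccount HTTP/1.1
Host: www.example.com
--a1b2c3d4-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:username: o'brien"] [severity "CRITICAL"]
--a1b2c3d4-Z--

--e5f6a7b8-A--
[03/Apr/2024:17:19:05 +0000] uVwXyZaBcDeFgHiJkLmN 10.0.0.6 51240 10.0.0.1 80
--e5f6a7b8-B--
POST /register HTTP/1.1
Host: www.example.com
--e5f6a7b8-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:username: d'angelo"] [severity "CRITICAL"]
--e5f6a7b8-Z--

--c9d0e1f2-A--
[03/Apr/2024:17:19:09 +0000] oPqRsTuVwXyZaBcDeFgH 10.0.0.7 51250 10.0.0.1 80
--c9d0e1f2-B--
GET /search?q=o%27neill HTTP/1.1
Host: www.example.com
--c9d0e1f2-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:q: o'neill"] [severity "CRITICAL"]
--c9d0e1f2-Z--
"""

SECTION_RE = re.compile(r'^--([0-9a-f]+)-([A-Z])--$')
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
# CRS names the matched variable in the data field: "... found within ARGS:username: ..."
TARGET_RE = re.compile(r'found within ([A-Z_]+(?::[^:\s]+)?):')


def parse_audit_log(text):
    """R1: return one (uri, crs_rule_id, variable) hit per Message line in section H."""
    hits, uri, section = [], None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(2)
            if section == 'A':          # new transaction starts
                uri = None
            continue
        if section == 'B' and uri is None and line:
            # first line of section B is "METHOD URI VERSION"; drop the query string
            parts = line.split(' ')
            if len(parts) >= 2:
                uri = parts[1].split('?', 1)[0]
        elif section == 'H' and line.startswith('Message:'):
            rid, tgt = RULE_ID_RE.search(line), TARGET_RE.search(line)
            if rid and tgt:
                hits.append((uri, rid.group(1), tgt.group(1)))
    return hits


def recommend_scope(hits):
    """R3: heuristic. A (rule, variable) pair seen on a single URI gets a URI-bound
    exclusion (A2); a pair seen on several URIs is a candidate for a global target
    exclusion (A4). R2 (checking that the payloads are benign) stays a human step."""
    uris_by_pair = defaultdict(set)
    for uri, rid, var in hits:
        uris_by_pair[(rid, var)].add(uri)
    return {pair: ('A4' if len(uris) > 1 else 'A2') for pair, uris in uris_by_pair.items()}


def exclusion_rule(scope, uri, crs_rule_id, variable, new_id, validation_regex=None):
    """R4/R6: emit the ModSecurity directives for one scope (A1, A2 or A4)."""
    if scope == 'A4':
        # global: remove the variable from the CRS rule's targets on every URI
        return f'SecRuleUpdateTargetById {crs_rule_id} "!{variable}"'
    if scope == 'A2':
        return (f'SecRule REQUEST_URI "@beginsWith {uri}" '
                f'"id:{new_id},phase:1,pass,nolog,ctl:ruleRemoveTargetById={crs_rule_id};{variable}"')
    if scope == 'A1':
        # A2 exclusion plus a chained positive-validation rule (R6) that blocks
        # the whitelisted element when its payload does not match the expected shape
        check = (f'SecRule REQUEST_URI "@beginsWith {uri}" "id:{new_id + 1},phase:2,chain,'
                 f'deny,status:403,log,msg:\'{variable} failed validation on {uri}\'"\n'
                 f'    SecRule {variable} "!@rx {validation_regex}"')
        return exclusion_rule('A2', uri, crs_rule_id, variable, new_id) + '\n' + check
    raise ValueError(f'unsupported scope {scope}')


def generate_config(hits, base_id=10000):
    """R5: one directive group per (rule, variable) pair, using the recommended scope."""
    rules, next_id = [], base_id
    first_uri = {}
    for uri, rid, var in hits:
        first_uri.setdefault((rid, var), uri)
    for pair, scope in recommend_scope(hits).items():
        rules.append(exclusion_rule(scope, first_uri[pair], pair[0], pair[1], next_id))
        next_id += 10
    return rules


if __name__ == '__main__':
    found = parse_audit_log(SAMPLE_AUDIT_LOG)
    for hit, n in Counter(found).items():
        print(f'{n}x {hit}')
    print('\n'.join(generate_config(found)))
```

The `SecRule ... ctl:ruleRemoveTargetById` form (A2) must be loaded before the CRS rules, which is what the CRS file REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf is for, while `SecRuleUpdateTargetById` (A4) refers to an already loaded rule and belongs after them, in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf. The validation regex passed for scope A1 is deliberately an argument rather than a default: R6 only helps if it encodes what the application actually expects in that element.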