WAF

WAF Phase#

The Web Application Firewall (WAF) phase analyses requests for potential security threats.

Available Actions#

• waf.block: Blocks the request if it matches WAF rules.
• waf.log: Logs the request details without blocking.

Fields#

The WAF phase provides access to the following fields:

• Standard Request Fields
• GeoIP Fields
• User Agent Fields
• Bot Fields
• Fingerprint ML Fields

Example#

The filter matches requests with a URI path that starts with "/admin/":

starts_with(http.request.uri.path, "/admin/")

The configuration blocks requests to the admin area that trigger WAF rules:

waf.block:
  reason: "Unauthorised access attempt to admin area"

For more information on the waf.block action, refer to the Modsecurity section in the vconf documentation.

Use Cases#

1. Block SQL injection attempts
2. Prevent cross-site scripting (XSS) attacks
3. Protect against remote file inclusion (RFI) vulnerabilities
4. Log suspicious requests for further analysis