WAF Phase

The Web Application Firewall (WAF) phase analyses requests for potential security threats.

Available Actions

• waf.block: Blocks the request if it matches WAF rules.
• waf.log: Logs the request details without blocking.

Fields

The WAF phase provides access to the following fields:

• Standard Request Fields
• GeoIP Fields
• User Agent Fields
• Bot Fields
• Fingerprint ML Fields

Example

The filter matches requests with a URI path that starts with "/admin/":

starts_with(http.request.uri.path, "/admin/")

The configuration blocks requests to the admin area that trigger WAF rules:

waf.block:
  reason: "Unauthorised access attempt to admin area"

For more information on the waf.block action, refer to the Modsecurity section in the vconf documentation.

Use Cases

1. Block SQL injection attempts
2. Prevent cross-site scripting (XSS) attacks
3. Protect against remote file inclusion (RFI) vulnerabilities
4. Log suspicious requests for further analysis