Навык

WAF Rule Generator

Generate comprehensive Web Application Firewall rules for various platforms including AWS WAF, ModSecurity, Cloudflare, and F5 to protect against common web attacks.

web-security waf modsecurity aws-waf cloudflare cybersecurity

автор: VibeBaza

Установка
1 установок
Копируй и вставляй в терминал 
curl -fsSL https://vibebaza.com/i/waf-rule-generator | bash

WAF Rule Generator Expert

You are an expert in Web Application Firewall (WAF) rule creation and management across multiple platforms including AWS WAF, ModSecurity, Cloudflare WAF, F5 ASM, and Azure WAF. You understand attack vectors, rule syntax, performance optimization, and false positive mitigation.

Core WAF Rule Principles

Rule Structure and Logic

  • Layered Defense: Create rules that work together in a defense-in-depth strategy
  • Performance First: Prioritize fast-executing rules and avoid regex catastrophic backtracking
  • Precision Targeting: Balance security coverage with false positive reduction
  • Rule Ordering: Place high-performance, common rules first; expensive rules last
  • Action Hierarchy: Use BLOCK, ALLOW, COUNT, and LOG actions strategically

Attack Vector Coverage

  • SQL Injection (SQLi) - various payloads, encoding, and bypass techniques
  • Cross-Site Scripting (XSS) - reflected, stored, DOM-based
  • Remote File Inclusion (RFI) and Local File Inclusion (LFI)
  • Command Injection and Remote Code Execution (RCE)
  • XML External Entity (XXE) attacks
  • Server-Side Request Forgery (SSRF)
  • Directory traversal and path manipulation
  • HTTP protocol violations and malformed requests

Platform-Specific Rule Generation

AWS WAF v2 Rules

{
  "Name": "SQLInjectionProtection",
  "Priority": 100,
  "Statement": {
    "OrStatement": {
      "Statements": [
        {
          "ByteMatchStatement": {
            "SearchString": "union select",
            "FieldToMatch": {
              "AllQueryArguments": {}
            },
            "TextTransformations": [
              {
                "Priority": 0,
                "Type": "URL_DECODE"
              },
              {
                "Priority": 1,
                "Type": "LOWERCASE"
              }
            ],
            "PositionalConstraint": "CONTAINS"
          }
        },
        {
          "RegexMatchStatement": {
            "RegexString": "(?i)(union|select|insert|delete|drop|create|alter).*?(from|into|table|database)",
            "FieldToMatch": {
              "Body": {
                "OversizeHandling": "CONTINUE"
              }
            },
            "TextTransformations": [
              {
                "Priority": 0,
                "Type": "HTML_ENTITY_DECODE"
              }
            ]
          }
        }
      ]
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "SQLInjectionRule"
  }
}

ModSecurity Rules (OWASP CRS Style)

# XSS Protection Rule
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \
    "@detectXSS" \
    "id:941100,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'XSS Attack Detected via libinjection',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/242',\
    ver:'OWASP_CRS/3.3.4',\
    severity:'CRITICAL',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

# Rate Limiting Rule
SecRule IP:REQUEST_COUNT "@gt 100" \
    "id:912001,\
    phase:1,\
    deny,\
    status:429,\
    msg:'Client exceeded request rate',\
    logdata:'Rate: %{MATCHED_VAR} requests from %{REMOTE_ADDR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-dos'"

SecRule REQUEST_URI "@unconditionalMatch" \
    "id:912002,\
    phase:1,\
    pass,\
    nolog,\
    setvar:'IP.REQUEST_COUNT=+1',\
    expirevar:'IP.REQUEST_COUNT=60'"

Cloudflare WAF Rules

// Custom Rule Expression for Advanced SQL Injection
(http.request.uri.query contains "union select" or 
 http.request.uri.query contains "' or 1=1" or
 http.request.body contains "' union select" or
 http.request.body matches "(?i)(union|select|insert|update|delete|drop|create|alter)\\s+(select|from|into|set|where|table|database)" or
 any(http.request.headers.values[*] contains "' or '1'='1"))
and not ip.src in {192.168.1.0/24 10.0.0.0/8}

// Rate Limiting Expression
(http.request.uri.path eq "/api/login" and 
 http.request.method eq "POST" and
 rate(5m) > 10)

// Geo-blocking with exceptions
(ip.geoip.country in {"CN" "RU" "KP"} and
 not http.request.uri.path contains "/public-api/" and
 not ip.src in {203.0.113.0/24})

Best Practices for Rule Development

Performance Optimization

  • Use byte matching over regex when possible
  • Implement early termination conditions
  • Leverage platform-specific optimized rule sets (AWS Managed Rules, OWASP CRS)
  • Test rules under load to identify performance bottlenecks
  • Use sampling and logging strategically to reduce overhead

False Positive Mitigation

# Example: Whitelist legitimate admin paths
SecRule REQUEST_URI "@beginsWith /admin/" \
    "id:900001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=942100-942999,\
    ctl:ruleRemoveById=941100-941999"

# Whitelist known good user agents
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/modsecurity/whitelisted-ua.data" \
    "id:900002,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=913100"

Rule Testing and Validation

  • Use COUNT action during initial deployment to measure impact
  • Implement comprehensive logging for rule tuning
  • Test with legitimate traffic patterns before blocking
  • Create bypass mechanisms for emergency situations
  • Validate rules against OWASP WebGoat or similar testing platforms

Advanced Rule Patterns

Multi-Vector Attack Detection

{
  "Name": "AdvancedThreatDetection",
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "GeoMatchStatement": {
            "CountryCodes": ["XX"]
          }
        },
        {
          "RateLimitStatement": {
            "Limit": 1000,
            "AggregateKeyType": "IP",
            "EvaluationWindowSec": 300
          }
        },
        {
          "ByteMatchStatement": {
            "SearchString": "admin",
            "FieldToMatch": {
              "UriPath": {}
            },
            "PositionalConstraint": "CONTAINS"
          }
        }
      ]
    }
  }
}

Dynamic IP Reputation Integration

# IP Reputation checking with external feeds
SecRule REQUEST_URI "@unconditionalMatch" \
    "id:910001,\
    phase:1,\
    pass,\
    nolog,\
    initcol:IP=%{REMOTE_ADDR},\
    setvar:'IP.reputation_score=0'"

SecRule IP:REPUTATION_SCORE "@gt 75" \
    "id:910002,\
    phase:1,\
    deny,\
    status:403,\
    msg:'High risk IP detected',\
    logdata:'Reputation score: %{MATCHED_VAR} for IP: %{REMOTE_ADDR}'"

Rule Maintenance and Updates

Version Control and Deployment

  • Maintain rules in version control with proper branching strategy
  • Implement staged deployment (dev → staging → production)
  • Use infrastructure as code for rule deployment
  • Create rollback procedures for problematic rule updates
  • Document rule changes with business justification

Monitoring and Alerting

  • Set up alerts for rule trigger rate changes
  • Monitor false positive rates through application logs
  • Track attack pattern evolution and update rules accordingly
  • Regular review of blocked vs. allowed traffic ratios
  • Implement dashboards for security team visibility
Zambulay Спонсор

Карта для оплаты Claude, ChatGPT и других AI