multitenant ModSecurity compatible WAF engine from Verizon Digital Media Services
docs
ext
include/waflz adding rendering code for event id and status code (#39) Jan 15, 2019
proto adding top level anomaly threshold setting, removing xss, sqli scores… Jan 15, 2019
sample/profile
src
sub
tests
util
.gitmodules
CMakeLists.txt
Dockerfile Embedding libmaxminddb source. Jul 11, 2018
LICENSE.txt
NOTICE.txt
README.md
TODO First commit. Jun 7, 2018
Vagrantfile Update apt before installing stuff. Aug 3, 2018
build.sh
requirements.txt


waflz

A multitenant ModSecurity compatible WAF engine. Docs

Overview

An implementation of a WAF engine in C/C++ that supports a subset of ModSecurity rule functionality and is configurable with either JSON or ModSecurity rules. waflz is optimized for running many WAF profiles side by side, by using faster/smaller internal data types and sharing common ruleset data between the profiles, i.e. if multiple WAF profiles refer to the same ruleset(s), the ruleset(s) are loaded only once and shared in memory.

Rationale

The VDMS global edge platform is a multitenant CDN supporting hundreds of thousands of individual customer configurations from any given location. The VDMS WAF supports running the OWASP Core Rulesets as well as some third-party rulesets. The performance and resource allocation of any given customer configuration has the potential to impact others, i.e. eventually all configurations live in memory on a physical server in a "Point of Presence" (POP) in a datacenter. It was therefore important to the VDMS CDN that the WAF be as performant, memory constrained, and deterministic as possible.

Capabilities

The open source standard implementation of the ModSecurity rules engine, while excellent and extremely flexible for individual use cases, could be problematic in a CDN, where performance is the product. Several ModSecurity capabilities, e.g. SecRemoteRules and inspectFile, were intentionally omitted due to potential performance impacts in a multitenant environment. The currently supported variables, operators and transforms are listed in the capabilities section of the docs.

Build requirements (Ubuntu 14.04/16.04)

Packages

```sh
$ sudo apt-get install -y libssl-dev libpcre3-dev libxml2-dev libicu-dev protobuf-compiler libprotobuf-dev python-pip
```

Python Packages

```sh
$ pip install -r requirements.txt
```

Build steps

```sh
$ ./build.sh
```

Running standalone waflz_server for testing WAF rules

```sh
$ cat rule.conf
SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

$ ./build/util/waflz_server/waflz_server --conf-file=rule.conf
```

Sending a test request to waflz_server with curl

```sh
$ curl -s "http://localhost:12345/index.html" -H"Host:" | jq '.'
{
  "req_info": {
    "epoch_time": {
      "sec": 1527623134,
      "nsec": 2909744297
    },
    "virt_remote_host": "MC4wLjAuMA==",
    "request_method": "R0VU",
    "orig_url": "L2luZGV4Lmh0bWw=",
    "url": "L2luZGV4Lmh0bWw=",
    "common_header": {
      "user_agent": "Y3VybC83LjQ3LjA="
    },
    "req_uuid": "YWFiYmNjZGRlZWZm"
  },
  "rule_id": 981176,
  "rule_msg": "Inbound Anomaly Score Exceeded (Total Score: 3, SQLi=0, XSS=0): Last Matched Message: Request Missing a Host Header",
  "rule_target": [
    {
      "name": "TX",
      "param": "ANOMALY_SCORE"
    }
  ],
  "rule_op_name": "gt",
  "rule_op_param": "0",
  "rule_tag": [
    "OWASP_CRS/ANOMALY/EXCEEDED"
  ],
  "matched_var": {
    "name": "REQUEST_HEADERS",
    "value": "MA=="
  },
  "total_anomaly_score": 3,
  "total_sql_injection_score": 0,
  "total_xss_score": 0,
  "sub_event": [
    {
      "rule_id": 960008,
      "rule_msg": "Request Missing a Host Header",
      "rule_intercept_status": 403,
      "rule_target": [
        {
          "name": "REQUEST_HEADERS",
          "param": "Host",
          "is_counting": true
        }
      ],
      "rule_op_name": "EQ",
      "rule_op_param": "0",
      "rule_tag": [
        "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST",
        "WASCTC/WASC-21",
        "OWASP_TOP_10/A7",
        "PCI/6.5.10"
      ],
      "matched_var": {
        "name": "REQUEST_HEADERS",
        "value": "MA=="
      },
      "total_anomaly_score": 3,
      "total_sql_injection_score": 0,
      "total_xss_score": 0,
      "waf_profile_id": "NA",
      "waf_profile_name": "NA"
    }
  ],
  "waf_profile_id": "NA",
  "waf_profile_name": "NA"
}
```
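The event above is what a detection pipeline would ingest from waflz_server. Its `req_info` string fields and `matched_var.value` are base64 encoded in the sample (for instance `R0VU` decodes to `GET` and `MA==` to `0`), and the top-level `rule_id` 981176 is the anomaly-threshold check (`TX:ANOMALY_SCORE` with operator `gt`, parameter `0`), while `sub_event` lists the individual rules that contributed to the score. The following script is an added example, not code from the waflz project: it parses the event, decodes those fields, re-evaluates the threshold comparison the event reports, and flattens the result into one log line. The event shape is taken from the sample output; the base64 encoding of those fields is inferred from that sample rather than documented on this page.

```python
"""Summarise a waflz_server JSON event for log/SIEM consumption.

Added example, not part of the waflz project. Only the event shape shown in
the README sample above is assumed; the base64 decoding of the req_info
string fields and matched_var.value is inferred from that sample.
"""
import base64
import json

# Constructed: a trimmed copy of the event printed by the curl command above.
SAMPLE_EVENT = json.dumps({
    "req_info": {
        "epoch_time": {"sec": 1527623134, "nsec": 2909744297},
        "virt_remote_host": "MC4wLjAuMA==",
        "request_method": "R0VU",
        "orig_url": "L2luZGV4Lmh0bWw=",
        "url": "L2luZGV4Lmh0bWw=",
        "common_header": {"user_agent": "Y3VybC83LjQ3LjA="},
        "req_uuid": "YWFiYmNjZGRlZWZm",
    },
    "rule_id": 981176,
    "rule_msg": "Inbound Anomaly Score Exceeded (Total Score: 3, SQLi=0, XSS=0): "
                "Last Matched Message: Request Missing a Host Header",
    "rule_op_name": "gt",
    "rule_op_param": "0",
    "matched_var": {"name": "REQUEST_HEADERS", "value": "MA=="},
    "total_anomaly_score": 3,
    "total_sql_injection_score": 0,
    "total_xss_score": 0,
    "sub_event": [{
        "rule_id": 960008,
        "rule_msg": "Request Missing a Host Header",
        "rule_intercept_status": 403,
        "rule_tag": ["OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST",
                     "WASCTC/WASC-21", "OWASP_TOP_10/A7", "PCI/6.5.10"],
        "matched_var": {"name": "REQUEST_HEADERS", "value": "MA=="},
    }],
    "waf_profile_id": "NA",
    "waf_profile_name": "NA",
})

# req_info fields that are base64 encoded in the sample event
B64_FIELDS = ("virt_remote_host", "request_method", "orig_url", "url", "req_uuid")

# Comparison operators as they appear (lower-cased) in the top-level event
OPS = {"gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
       "eq": lambda a, b: a == b, "lt": lambda a, b: a < b, "le": lambda a, b: a <= b}


def _b64(value):
    """Decode a base64 field; fall back to the raw value if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return value


def summarize_event(raw):
    """Parse one waflz event and return a flat dict with decoded fields."""
    ev = json.loads(raw)
    info = ev.get("req_info", {})
    out = {name: _b64(info[name]) for name in B64_FIELDS if name in info}
    out["user_agent"] = _b64(info.get("common_header", {}).get("user_agent", ""))
    out["timestamp"] = info.get("epoch_time", {}).get("sec")
    out["total_anomaly_score"] = ev.get("total_anomaly_score", 0)
    out["profile"] = ev.get("waf_profile_name", "NA")

    # Re-evaluate the threshold rule the event reports (e.g. TX:ANOMALY_SCORE gt 0).
    op = OPS.get(str(ev.get("rule_op_name", "")).lower())
    try:
        param = int(ev.get("rule_op_param", ""))
    except ValueError:
        param = None
    out["score_exceeded"] = bool(op and param is not None
                                 and op(out["total_anomaly_score"], param))

    # One entry per contributing rule so a SOC query can pivot on rule id or tag.
    out["matched_rules"] = [{
        "rule_id": se.get("rule_id"),
        "msg": se.get("rule_msg", ""),
        "status": se.get("rule_intercept_status"),
        "tags": list(se.get("rule_tag", [])),
        "matched_var": se.get("matched_var", {}).get("name", ""),
        "matched_value": _b64(se.get("matched_var", {}).get("value", "")),
    } for se in ev.get("sub_event", [])]
    return out


def format_log_line(summary):
    """Render the summary as a single key=value line for a log shipper."""
    rules = ";".join(str(r["rule_id"]) for r in summary["matched_rules"])
    return (f'ts={summary["timestamp"]} src={summary["virt_remote_host"]} '
            f'method={summary["request_method"]} url={summary["url"]} '
            f'score={summary["total_anomaly_score"]} exceeded={summary["score_exceeded"]} '
            f'rules={rules} profile={summary["profile"]}')


if __name__ == "__main__":
    print(format_log_line(summarize_event(SAMPLE_EVENT)))
```

The threshold comparison is re-derived from `rule_op_name`/`rule_op_param` rather than hard-coded to `gt 0`, so the same parser keeps working when the top-level anomaly threshold setting in the profile is raised. Base64 decoding is attempted with strict validation and falls back to the raw string, so placeholder values such as `"NA"` pass through unchanged.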