Advanced Web Application Firewall (WAF) Configuration: Enterprise Security Implementation Guide
Web Application Firewalls serve as critical defense mechanisms protecting web applications from sophisticated attacks including SQL injection, XSS, and DDoS attacks. This comprehensive guide provides enterprise-grade WAF implementations with advanced rule configurations, threat intelligence integration, and automated response capabilities.
Advanced Web Application Firewall Configuration
Section 1: Enterprise WAF Architecture
Modern WAF implementations require sophisticated rule engines, threat intelligence integration, and automated response mechanisms to protect against evolving attack vectors.
ModSecurity Advanced Configuration
# modsecurity-advanced.conf
# Advanced ModSecurity Configuration for Enterprise WAF
# Enable ModSecurity engine
SecRuleEngine On
# Request body handling
SecRequestBodyAccess On
SecRequestBodyLimit 134217728
SecRequestBodyNoFilesLimit 1048576
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
# Response body handling
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml application/json
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
# File uploads
SecTmpDir /tmp/
SecDataDir /opt/modsecurity/var/
SecUploadDir /opt/modsecurity/var/upload/
SecUploadKeepFiles RelevantOnly
SecUploadFileMode 0600
# Debug logging
SecDebugLog /var/log/modsecurity/debug.log
SecDebugLogLevel 0
# Audit logging
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABDEFHIJZ
SecAuditLogType Serial
SecAuditLog /var/log/modsecurity/audit.log
# Advanced rule configurations
SecRule REQUEST_HEADERS:User-Agent "@detectSQLi" \
"id:1001,\
phase:2,\
block,\
msg:'SQL Injection Attack in User-Agent',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
severity:CRITICAL,\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
ver:'1.0',\
maturity:8,\
accuracy:8,\
setvar:tx.sql_injection_score=+5,\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"
# XSS Protection
SecRule ARGS "@detectXSS" \
"id:1002,\
phase:2,\
block,\
msg:'Cross-site Scripting (XSS) Attack',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
severity:CRITICAL,\
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
setvar:tx.xss_score=+5,\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"
# Command Injection Protection
SecRule ARGS "@detectCmdExec" \
"id:1003,\
phase:2,\
block,\
msg:'System Command Injection Attack',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
severity:CRITICAL,\
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
setvar:tx.command_injection_score=+5,\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"
# Rate limiting
SecRule IP:REQUEST_COUNT "@gt 100" \
"id:1004,\
phase:1,\
deny,\
status:429,\
msg:'Rate limit exceeded',\
severity:WARNING,\
expirevar:IP.REQUEST_COUNT=60"
SecAction "id:1005,phase:1,nolog,pass,initcol:IP=%{REMOTE_ADDR},setvar:IP.REQUEST_COUNT=+1"
# Geolocation blocking
SecRule GEO:COUNTRY_CODE "@streq CN" \
"id:1006,\
phase:1,\
deny,\
status:403,\
msg:'Request from blocked country',\
severity:WARNING"
# Advanced threat intelligence integration
SecRule REQUEST_URI "@ipMatchFromFile /etc/modsecurity/threat-intel/malicious-ips.txt" \
"id:1007,\
phase:1,\
deny,\
status:403,\
msg:'Request from known malicious IP',\
severity:CRITICAL,\
tag:'THREAT_INTELLIGENCE'"
Custom WAF Rule Engine
// waf-engine.go
package main
import (
"context"
"encoding/json"
"fmt"
"net/http"
"regexp"
"strings"
"sync"
"time"
)
type WAFEngine struct {
rules map[string]WAFRule
threatIntel *ThreatIntelligence
rateLimiter *RateLimiter
analytics *WAFAnalytics
ruleUpdater *RuleUpdater
mutex sync.RWMutex
}
type WAFRule struct {
ID string `json:"id"`
Name string `json:"name"`
Description string `json:"description"`
Category string `json:"category"`
Severity string `json:"severity"`
Phase string `json:"phase"`
Conditions []RuleCondition `json:"conditions"`
Actions []RuleAction `json:"actions"`
Enabled bool `json:"enabled"`
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
}
type RuleCondition struct {
Variable string `json:"variable"`
Operator string `json:"operator"`
Value string `json:"value"`
Negated bool `json:"negated"`
Transform string `json:"transform"`
}
type RuleAction struct {
Type string `json:"type"`
Parameters map[string]interface{} `json:"parameters"`
}
type WAFRequest struct {
ID string `json:"id"`
Method string `json:"method"`
URI string `json:"uri"`
Headers map[string]string `json:"headers"`
Body string `json:"body"`
RemoteAddr string `json:"remote_addr"`
UserAgent string `json:"user_agent"`
Timestamp time.Time `json:"timestamp"`
Metadata map[string]interface{} `json:"metadata"`
}
type WAFResponse struct {
Allow bool `json:"allow"`
Block bool `json:"block"`
StatusCode int `json:"status_code"`
Message string `json:"message"`
RulesTriggered []string `json:"rules_triggered"`
Anomalies []Anomaly `json:"anomalies"`
ThreatScore int `json:"threat_score"`
Metadata map[string]interface{} `json:"metadata"`
}
func NewWAFEngine() *WAFEngine {
return &WAFEngine{
rules: make(map[string]WAFRule),
threatIntel: NewThreatIntelligence(),
rateLimiter: NewRateLimiter(),
analytics: NewWAFAnalytics(),
ruleUpdater: NewRuleUpdater(),
}
}
func (waf *WAFEngine) ProcessRequest(ctx context.Context, req *WAFRequest) (*WAFResponse, error) {
response := &WAFResponse{
Allow: true,
RulesTriggered: make([]string, 0),
Anomalies: make([]Anomaly, 0),
ThreatScore: 0,
Metadata: make(map[string]interface{}),
}
// Phase 1: Request headers analysis
phase1Result := waf.processPhase1(ctx, req)
waf.mergeResults(response, phase1Result)
if response.Block {
return response, nil
}
// Phase 2: Request body analysis
phase2Result := waf.processPhase2(ctx, req)
waf.mergeResults(response, phase2Result)
if response.Block {
return response, nil
}
// Threat intelligence check
threatResult := waf.threatIntel.CheckRequest(ctx, req)
waf.mergeResults(response, threatResult)
// Rate limiting check
rateLimitResult := waf.rateLimiter.CheckRequest(ctx, req)
waf.mergeResults(response, rateLimitResult)
// Calculate final threat score
response.ThreatScore = waf.calculateThreatScore(response)
// Apply final decision logic
waf.applyFinalDecision(response)
// Record analytics
waf.analytics.RecordRequest(req, response)
return response, nil
}
func (waf *WAFEngine) processPhase1(ctx context.Context, req *WAFRequest) *WAFResponse {
result := &WAFResponse{
Allow: true,
RulesTriggered: make([]string, 0),
Anomalies: make([]Anomaly, 0),
}
waf.mutex.RLock()
defer waf.mutex.RUnlock()
for _, rule := range waf.rules {
if !rule.Enabled || rule.Phase != "phase1" {
continue
}
if waf.evaluateRule(rule, req) {
result.RulesTriggered = append(result.RulesTriggered, rule.ID)
waf.executeRuleActions(rule, result)
}
}
return result
}
func (waf *WAFEngine) evaluateRule(rule WAFRule, req *WAFRequest) bool {
for _, condition := range rule.Conditions {
if !waf.evaluateCondition(condition, req) {
return false
}
}
return true
}
func (waf *WAFEngine) evaluateCondition(condition RuleCondition, req *WAFRequest) bool {
value := waf.extractVariable(condition.Variable, req)
if condition.Transform != "" {
value = waf.applyTransformation(condition.Transform, value)
}
match := waf.applyOperator(condition.Operator, value, condition.Value)
if condition.Negated {
return !match
}
return match
}
func (waf *WAFEngine) extractVariable(variable string, req *WAFRequest) string {
switch variable {
case "REQUEST_URI":
return req.URI
case "REQUEST_METHOD":
return req.Method
case "REQUEST_HEADERS:User-Agent":
return req.UserAgent
case "REQUEST_BODY":
return req.Body
case "REMOTE_ADDR":
return req.RemoteAddr
default:
if strings.HasPrefix(variable, "REQUEST_HEADERS:") {
headerName := strings.TrimPrefix(variable, "REQUEST_HEADERS:")
return req.Headers[headerName]
}
return ""
}
}
func (waf *WAFEngine) applyOperator(operator, value, pattern string) bool {
switch operator {
case "@rx":
matched, _ := regexp.MatchString(pattern, value)
return matched
case "@contains":
return strings.Contains(strings.ToLower(value), strings.ToLower(pattern))
case "@detectSQLi":
return waf.detectSQLInjection(value)
case "@detectXSS":
return waf.detectXSS(value)
case "@detectCmdExec":
return waf.detectCommandInjection(value)
case "@eq":
return value == pattern
case "@gt":
return len(value) > len(pattern)
default:
return false
}
}
func (waf *WAFEngine) detectSQLInjection(input string) bool {
sqlPatterns := []string{
`(?i)(union|select|insert|update|delete|drop|create|alter)\s+`,
`(?i)'\s*(or|and)\s*'`,
`(?i)\bor\b\s+\d+\s*=\s*\d+`,
`(?i)\bunion\b.*\bselect\b`,
`(?i)\bdrop\b.*\btable\b`,
}
for _, pattern := range sqlPatterns {
matched, _ := regexp.MatchString(pattern, input)
if matched {
return true
}
}
return false
}
func (waf *WAFEngine) detectXSS(input string) bool {
xssPatterns := []string{
`(?i)<script[^>]*>`,
`(?i)javascript:`,
`(?i)on\w+\s*=`,
`(?i)<iframe[^>]*>`,
`(?i)document\.cookie`,
`(?i)alert\s*\(`,
}
for _, pattern := range xssPatterns {
matched, _ := regexp.MatchString(pattern, input)
if matched {
return true
}
}
return false
}
func (waf *WAFEngine) detectCommandInjection(input string) bool {
cmdPatterns := []string{
`(?i);\s*(ls|cat|pwd|whoami|id|uname)`,
`(?i)\|\s*(ls|cat|pwd|whoami|id|uname)`,
`(?i)&&\s*(ls|cat|pwd|whoami|id|uname)`,
`(?i)\$\([^)]+\)`,
`(?i)`[^`]+`,
}
for _, pattern := range cmdPatterns {
matched, _ := regexp.MatchString(pattern, input)
if matched {
return true
}
}
return false
}
// Threat Intelligence Integration
type ThreatIntelligence struct {
maliciousIPs map[string]ThreatInfo
maliciousDomains map[string]ThreatInfo
signatures map[string]ThreatSignature
feeds []ThreatFeed
lastUpdate time.Time
}
type ThreatInfo struct {
IP string `json:"ip"`
ThreatType string `json:"threat_type"`
Severity string `json:"severity"`
Source string `json:"source"`
LastSeen time.Time `json:"last_seen"`
Confidence int `json:"confidence"`
}
func (ti *ThreatIntelligence) CheckRequest(ctx context.Context, req *WAFRequest) *WAFResponse {
response := &WAFResponse{
Allow: true,
Anomalies: make([]Anomaly, 0),
ThreatScore: 0,
}
// Check IP reputation
if threatInfo, exists := ti.maliciousIPs[req.RemoteAddr]; exists {
response.ThreatScore += 50
response.Anomalies = append(response.Anomalies, Anomaly{
Type: "malicious_ip",
Description: fmt.Sprintf("Request from known malicious IP: %s", req.RemoteAddr),
ThreatInfo: threatInfo,
})
}
// Check for malicious signatures in request
for _, signature := range ti.signatures {
if ti.matchSignature(signature, req) {
response.ThreatScore += signature.Score
response.Anomalies = append(response.Anomalies, Anomaly{
Type: "malicious_signature",
Description: signature.Description,
Signature: signature,
})
}
}
if response.ThreatScore >= 75 {
response.Block = true
response.StatusCode = 403
response.Message = "Request blocked due to threat intelligence match"
}
return response
}
This comprehensive WAF configuration guide provides enterprise-grade web application firewall implementations with advanced threat detection, custom rule development, and automated security response capabilities for protecting modern web applications.