Why We're Beating Modsecurity

westurner2 days ago

How does RhinoWAF compare to other open WAFs like OWASP Coraza WAF, bunkerweb, and SafeLine?Does RhinoWAF support ModSecurity SecLang rulesets like OWASP CRS? Is there a SecLang to RhinoWAF JSON converter?Shouldn't eBPF be fast at sorting and running rules?What are good metrics for evaluating WAFs?coraza: <a href="https://github.com/corazawaf/coraza" rel="nofollow">https://github.com/corazawaf/coraza</a>bunkerweb: <a href="https://github.com/bunkerity/bunkerweb" rel="nofollow">https://github.com/bunkerity/bunkerweb</a>SafeLine: <a href="https://github.com/chaitin/SafeLine" rel="nofollow">https://github.com/chaitin/SafeLine</a>RhinoWAF: <a href="https://github.com/1rhino2/RhinoWAF" rel="nofollow">https://github.com/1rhino2/RhinoWAF</a>gh topic: waf: <a href="https://github.com/topics/waf" rel="nofollow">https://github.com/topics/waf</a>awesome-WAF: <a href="https://github.com/0xInfection/Awesome-WAF" rel="nofollow">https://github.com/0xInfection/Awesome-WAF</a>

westurner2 days ago
> What are good metrics for evaluating WAFs?TPR: True Positive Rate (Detection Rate), TNT: True Negative Rate, FPR: False Positive Rate ("ROC Curve")Accuracy = TP + TN / # RequestsLatency / Detection Time as percentilesThroughput: response time in ms given requests per secondTime to Virtual Patch, and CI/CD rule deployment integrationDDoS Response Time: How quickly does the WAF mitigate a Layer 7 (application) DDoS attack?... Rule Management Overhead: MTTT: Mean Time To Tune, Policy Complexity; CI/CD, SIEM/SOAR integration; <a href="https://gemini.google.com/share/0d2d1c53bfb0" rel="nofollow">https://gemini.google.com/share/0d2d1c53bfb0</a>

1rhino22 days ago

Modsec is a sloppy tool thats honestly sucky. Its config hell, rule hell and its outdated ash. Its vulnerable to just about EVERY modern attack surface. We are gonna make that change: <a href="https://github.com/1rhino2/RhinoWAF/" rel="nofollow">https://github.com/1rhino2/RhinoWAF/</a>Just to clarify, we are not a company of any sorts, simply people willing to help.

westurner2 days ago

Is there a good way to go from an OpenAPI / Swagger schema to WAF rules; and then to verify that the rules don't collide? IIUC eBPF does part of this

westurner2 days ago
Re: eBPF WAFawesome-ebpf > Kernel docs, examples, "eBPF/XDP hardware offload to SmartNICs", Go libraries: <a href="https://github.com/zoidyzoidzoid/awesome-ebpf#go-libraries" rel="nofollow">https://github.com/zoidyzoidzoid/awesome-ebpf#go-libraries</a>/? ebpf waf site:github.com <a href="https://www.google.com/search?q=+ebpf+waf+site%3Agithub.com" rel="nofollow">https://www.google.com/search?q=+ebpf+waf+site%3Agithub.com</a>harporoeder/ebpfsnitch: "Linux Application Level Firewall based on eBPF and NFQUEUE" <a href="https://github.com/harporoeder/ebpfsnitch" rel="nofollow">https://github.com/harporoeder/ebpfsnitch</a>ebpf-security/ebpf-https: "eBPF-https is an open source web application firewall (WAF)" <a href="https://github.com/ebpf-security/ebpf-https" rel="nofollow">https://github.com/ebpf-security/ebpf-https</a>cilium/cilium: <a href="https://github.com/cilium/cilium" rel="nofollow">https://github.com/cilium/cilium</a> :> Cilium is a networking, observability, and security solution with an eBPF-based dataplane. It provides a simple flat Layer 3 network with the ability to span multiple clusters in either a native routing or overlay mode. It is L7-protocol aware and can enforce network policies on L3-L7 using an identity based security model that is decoupled from network addressing.