ModSec is a sloppy tool that's honestly sucky. It's config hell, rule hell, and it's outdated ash. It's vulnerable to just about EVERY modern attack surface. We are gonna make that change: https://github.com/1rhino2/RhinoWAF/
Just to clarify, we are not a company of any sort, simply people willing to help.
Is there a good way to go from an OpenAPI / Swagger schema to WAF rules, and then to verify that the rules don't collide? IIUC eBPF does part of this.
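One way to do the schema-to-rules step and the collision check, as an added example that is not part of the thread and is not code from RhinoWAF, ModSecurity or any other project mentioned here: generate one allow-list rule per (method, path template) from an OpenAPI document, tightening each path parameter to a regex derived from its JSON-schema type, then flag pairs of same-method rules for which a single concrete path can satisfy both. The OpenAPI fragment and the rule dict shape are constructed for illustration.

```python
"""Allow-list WAF rules from an OpenAPI document, plus a rule-collision check.

Added example (not from the thread or any WAF project). OPENAPI_SPEC is a
constructed fragment; the rule dict format is hypothetical.
"""
import re
from itertools import combinations

# Constructed OpenAPI fragment: only the parts the generator needs.
OPENAPI_SPEC = {
    "paths": {
        "/users/{id}": {
            "get": {"parameters": [{"name": "id", "in": "path", "schema": {"type": "integer"}}]},
            "delete": {"parameters": [{"name": "id", "in": "path", "schema": {"type": "integer"}}]},
        },
        "/users/me": {"get": {}},
        "/users/{name}": {
            "get": {"parameters": [{"name": "name", "in": "path", "schema": {"type": "string"}}]},
        },
        "/search": {
            "get": {"parameters": [
                {"name": "q", "in": "query", "schema": {"type": "string", "maxLength": 64}},
                {"name": "page", "in": "query", "schema": {"type": "integer"}},
            ]},
        },
    }
}

# One concrete sample value per scalar type, used to probe param-vs-param overlap.
SAMPLE_VALUE = {"integer": "1", "boolean": "true", "string": "x"}

def schema_regex(schema):
    """Tightest regex we can justify from a JSON-schema scalar (no anchors)."""
    t = schema.get("type", "string")
    if t == "integer":
        return r"[0-9]+"
    if t == "boolean":
        return r"(?:true|false)"
    if "enum" in schema:
        return "(?:" + "|".join(re.escape(str(v)) for v in schema["enum"]) + ")"
    max_len = schema.get("maxLength")
    return r"[^/]{1,%d}" % max_len if max_len else r"[^/]+"

def generate_rules(spec):
    """One allow-list rule per (method, path template).

    segments: ("literal", text, None) or ("param", regex, json_type)
    """
    rules = []
    for template, ops in spec["paths"].items():
        for method, op in ops.items():
            params = {p["name"]: p for p in op.get("parameters", [])}
            segments = []
            for seg in template.strip("/").split("/"):
                m = re.fullmatch(r"\{(\w+)\}", seg)
                if m:
                    schema = params.get(m.group(1), {}).get("schema", {})
                    segments.append(("param", schema_regex(schema), schema.get("type", "string")))
                else:
                    segments.append(("literal", seg, None))
            path_regex = "^/" + "/".join(
                re.escape(s[1]) if s[0] == "literal" else s[1] for s in segments) + "$"
            query = {n: schema_regex(p.get("schema", {}))
                     for n, p in params.items() if p.get("in") == "query"}
            rules.append({"method": method.upper(), "template": template,
                          "segments": segments, "path_regex": path_regex, "query": query})
    return rules

def segments_overlap(a, b):
    """Can one concrete path segment satisfy both segment specs?"""
    kind_a, val_a, type_a = a
    kind_b, val_b, type_b = b
    if kind_a == "literal" and kind_b == "literal":
        return val_a == val_b
    if kind_a == "literal":                       # literal vs param: does the param accept it?
        return re.fullmatch(val_b, val_a) is not None
    if kind_b == "literal":
        return re.fullmatch(val_a, val_b) is not None
    # param vs param: probe each side's sample value against the other's pattern
    return any(re.fullmatch(pat, SAMPLE_VALUE.get(t, "x")) is not None
               for pat, t in ((val_a, type_b), (val_b, type_a)))

def find_collisions(rules):
    """Same-method rule pairs for which some concrete path matches both."""
    out = []
    for r1, r2 in combinations(rules, 2):
        if r1["method"] != r2["method"] or len(r1["segments"]) != len(r2["segments"]):
            continue
        if all(segments_overlap(a, b) for a, b in zip(r1["segments"], r2["segments"])):
            out.append((r1["method"], r1["template"], r2["template"]))
    return out

def match_request(rules, method, path, query=None):
    """Positive-security enforcement: the first matching rule, or None (= block).

    Unknown or malformed query parameters block the request even when the
    path is known, which is the point of deriving rules from the schema.
    """
    for r in rules:
        if r["method"] == method.upper() and re.fullmatch(r["path_regex"], path):
            for k, v in (query or {}).items():
                pat = r["query"].get(k)
                if pat is None or not re.fullmatch(pat, v):
                    return None
            return r
    return None

if __name__ == "__main__":
    rules = generate_rules(OPENAPI_SPEC)
    for method, t1, t2 in find_collisions(rules):
        print(f"collision: {method} {t1} overlaps {t2}")
```

With this spec the checker reports two GET collisions: `/users/me` against `/users/{name}`, and `/users/{id}` against `/users/{name}` (an integer is also a string). It does not report `/users/me` against `/users/{id}`, because the integer type tightens that parameter enough to exclude the literal; typed parameters are what make a schema-derived allow-list resolvable. Where a collision remains, `match_request` is order-dependent (first rule wins), so the check should fail the build rather than be tolerated.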
Re: eBPF WAF
awesome-ebpf > Kernel docs, examples, "eBPF/XDP hardware offload to SmartNICs", Go libraries: https://github.com/zoidyzoidzoid/awesome-ebpf#go-libraries
/? ebpf waf site:github.com https://www.google.com/search?q=+ebpf+waf+site%3Agithub.com
harporoeder/ebpfsnitch: "Linux Application Level Firewall based on eBPF and NFQUEUE" https://github.com/harporoeder/ebpfsnitch
ebpf-security/ebpf-https: "eBPF-https is an open source web application firewall (WAF)" https://github.com/ebpf-security/ebpf-https
cilium/cilium: https://github.com/cilium/cilium :
> Cilium is a networking, observability, and security solution with an eBPF-based dataplane. It provides a simple flat Layer 3 network with the ability to span multiple clusters in either a native routing or overlay mode. It is L7-protocol aware and can enforce network policies on L3-L7 using an identity based security model that is decoupled from network addressing.
How does RhinoWAF compare to other open WAFs like OWASP Coraza WAF, bunkerweb, and SafeLine?
Does RhinoWAF support ModSecurity SecLang rulesets like OWASP CRS? Is there a SecLang to RhinoWAF JSON converter?
Shouldn't eBPF be fast at sorting and running rules?
What are good metrics for evaluating WAFs?
coraza: https://github.com/corazawaf/coraza
bunkerweb: https://github.com/bunkerity/bunkerweb
SafeLine: https://github.com/chaitin/SafeLine
RhinoWAF: https://github.com/1rhino2/RhinoWAF
gh topic: waf: https://github.com/topics/waf
awesome-WAF: https://github.com/0xInfection/Awesome-WAF
> What are good metrics for evaluating WAFs?
TPR: True Positive Rate (Detection Rate), TNR: True Negative Rate, FPR: False Positive Rate ("ROC Curve")
Accuracy = (TP + TN) / # Requests
Latency / Detection Time as percentiles
Throughput: response time in ms given requests per second
Time to Virtual Patch, and CI/CD rule deployment integration
DDoS Response Time: How quickly does the WAF mitigate a Layer 7 (application) DDoS attack?
... Rule Management Overhead: MTTT: Mean Time To Tune, Policy Complexity; CI/CD, SIEM/SOAR integration; https://gemini.google.com/share/0d2d1c53bfb0
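A small evaluation harness for the detection and latency metrics listed above, as an added example that is not part of the thread and not code from any WAF project: replay a labelled corpus through a decision function, build the confusion matrix, derive TPR/TNR/FPR and accuracy, and report decision latency as percentiles. The corpus and the deliberately crude regex "WAF" are constructed so that the numbers come out with one false positive and one miss; a real run would substitute the WAF under test and a recorded benign/attack corpus.

```python
"""WAF evaluation: confusion matrix, TPR/TNR/FPR, accuracy, latency percentiles.

Added example (not from the thread or any WAF project). CORPUS and toy_waf
are constructed for illustration.
"""
import re
import time
from math import ceil
from urllib.parse import unquote

# Constructed labelled corpus: (request line, is_attack).
CORPUS = [
    ("GET /search?q=rhino", False),
    ("GET /search?q=1%27%20OR%20%271%27%3D%271", True),                  # SQLi
    ("GET /users/42", False),
    ("GET /users/42/../../etc/passwd", True),                             # traversal
    ("POST /login user=admin&pass=x", False),
    ("GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", True),         # XSS
    ("GET /search?q=select%20a%20hotel", False),                          # benign, FP bait
    ("GET /search?q=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E", True),  # XSS, no <script>
    ("GET /items?id=10", False),
    ("GET /items?id=10%20UNION%20SELECT%201,2,3", True),                  # SQLi
]

# Deliberately crude rules: the bare "select" word causes a false positive,
# and the XSS rule only knows <script>, so the event-handler payload is missed.
RULES = [
    ("sqli", re.compile(r"(?i)(union\s+select|\bselect\b|'\s*or\s*')")),
    ("xss", re.compile(r"(?i)<script")),
    ("traversal", re.compile(r"\.\./")),
]

def toy_waf(request_line):
    """Return (blocked, rule_name). URL-decodes once, then scans the rules."""
    decoded = unquote(request_line)
    for name, rx in RULES:
        if rx.search(decoded):
            return True, name
    return False, None

def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) of a non-empty list."""
    ordered = sorted(values)
    idx = max(ceil(p / 100.0 * len(ordered)) - 1, 0)
    return ordered[idx]

def confusion(verdicts):
    """verdicts: iterable of (blocked, is_attack) -> TP/FP/TN/FN counts."""
    cm = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for blocked, is_attack in verdicts:
        if blocked and is_attack:
            cm["TP"] += 1
        elif blocked:
            cm["FP"] += 1
        elif is_attack:
            cm["FN"] += 1
        else:
            cm["TN"] += 1
    return cm

def rates(cm):
    """TPR, TNR, FPR, accuracy and balanced accuracy from a confusion matrix."""
    def safe(n, d):
        return n / d if d else 0.0
    total = sum(cm.values())
    tpr = safe(cm["TP"], cm["TP"] + cm["FN"])
    tnr = safe(cm["TN"], cm["TN"] + cm["FP"])
    return {**cm,
            "TPR": tpr, "TNR": tnr,
            "FPR": safe(cm["FP"], cm["FP"] + cm["TN"]),
            "accuracy": safe(cm["TP"] + cm["TN"], total),
            # Mean of TPR and TNR: unlike plain accuracy, a WAF that blocks
            # nothing cannot score well on it just because attacks are rare.
            "balanced_accuracy": (tpr + tnr) / 2.0}

def evaluate(decide, corpus):
    """Replay corpus through decide(request) -> (blocked, info); time each call."""
    verdicts, latencies_ms = [], []
    for request_line, is_attack in corpus:
        t0 = time.perf_counter()
        blocked, _ = decide(request_line)
        latencies_ms.append((time.perf_counter() - t0) * 1000.0)
        verdicts.append((blocked, is_attack))
    result = rates(confusion(verdicts))
    result["p50_ms"] = percentile(latencies_ms, 50)
    result["p99_ms"] = percentile(latencies_ms, 99)
    return result

if __name__ == "__main__":
    for k, v in evaluate(toy_waf, CORPUS).items():
        print(f"{k:>18}: {v}")
```

On this corpus the toy WAF scores TPR 0.8 (4 of 5 attacks), FPR 0.2 (1 of 5 benign), accuracy 0.8. Note what accuracy hides: `evaluate(lambda r: (False, None), CORPUS)`, a WAF that blocks nothing, scores 0.5 here only because the corpus is half attacks; on realistic traffic that is 99% benign the same null WAF scores 0.99 accuracy with a detection rate of zero, which is why TPR and FPR (or balanced accuracy) should be reported separately rather than folded into one number. Latency percentiles measured this way include only the decision function, not the proxy hop, so compare them across WAFs on the same host and corpus.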