wafrift-detect 0.2.13

WAF detection from response headers and body, response fingerprint drift analysis.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

[[waf]]
name = "ModSecurity"
vendor = "SpiderLabs"
confidence_threshold = 0.3
evasions = ["SqlCommentInsertion", "WhitespaceInsertion", "CaseAlternation", "DoubleUrlEncode", "ContentTypeSwitch"]
source = "WAFW00F:modsecurity"
[[waf.signature]]
  body_regex = "This error was generated by Mod.?Security"
  weight = 0.4
[[waf.signature]]
  body_regex = "rules of the mod.security.module"
  weight = 0.4
[[waf.signature]]
  body_regex = "mod.security.rules triggered"
  weight = 0.4
[[waf.signature]]
  body_regex = "Protected by Mod.?Security"
  weight = 0.4
[[waf.signature]]
  body_regex = "/modsecurity[\\-_]errorpage/"
  weight = 0.4
[[waf.signature]]
  body_regex = "modsecurity iis"
  weight = 0.4
[[waf.signature]]
  status_code = 403
  weight = 0.2
[[waf.signature]]
  status_code = 406
  weight = 0.2
[[waf.signature]]
  header_name = "server"
  header_regex = "mod_security"
  weight = 0.6
[[waf.signature]]
  body_regex = "mod_security"
  weight = 0.5
[[waf.signature]]
  body_regex = "modsecurity"
  weight = 0.5
[[waf.signature]]
  body_regex = "not acceptable"
  weight = 0.4
[[waf.signature]]
  body_regex = "owasp"
  weight = 0.3
[[waf.signature]]
  body_regex = "crs"
  weight = 0.3