aledbf/coraza-waf (forked from corazawaf/coraza)

Coraza is a golang modsecurity compatible web application firewall library with embedded reverse proxy.

Coraza Web Application Firewall

This project is not intended for production yet: APIs are going to change, it is not secure enough, and it might crash.


Connector status

  • C API Wrapper: TBD
  • Nginx Connector: TBD
  • Apache Connector: TBD
  • PHP composer Module: TBD
  • NodeJS Package: TBD
  • Python Package: TBD
  • Ruby Gem: TBD
  • .NET Component: TBD
  • Wordpress Plugin: TBD
  • Kong Plugin: TBD
  • CPanel Application: TBD
  • TCPDump listener: TBD

TO-DO

  • Normalize API
  • Libinjection integration
  • LibGeoIp2 integration
  • Implement PCRE to replicate modsecurity regex
  • Add more settings
  • Replace libinjection with something awesome, maybe AI?
  • Create Documentation
  • Audit Logging (syslog, ES and concurrent)
  • Logrotate support
  • Implement Aho-Corasick matching
  • API Swagger
  • Docker Package
  • Fix logger
  • Implement Modsecurity Level 1 Core Features
  • Autoconf
  • Vendoring
  • Optimize pcre compilation instructions
  • Optimize multi-threading
  • Reorder file and code structure
  • Optimize rule parser
  • OWASP CRS Full Support (almost there)
  • Tests and Travis
  • Benchmarking tools
  • Plugin system
  • Add IP Forward support
  • Add settings reload feature
  • Windows compatibility
  • Add lua support (Do not copy modsecurity, we must build something better)

Low priority TO-DO

  • Cache geoip to enhance speed
  • Create cloud playground
  • Add lua scripting support
  • Add clustering features
  • Add support for plugins
  • OpenAPI 3.0 Enforcement
  • Implement coraza packages (rules and scripts)
  • Implement custom data types
  • Replace libinjection with something cooler
  • Add custom operator to import files
  • Add replace and masking capabilities to rules as "actions"

Rules reservation

This project respects the original ModSecurity reserved rule IDs but removes those that are no longer used or are not documented well enough. Rule IDs must be unique across every rule loaded into one engine, so keep locally written rules inside the 1-99,999 range; that guarantees they can never collide with a distributed set such as the OWASP CRS.

  • 1-99,999: reserved for local (internal) use. Use as you see fit, but do not use this range for rules that are distributed to others
  • 100,000-199,999: unused (available for reservation)*
  • 200,000-299,999: reserved for rules published by Comodo
  • 300,000-399,999: unused (available for reservation)*
  • 400,000-419,999: unused (available for reservation)
  • 420,000-429,999: unused (available for reservation)*
  • 430,000-439,999: unused (available for reservation)*
  • 440,000-599,999: unused (available for reservation)
  • 600,000-699,999: reserved for use by Akamai http://www.akamai.com/html/solutions/waf.html
  • 700,000-799,999: unused (available for reservation)*
  • 900,000-999,999: reserved for the OWASP ModSecurity Core Rule Set project http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
  • 1,000,000-1,009,999: reserved for rules published by the Red Hat Security Team
  • 1,010,000-1,999,999: reserved for rules from the Coraza Technologies Research team
  • 2,000,000-2,999,999: reserved for rules from Trustwave's SpiderLabs Research team
  • 3,000,000-3,999,999: reserved for use by Akamai http://www.akamai.com/html/solutions/waf.html
  • 4,000,000-4,099,999: unused (available for reservation)*
  • 4,100,000-4,199,999: reserved, in use by Fastly https://www.fastly.com/products/cloud-security/#products-cloud-security-web-application-firewall
  • 4,200,000-4,299,999: unused (available for reservation)*
  • 4,300,000-4,300,999: unused (available for reservation)*
  • 4,301,000-19,999,999: unused (available for reservation)
  • 20,000,000-21,999,999: reserved for rules from Trustwave's SpiderLabs Research team
  • 22,000,000 and above: unused (available for reservation)
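As an added example for this README (not code from the Coraza project), the Go program below encodes the reservation table above and uses it to lint a rule file before it is loaded: it pulls the id action out of every SecRule and SecAction directive, flags directives without an id and duplicate ids, and reports any id that strays out of the local 1-99,999 range together with who that range is reserved for. The sample rule file, the function names and the merging of adjacent unused blocks are this example's own; 800,000-899,999 is absent from the table, so the example deliberately reports it as not listed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

type ruleIDRange struct {
	Lo, Hi int
	Owner  string
}

// reservedRanges mirrors the table above with adjacent "unused" blocks merged;
// 800,000-899,999 is absent from the table, so it is absent here too.
var reservedRanges = []ruleIDRange{
	{1, 99999, "local (internal) use"},
	{100000, 199999, "unused"},
	{200000, 299999, "Comodo"},
	{300000, 599999, "unused"},
	{600000, 699999, "Akamai"},
	{700000, 799999, "unused"},
	{900000, 999999, "OWASP ModSecurity Core Rule Set"},
	{1000000, 1009999, "Redhat Security Team"},
	{1010000, 1999999, "Coraza Technologies Research team"},
	{2000000, 2999999, "Trustwave SpiderLabs Research team"},
	{3000000, 3999999, "Akamai"},
	{4000000, 4099999, "unused"},
	{4100000, 4199999, "Fastly"},
	{4200000, 19999999, "unused"},
	{20000000, 21999999, "Trustwave SpiderLabs Research team"},
	{22000000, 1<<31 - 1, "unused"}, // "22,000,000 and above"
}

// ownerOf reports the reservation a rule ID belongs to.
func ownerOf(id int) string {
	for _, r := range reservedRanges {
		if id >= r.Lo && id <= r.Hi {
			return r.Owner
		}
	}
	return "not listed"
}

var idPattern = regexp.MustCompile(`(?:^|[,"\s])id:'?(\d+)'?`) // the id action

// ruleIDs returns the id of every SecRule/SecAction directive in conf, in order,
// reporting 0 for a directive without one. Backslash-newline continuations are
// joined first, as ModSecurity does.
func ruleIDs(conf string) []int {
	var ids []int
	for _, line := range strings.Split(strings.ReplaceAll(conf, "\\\n", " "), "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "SecRule ") && !strings.HasPrefix(line, "SecAction ") {
			continue
		}
		m := idPattern.FindStringSubmatch(line)
		if m == nil {
			ids = append(ids, 0)
			continue
		}
		n, _ := strconv.Atoi(m[1]) // the pattern only captures digits
		ids = append(ids, n)
	}
	return ids
}

// validateLocalRules checks a locally written rule file: every directive needs
// an id, ids must be unique, and they must stay inside the local range so they
// can never collide with a distributed rule set such as the CRS.
func validateLocalRules(conf string) []string {
	var problems []string
	seen := map[int]bool{}
	for _, id := range ruleIDs(conf) {
		switch {
		case id == 0:
			problems = append(problems, "directive without an id action")
		case seen[id]:
			problems = append(problems, fmt.Sprintf("duplicate id %d", id))
		case id < 1 || id > 99999:
			problems = append(problems, fmt.Sprintf("id %d is outside the local range 1-99999 (reserved for: %s)", id, ownerOf(id)))
		}
		seen[id] = true
	}
	return problems
}

// sampleConf is a constructed rule file used only to exercise the checks.
const sampleConf = `
SecRule REQUEST_HEADERS:User-Agent "@contains sqlmap" \
    "id:1001,phase:1,deny,status:403,log,msg:'scanner user agent'"
SecRule ARGS "@rx (?i)union\s+select" "id:1001,phase:2,deny,log"
SecRule ARGS "@detectXSS" "id:941100,phase:2,block,log"
SecAction "phase:1,pass,nolog,setvar:tx.paranoia_level=1"
`

func main() {
	for _, p := range validateLocalRules(sampleConf) {
		fmt.Println("problem:", p)
	}
}
```

Running it against the constructed file reports the duplicated id 1001, the id 941100 that sits in the CRS block, and the SecAction that has no id at all. The id extraction is a line-oriented approximation of the real parser, good enough for a pre-commit check on your own rules but not a substitute for loading them into the engine.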

Use with docker

docker build -t coraza-waf .
docker run -d -it -p 8080:8080 --name=coraza-waf coraza-waf --host=0.0.0.0

To use your own settings, mount a directory containing your configuration as a volume at /etc/coraza/ inside the container. The --host=0.0.0.0 flag makes the proxy listen on all of the container's interfaces, which is what lets the port published with -p reach it.

Usage

Skipper filter syntax:

-> corazaWAF("/path/to/rules.conf", "/path/to/datafiles")

Sample eskip route (the WAF filter comes first so that it inspects the request before the later filters rewrite the host, path and query):

baidu:
        Path("/baidu")
        -> corazaWAF("/path/to/rules.conf", "/path/to/datafiles")
        -> setRequestHeader("Host", "www.baidu.com")
        -> setPath("/s")
        -> setQuery("wd", "godoc skipper")
        -> "http://www.baidu.com";

Compile from source

Compilation prerequisites: Go 1.11 or newer, a C compiler, libpcre++-dev, and a compiled libinjection (run make libinjection).

You can compile each package individually by running go build cmd/skipper/main.go, or use the make targets:

make
sudo make install

Compile as a skipper plugin

Change the package name in pkg/skipper/filters.go from skipper to main, then:

GO111MODULE=on go build -buildmode=plugin -o coraza.so pkg/skipper/filters.go
skipper -filter-plugin coraza

Go plugins only load if the plugin and the skipper binary were built with the same Go toolchain and identical versions of every shared dependency, so rebuild the plugin whenever either of them changes.

Credits

  • The ModSecurity team, whose project is the baseline for this one

Compatibility

Variables

  • ARGS
  • ARGS_COMBINED_SIZE
  • ARGS_GET
  • ARGS_GET_NAMES
  • ARGS_NAMES
  • ARGS_POST
  • ARGS_POST_NAMES
  • AUTH_TYPE
  • DURATION
  • ENV
  • FILES
  • FILES_COMBINED_SIZE
  • FILES_NAMES
  • FULL_REQUEST
  • FULL_REQUEST_LENGTH
  • FILES_SIZES
  • FILES_TMPNAMES
  • FILES_TMP_CONTENT
  • GEO
  • HIGHEST_SEVERITY
  • INBOUND_DATA_ERROR
  • MATCHED_VAR
  • MATCHED_VARS
  • MATCHED_VAR_NAME
  • MATCHED_VARS_NAMES
  • MODSEC_BUILD
  • MULTIPART_CRLF_LF_LINES
  • MULTIPART_FILENAME
  • MULTIPART_NAME
  • MULTIPART_STRICT_ERROR
  • MULTIPART_UNMATCHED_BOUNDARY
  • OUTBOUND_DATA_ERROR
  • PATH_INFO
  • PERF_ALL
  • PERF_COMBINED
  • PERF_GC
  • PERF_LOGGING
  • PERF_PHASE1
  • PERF_PHASE2
  • PERF_PHASE3
  • PERF_PHASE4
  • PERF_PHASE5
  • PERF_RULES
  • PERF_SREAD
  • PERF_SWRITE
  • QUERY_STRING
  • REMOTE_ADDR
  • REMOTE_HOST
  • REMOTE_PORT
  • REMOTE_USER
  • REQBODY_ERROR
  • REQBODY_ERROR_MSG
  • REQBODY_PROCESSOR
  • REQUEST_BASENAME
  • REQUEST_BODY
  • REQUEST_BODY_LENGTH
  • REQUEST_COOKIES
  • REQUEST_COOKIES_NAMES
  • REQUEST_FILENAME
  • REQUEST_HEADERS
  • REQUEST_HEADERS_NAMES
  • REQUEST_LINE
  • REQUEST_METHOD
  • REQUEST_PROTOCOL
  • REQUEST_URI
  • REQUEST_URI_RAW
  • RESPONSE_BODY
  • RESPONSE_CONTENT_LENGTH
  • RESPONSE_CONTENT_TYPE
  • RESPONSE_HEADERS
  • RESPONSE_HEADERS_NAMES
  • RESPONSE_PROTOCOL
  • RESPONSE_STATUS
  • RULE
  • SCRIPT_BASENAME
  • SCRIPT_FILENAME
  • SCRIPT_GID
  • SCRIPT_GROUPNAME
  • SCRIPT_MODE
  • SCRIPT_UID
  • SCRIPT_USERNAME
  • SDBM_DELETE_ERROR
  • SERVER_ADDR
  • SERVER_NAME
  • SERVER_PORT
  • SESSION
  • SESSIONID
  • STATUS_LINE
  • STREAM_INPUT_BODY
  • STREAM_OUTPUT_BODY
  • TIME
  • TIME_DAY
  • TIME_EPOCH
  • TIME_HOUR
  • TIME_MIN
  • TIME_MON
  • TIME_SEC
  • TIME_WDAY
  • TIME_YEAR
  • TX
  • UNIQUE_ID
  • URLENCODED_ERROR
  • USERID
  • USERAGENT_IP
  • WEBAPPID
  • WEBSERVER_ERROR_LOG
  • XML

Operators

  • beginsWith
  • contains
  • containsWord
  • detectSQLi
  • detectXSS
  • endsWith
  • fuzzyHash
  • eq
  • ge
  • geoLookup
  • gsbLookup
  • gt
  • inspectFile
  • ipMatch
  • ipMatchF
  • ipMatchFromFile
  • le
  • lt
  • noMatch
  • pm
  • pmf
  • pmFromFile
  • rbl
  • rsub
  • rx
  • streq
  • strmatch
  • unconditionalMatch
  • validateByteRange
  • validateDTD
  • validateHash
  • validateSchema
  • validateUrlEncoding
  • validateUtf8Encoding
  • verifyCC
  • verifyCPF
  • verifySSN
  • within

Phases

  • Phase Request Headers
  • Phase Request Body
  • Phase Response Headers
  • Phase Response Body
  • Phase Logging

Actions

  • accuracy
  • allow
  • append
  • auditlog
  • block
  • capture
  • chain
  • ctl
  • deny
  • deprecatevar
  • drop
  • exec
  • expirevar
  • id
  • initcol
  • log
  • logdata
  • maturity
  • msg
  • multiMatch
  • noauditlog
  • nolog
  • pass
  • pause
  • phase
  • prepend
  • proxy
  • redirect
  • rev
  • sanitiseArg
  • sanitiseMatched
  • sanitiseMatchedBytes
  • sanitiseRequestHeader
  • sanitiseResponseHeader
  • severity
  • setuid
  • setrsc
  • setsid
  • setenv
  • setvar
  • skip
  • skipAfter
  • status
  • t
  • tag
  • ver
  • xmlns

Transformations

  • base64Decode
  • sqlHexDecode
  • base64DecodeExt
  • base64Encode
  • cmdLine
  • compressWhitespace
  • cssDecode
  • escapeSeqDecode
  • hexDecode
  • hexEncode
  • htmlEntityDecode
  • jsDecode
  • length
  • lowercase
  • md5
  • none
  • normalisePath
  • normalizePath
  • normalisePathWin
  • normalizePathWin
  • parityEven7bit
  • parityOdd7bit
  • parityZero7bit
  • removeNulls
  • removeWhitespace
  • replaceComments
  • removeCommentsChar
  • removeComments
  • replaceNulls
  • urlDecode
  • uppercase
  • urlDecodeUni
  • urlEncode
  • utf8toUnicode
  • sha1
  • trimLeft
  • trimRight
  • trim
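The compatibility lists above name the building blocks of a SecRule but not how they fit together. The Go program below is an added example written for this README, not Coraza's own engine code: it implements three of the transformations listed above (urlDecodeUni, removeNulls, lowercase) and one of the operators (rx) and wires them the way a rule evaluates one variable value, with the t: chain running first and the operator seeing only the result. The payload, the function names (applyTransformations, evaluate, hexVal) and the map-based registries are this example's own; the urlDecodeUni semantics follow the ModSecurity reference manual's description of the %u handling.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// hexVal parses s[i:i+n] as hex; ok is false if the slice is short or not hex.
func hexVal(s string, i, n int) (uint64, bool) {
	if i+n > len(s) {
		return 0, false
	}
	v, err := strconv.ParseUint(s[i:i+n], 16, 32)
	return v, err == nil
}

// urlDecodeUni decodes %XX, '+' and the IIS-style %uXXXX form. Following the
// ModSecurity reference manual, a %u code point in the full-width ASCII block
// (U+FF01-U+FF5E) is folded to plain ASCII and any other one keeps only its
// low byte. Malformed escapes are left untouched.
func urlDecodeUni(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '+' {
			b.WriteByte(' ')
		} else if r, ok := hexVal(s, i+2, 4); s[i] == '%' && i+1 < len(s) && s[i+1]|0x20 == 'u' && ok {
			if r >= 0xFF01 && r <= 0xFF5E {
				r -= 0xFEE0
			}
			b.WriteByte(byte(r & 0xFF))
			i += 5
		} else if v, ok := hexVal(s, i+1, 2); s[i] == '%' && ok {
			b.WriteByte(byte(v))
			i += 2
		} else {
			b.WriteByte(s[i])
		}
	}
	return b.String()
}

// transformations holds three of the t: functions listed above; the rest
// have the same string-to-string shape.
var transformations = map[string]func(string) string{
	"lowercase":    strings.ToLower,
	"removeNulls":  func(s string) string { return strings.ReplaceAll(s, "\x00", "") },
	"urlDecodeUni": urlDecodeUni,
}

// operators holds the rx operator. It is backed by Go's RE2 engine here, so
// PCRE-only syntax (lookarounds, backreferences) is rejected at compile time,
// which is what the PCRE item in the TO-DO above is about.
var operators = map[string]func(value, arg string) (bool, error){
	"rx": func(v, a string) (bool, error) {
		re, err := regexp.Compile(a)
		if err != nil {
			return false, err
		}
		return re.MatchString(v), nil
	},
}

// applyTransformations runs the t: chain left to right. t:none resets to the
// raw value, discarding transformations applied earlier in the chain (and, in
// a real rule, anything inherited from SecDefaultAction).
func applyTransformations(value string, names []string) (string, error) {
	out := value
	for _, n := range names {
		if n == "none" {
			out = value
			continue
		}
		fn, ok := transformations[n]
		if !ok {
			return "", fmt.Errorf("unsupported transformation %q", n)
		}
		out = fn(out)
	}
	return out, nil
}

// evaluate mirrors how a SecRule treats one variable value: transform first,
// then hand the result to the operator.
func evaluate(value string, ts []string, op, arg string) (bool, error) {
	v, err := applyTransformations(value, ts)
	if err != nil {
		return false, err
	}
	fn, ok := operators[op]
	if !ok {
		return false, fmt.Errorf("unsupported operator %q", op)
	}
	return fn(v, arg)
}

func main() {
	// Constructed evasion payload: %u-encoded '<', a NUL inside the tag name
	// and mixed case. Only the full chain lets the pattern see "<script".
	payload := "%u003CSCR%00IPT%20src=x%3E"
	chain := []string{"none", "urlDecodeUni", "removeNulls", "lowercase"}
	hit, _ := evaluate(payload, chain, "rx", `<script\b`)
	miss, _ := evaluate(payload, []string{"lowercase"}, "rx", `<script\b`)
	fmt.Printf("full chain matched: %v, lowercase only matched: %v\n", hit, miss)
}
```

The point of the two evaluations in main is the order of operations: a rule whose chain is only t:lowercase never sees the decoded "<script", because the operator runs on the transformed value and nothing else. That is also why the CRS leans so heavily on t:urlDecodeUni and t:removeNulls before its XSS and SQLi operators, and why a rule that starts with t:none must list every transformation it relies on.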

License

In keeping with the spirit of the ModSecurity project, Coraza inherits the Apache 2 License; see the LICENSE file for full details.
