OctopusWAF is an open-source Web application firewall entirely created in C language that uses libevent to make multiple connections.
The event-driven architecture is optimized for many parallel connections (keep-alive), vital for high-performance AJAX applications.
This tool is very light. You can deploy in any, please. This resource turns perfect for protecting specific endpoints that need custom protection.
- Reverse proxy function.
- Detect anomaly using regex using lib PCRE resources.
- Detect security anomaly using algorithms for match string like DFA, horspool or karp-rabin.
- Detect security anomaly using libinjection.
- Options to save log.
https://www.youtube.com/watch?v=qbnis-i7EqU Test detection with libinjection.
Install libpcre or libpcre-dev with apt. If you use RPM-based distro, search the name pcre-devel package, on BSD systems search in ports or brew(MacOS)... You Need libevent-dev to run; on RPM distros libevent-devel, you need to install OpenSSL-dev and OpenSSL-devel.
Example in debian based:
$ sudo apt install libssl-dev libevent-dev libpcre3-dev make gcc
To compile and run OctopusWAF, follow these commands:
$ git clone https://github.com/CoolerVoid/OctopusWAF
$ cd OctopusWAF; make
# if you need to see options try the following
$ bin/OctopusWAF
The example tested on DVWA on a simple HTTP channel.
$ bin/OctopusWAF -h 127.0.0.1:7008 -r 127.0.0.1:80 --debug --libinjection-sqli --log results_log.txt
Note you can use pcre, horspool, and libinjection mode protections simultaneously.
Open your browser in http://127.0.0.1:7008, and you can test the block when you attack.
- Notes: Don't execute with "cd bin; ./OctopusWAF" use full path "bin/OctopusWAF" because binary needs load content in the config directory. Use HTTP only for WAF usage. This version 0.1 runs TLS but doesn't have a resource to load cert and read TLS requests/responses. If you use TLS, the service can lose the WAF function and work a reverse proxy.
Tested on Linux but can run in FreeBSD.
-------------------------------------------------------------------------------
Language files blank comment code
-------------------------------------------------------------------------------
C/C++ Header 14 133 270 9977
C 13 591 798 2625
make 2 14 3 52
Markdown 1 34 0 52
-------------------------------------------------------------------------------
SUM: 30 772 1071 12706
-------------------------------------------------------------------------------
- Resource to load modsec rules https://github.com/SpiderLabs/owasp-modsecurity-crs/
- Resource to use NLP and try to classify payload to block using machine learning (KNN or naive Bayes)
- Insert new regulations to detect XSS
- Insert new rules to detect SQLi
- Insert new rules to see RCE
- Insert new rules to detect RFI/LFI
- Insert new rules to detect XXE
- Insert new rules to detect Anomalies.
- Channel for TLS
- Cert Load
- Issues.
The purpose of this tool is to use in pentest, take attention if you have a proper authorization before to use that. I do not have responsibility for your actions. You can use a hammer to construct a house or destroy it, choose the law path, don't be a bad guy, remember.