WAF rule set

This tool is used to quickly write and compile WAF rules.

1. Code

name: test

req-method() eq "GET" =>
    waf-mark-risk(msg: "test new waf rule")

Note that there should be a ; at the end of this code, but there isn’t now, so expect an error to be reported when compiling.

2. Compile

  • Compile failure

  • Compile success

Modify the code with ; and recompile.

4. Download

  • Download the compiled output file

3. Run

  • Use the ruleset
    location /t {
        content_by_lua_block {
            local orwaf = require "orwaf".new()
            local res, err = orwaf:add_rule_set("my-waf-rule", "test")
            if not res then
                ngx.say("err: ", err)

            local names = {
            local matches, err = orwaf:run(names)
            if not matches then
                ngx.say("error: ", err)
                ngx.say("ok: matches = ", require("cjson.safe").encode(matches))
  • add_rule_set(rule_set_name, rule_set_module_name)

    • rule_set_name: Define a name for the ruleset, which will be used later to select the ruleset to be executed by name.
    • rule_set_module_name: The name of the lua module produced by the previous compilation.
  • orwaf:run(rule_set_names)

    • rule_set_names: The name of a custom ruleset, or the name of a built-in ruleset.

The names of all built-in rulesets are as follows:

  • scanner_detection
  • protocol_enforcement
  • protocol_attack
  • attack_lfi
  • attack_rfi
  • attack_rce
  • attack_php
  • attack_nodejs
  • attack_xss
  • attack_sqli
  • attack_session_fixation
  • attack_java