
WAF (ModSecurity)
from KratosUAE
Monitor WAF events, analyze attacks, tune rules and whitelist IPs for OWASP ModSecurity CRS via Docker
WAF MCP Server
An MCP (Model Context Protocol) server for managing OWASP ModSecurity CRS via Docker. Gives AI assistants like Claude direct access to WAF monitoring, analysis, and configuration through a structured drill-down pipeline.
Built for Claude Code but works with any MCP-compatible client.
Why
LLM proxy services (LiteLLM, OpenRouter, etc.) sit behind WAFs that generate massive amounts of false positives โ prompts contain code, SQL, HTML, shell commands that trigger every content-inspection rule in the book. Managing these WAFs requires constant monitoring, tuning exclusions, and investigating events.
This MCP server lets an AI assistant do that work directly:
- Overview โ see total events, unique IPs, active rules at a glance
- Drill down โ filter events by IP or rule, inspect matched data
- Act โ disable rules, whitelist IPs, change engine mode โ all without leaving the conversation
Tools
Analysis (drill-down pipeline)
| Tool | Description |
|---|---|
waf_overview | Dashboard: total events, unique IPs/rules, events last hour |
waf_top_ips | Top IPs by event count with geo enrichment (ipinfo.io) |
waf_top_rules | Most triggered rules with severity and description |
waf_fp_candidates | Rules that fired on HTTP 2xx responses (false positive candidates) |
waf_events_by_ip | Events filtered by source IP |
waf_events_by_rule | Events filtered by rule ID |
waf_event_detail | Full event: headers, request body, all rule matches with matched data |
Actions
| Tool | Description |
|---|---|
waf_status | Container health, engine mode, rules loaded, paranoia level |
waf_set_engine | Switch between On, Off, DetectionOnly |
waf_set_paranoia | Set CRS paranoia level (1โ4) |
waf_disable_rule | Disable a rule by ID (adds SecRuleRemoveById to exclusions) |
waf_enable_rule | Re-enable a previously disabled rule |
waf_allow_ip | Whitelist an IP (bypass WAF entirely) |
waf_deny_ip | Remove an IP from whitelist |
waf_test | Run test suite: scanner detection, SQLi, XSS, path traversal |
Common parameters
since โ All analysis tools accept a since parameter to control the time window. Default is "24h". Supports Docker duration syntax: "1h", "24h", "7d", "30m". Days are automatically converted to hours (Docker's --since doesn't support the d suffix natively).
waf_overview(since: "7d") # last 7 days
waf_events_by_ip(ip: "1.2.3.4", since: "1h") # last hourverbose โ waf_events_by_ip, waf_events_by_rule, and waf_event_detail accept verbose: true. By default, matchedData and requestBody are truncated to keep responses within context limits:
| Field | Default | Verbose |
|---|---|---|
matchedData (per rule) | 150โ200 chars | 4000 chars |
requestBody | 500 chars | 8000 chars |
Development
npm run build # Compile TypeScript
npm test # Run tests (43 tests)
npm run test:watch # Watch mode
WAF_DEBUG=1 npm start # Run with debug loggingArchitecture
src/
โโโ index.ts # MCP server setup, tool registration
โโโ waf-manager.ts # Core service: Docker exec, log parsing, config management
โโโ types.ts # TypeScript interfaces
โโโ config.ts # Environment-based configuration
โโโ logger.ts # stderr-only logger (stdout reserved for MCP protocol)
โโโ tools/
โโโ overview.ts # L0: dashboard
โโโ top-ips.ts # L1: IP aggregation
โโโ top-rules.ts # L1: rule aggregation
โโโ fp-candidates.ts # L1: false positive detection
โโโ events-by-ip.ts # L2: drill-down by IP
โโโ events-by-rule.ts # L2: drill-down by rule
โโโ event-detail.ts # L3: full event inspection
โโโ status.ts # Container status
โโโ set-engine.ts # Engine mode control
โโโ set-paranoia.ts # Paranoia level control
โโโ disable-rule.ts # Rule management
โโโ enable-rule.ts # Rule management
โโโ allow-ip.ts # IP whitelist
โโโ deny-ip.ts # IP whitelist
โโโ test.ts # WAF test suite
โโโ utils.ts # Shared utilitiesEvents are parsed from Docker logs and cached for 30 seconds. Rapid drill-down calls (overview โ top IPs โ events by IP โ event detail) hit the cache instead of re-parsing. The cache is invalidated when the since parameter changes.
License
MIT
git clone https://github.com/KratosUAE/waf_mcp.git
cd waf_mcp
npm install
npm run buildBefore it works, you'll need: WAF_COMPOSE_DIRWAF_DOMAIN
Prerequisites
- Docker with a running owasp/modsecurity-crs container
- Docker Compose managing the ModSecurity container
- Node.js 18+
- ModSecurity configured with JSON Serial audit log (
SecAuditLogFormat JSON)
Installation
git clone https://github.com/KratosUAE/waf_mcp.git
cd waf_mcp
npm install
npm run buildConfiguration
Environment variables
| Variable | Required | Default | Description |
|---|---|---|---|
WAF_COMPOSE_DIR | Yes | โ | Path to directory containing docker-compose.yml |
WAF_DOMAIN | No | https://localhost | Domain for WAF test requests |
WAF_LOGS_SINCE | No | 24h | Default time window for log queries |
WAF_CONTAINER_PATTERN | No | modsecurity | Grep pattern to find the ModSecurity container |
WAF_EXCLUSIONS_FILE | No | modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf | Path to CRS exclusions file (relative to compose dir) |
WAF_COMPOSE_FILE | No | docker-compose.yml | Docker Compose filename |
IPINFO_TOKEN | No | โ | ipinfo.io token for IP geolocation |
WAF_DEBUG | No | โ | Set to any value to enable debug logging |
Connect to Claude Code
claude mcp add --transport stdio --scope user \
-e WAF_COMPOSE_DIR=/path/to/your/compose/dir \
-e WAF_DOMAIN=https://your-domain.com \
waf -- node /path/to/waf_mcp/dist/index.jsOr manually add to ~/.claude.json:
{
"mcpServers": {
"waf": {
"type": "stdio",
"command": "node",
"args": ["/path/to/waf_mcp/dist/index.js"],
"env": {
"WAF_COMPOSE_DIR": "/path/to/your/compose/dir",
"WAF_DOMAIN": "https://your-domain.com"
}
}
}
}Docker Compose setup
The server expects a ModSecurity container managed by Docker Compose. Example service definition:
modsecurity:
image: owasp/modsecurity-crs:nginx-alpine
environment:
- BACKEND=http://your-app:8080
- MODSEC_RULE_ENGINE=DetectionOnly
- MODSEC_AUDIT_LOG=/dev/stderr
- MODSEC_AUDIT_LOG_FORMAT=JSON
- MODSEC_AUDIT_LOG_TYPE=Serial
- MODSEC_AUDIT_ENGINE=RelevantOnly
- MODSEC_REQ_BODY_ACCESS=On
- MODSEC_REQ_BODY_LIMIT=52428800
- MODSEC_RESP_BODY_ACCESS=Off
- PARANOIA=1
- ANOMALY_INBOUND=5
volumes:
- ./modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:roKey settings:
MODSEC_AUDIT_LOG=/dev/stderrโ sends audit log to Docker logs (required for the MCP server to read events)MODSEC_AUDIT_LOG_FORMAT=JSONโ JSON format for structured parsing- Exclusions file mount โ allows hot-reload of rule exclusions via
nginx -s reload
CRS exclusions for LLM traffic
LLM API endpoints receive prompts containing code, SQL, HTML, and shell commands โ all legitimate content that triggers WAF rules. Create an exclusions file to disable content-inspection rules on API paths:
# modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
SecRule REQUEST_URI "@rx ^(/v1/)?(chat/completions|completions|embeddings|responses|messages)|^/anthropic/" \
"id:1000,phase:1,nolog,pass,\
ctl:ruleRemoveById=921000-944999"This disables rules 921000โ944999 (all content-inspection categories: SQLi, XSS, RCE, LFI, RFI, etc.) on LLM API endpoints while keeping protocol enforcement, scanner detection, DoS protection, and IP reputation checks active.
Usage example
Typical workflow in Claude Code:
You: "Check the WAF โ anything suspicious?"
Claude: [calls waf_overview]
โ 332 events, 4 unique IPs, 12 rules triggered
Claude: [calls waf_top_ips]
โ 135.237.83.23 (Washington, US, Microsoft) โ 320 events
Claude: [calls waf_events_by_ip, ip: "135.237.83.23", count: 5]
โ All POST /chat/completions, HTTP 200, rules: 942360, 932100...
Claude: [calls waf_event_detail, index: 42]
โ User-Agent: OpenAI/JS 6.26.0, body contains tool descriptions
โ Rule 942360 matched "update" in cron action descriptions
Claude: "This is your OpenClaw bot โ all false positives.
Want me to whitelist this IP?"
You: "Yes"
Claude: [calls waf_allow_ip, ip: "135.237.83.23"]
โ Done. IP whitelisted.Investigating older events:
You: "Check IP 185.206.249.230 โ it was flagged yesterday"
Claude: [calls waf_events_by_ip, ip: "185.206.249.230", since: "7d"]
โ 2 events from Apr 7, GET /v1/skills, HTTP 401, no rules triggered
โ Apple Private Relay IP (Singapore), just unauthorized API probesNo common issues documented yet. If you hit a problem, the repository's GitHub Issues page is the best place to look.