sentinel-agent-waf

Web Application Firewall agent for Sentinel reverse proxy. Detects and blocks common web attacks.

Features

• SQL Injection detection - UNION-based, blind, time-based
• Cross-Site Scripting (XSS) - Script tags, event handlers, JavaScript URIs
• Path Traversal - Directory traversal, encoded attacks
• Command Injection - Shell commands, pipe injection
• Protocol Attacks - Request smuggling, scanner detection
• Paranoia levels (1-4) for tuning sensitivity
• Detect-only mode for monitoring without blocking

Installation

From crates.io

cargo install sentinel-agent-waf

From source

git clone https://github.com/raskell-io/sentinel-agent-waf
cd sentinel-agent-waf
cargo build --release

Usage

sentinel-waf-agent --socket /var/run/sentinel/waf.sock --paranoia-level 1

Command Line Options

Paranoia Levels

Detection Rules

SQL Injection (942xxx)

• UNION-based injection
• Tautology attacks (OR 1=1)
• Comment injection (--, #, /**/)
• Time-based blind injection (SLEEP(), BENCHMARK())

Cross-Site Scripting (941xxx)

• Script tag injection (<script>)
• Event handler injection (onclick=, onerror=)
• JavaScript URI (javascript:)
• Data URI (data:text/html)

Path Traversal (930xxx)

• Directory traversal (../, ..\\)
• URL-encoded traversal (%2e%2e%2f)
• OS file access (/etc/passwd, c:\\windows)

Command Injection (932xxx)

• Shell command injection (; ls, | cat)
• Unix command execution ($(...), backticks)
• Windows command execution (cmd.exe, powershell)

Protocol Attacks (920xxx)

• Control characters in request
• Request smuggling patterns
• Scanner detection (Nikto, SQLMap, etc.)

Configuration

Sentinel Proxy Configuration

agents {
    agent "waf" {
        type "custom"
        transport "unix_socket" {
            path "/var/run/sentinel/waf.sock"
        }
        events ["request_headers"]
        timeout-ms 50
        failure-mode "open"
    }
}

routes {
    route "all" {
        matches { path-prefix "/" }
        upstream "backend"
        agents ["waf"]
    }
}

Docker/Kubernetes

# Environment variables
WAF_PARANOIA_LEVEL: "1"
WAF_BLOCK_MODE: "true"
WAF_EXCLUDE_PATHS: "/health,/metrics"

Response Headers

On blocked requests:

• X-WAF-Blocked: true
• X-WAF-Rule: <rule_id>

In detect-only mode, the request continues but includes:

• X-WAF-Detected: <rule_ids>

Excluding Paths

Exclude paths from WAF inspection:

sentinel-waf-agent --exclude-paths "/health,/metrics,/static"

False Positive Handling

1. Lower paranoia level - Start with level 1 and increase gradually
2. Exclude paths - Exclude known-safe endpoints
3. Detect-only mode - Monitor before enabling blocking
4. Custom rules - Future feature for rule customization

Comparison with ModSecurity

This agent provides a subset of ModSecurity's OWASP CRS functionality:

For full OWASP CRS compatibility, consider using ModSecurity with Sentinel's external processing.

Development

# Run with debug logging
RUST_LOG=debug cargo run -- --socket /tmp/test.sock --paranoia-level 2

# Run tests
cargo test

License

MIT OR Apache-2.0