[WEB SECURITY] Query: Open Source Web Application Firewalls

Neil Matatall nmatatal at uci.edu
Wed Aug 19 16:37:02 EDT 2009


Disclaimer:  I'm not trying to start a WAF comparison war or debate the 
usefulness of WAFs!

Does anyone know of a list of OS WAFs?  The OWASP WAF 
<http://www.owasp.org/index.php/Web_Application_Firewall> page lists 
ModSecurity and WebKnight, but I am looking for more.  The only criteria 
that matters to me is that the WAF be open source.  I'm looking for any 
type of WAF whether it's an apache module, ISAPI filter, etc. or if you 
can set it up as a standalone appliance (like proxying everything 
through a ModSecurity instance). 

Yes, the definition of WAF is quite broad here.  Signature detection 
only would be considered a WAF in my case. 

Or if you know a few off the top of your head, I don't mind compiling a 
list myself.  Also, any experience you've had with these tools (other 
than ModSecurity/WebKnight) would be greatly appreciated. 

A Google search for "open source web application firewall -apache 
-modsecurity -webknight" resulted in Guardian 
<http://guardian.jumperz.net/index.html>, any feedback on this product?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20090819/dd2416f1/attachment.html>

More information about the websecurity mailing list