[WEB SECURITY] Query: Open Source Web Application Firewalls

Ofer Shezaf ofer at shezaf.com
Wed Aug 19 18:47:54 EDT 2009

I list one or two more in my WAF list: http://www.xiom.com/waf/products


~  Ofer


Ofer Shezaf, ofer at shezaf.com, +972-54-4431119

Read my professoinal blog at http://blog.xiom.com


From: Neil Matatall [mailto:nmatatal at uci.edu] 
Sent: Thursday, August 20, 2009 12:26 AM
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Query: Open Source Web Application Firewalls


Thanks to the senders of the offlist responses.  I need to clarify that I am
just compiling a list of options for a presentation so the quality of the
WAF is relevant, but the variety of options is more important to me. 

One that was brought to my attention was PHPIDS

So far:


Neil Matatall wrote: 


Disclaimer:  I'm not trying to start a WAF comparison war or debate the
usefulness of WAFs!

Does anyone know of a list of OS WAFs?  The OWASP WAF
<http://www.owasp.org/index.php/Web_Application_Firewall>  page lists
ModSecurity and WebKnight, but I am looking for more.  The only criteria
that matters to me is that the WAF be open source.  I'm looking for any type
of WAF whether it's an apache module, ISAPI filter, etc. or if you can set
it up as a standalone appliance (like proxying everything through a
ModSecurity instance).  

Yes, the definition of WAF is quite broad here.  Signature detection only
would be considered a WAF in my case.  

Or if you know a few off the top of your head, I don't mind compiling a list
myself.  Also, any experience you've had with these tools (other than
ModSecurity/WebKnight) would be greatly appreciated.  

A Google search for "open source web application firewall -apache
-modsecurity -webknight" resulted in Guardian
<http://guardian.jumperz.net/index.html> , any feedback on this product?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20090820/285832c8/attachment.html>

More information about the websecurity mailing list