3.2 WAF – Web Application Firewall
The Web Application Firewall (WAF) in ShieldsGuard is an advanced, multi-layered security engine designed to protect your applications against all known Layer 7 threats — from SQL injection to file inclusion, command injection, and even data leakage.
ShieldsGuard supports three different WAF models, each accessible via separate tabs:
ShieldsGuard WAF (recommended — proprietary engine)
ModSecurity v4 (community/open standard ruleset)
ModSecurity v3 (legacy compatibility ruleset)
⚠️ Only one rule set can be active at any given time. If ShieldsGuard WAF is active, v3 and v4 are automatically disabled, and vice versa.
We strongly recommend using ShieldsGuard WAF for best security, performance, and enterprise-grade rule support.
ShieldsGuard WAF is a custom-built, proprietary firewall engine developed by the ShieldsGuard security engineering team. It contains handcrafted, threat-intelligence-enhanced rules, designed to detect and stop real-world attack patterns before they ever reach your application.
It is continuously updated and optimized for:
Performance under high load
Low false-positive rates
Real-time botnet and CVE protection
Enterprise-grade precision
Below is the complete list of available .conf modules within ShieldsGuard WAF:

| Module | Description |
|---|---|
| 00_asl_whitelist.conf | Whitelisted IP/User-Agent definitions |
| 00_asl_x_searchengines.conf | X search engine behavior filtering |
| 00_asl_y_searchengines.conf | Y search engine behavior filtering |
| 00_asl_z_aa_threat_intelligence.conf | Real-time threat intelligence integration |
| 00_asl_z_antievasion.conf | Evasion technique detection |
| 00_asl_zz_strict.conf | Strict mode for aggressive filtering |
| 01_asl_content.conf | General content attack detection |
| 01_asl_content_smuggling.conf | HTTP smuggling prevention |
| 01_asl_content_z.conf | Extended payload filtering |
| 03_asl_dos.conf | Application-layer DoS and slowloris protection |
| 05_asl_exclude.conf | Global exclusions definition |
| 10_asl_antimalware.conf | Malware upload and binary detection |
| 11_asl_brute_enhanced.conf | Bruteforce attack blocking |
| 11_asl_data_loss.conf | Sensitive data exfiltration attempts |
| 12_asl_adv_rules.conf | Advanced heuristics for dynamic payloads |
| 12_asl_adv_xss_rules.conf | Cross-Site Scripting (XSS) protection |
| 12_asl_brute.conf | Basic bruteforce detection |
| 13_asl_brute_enhanced.conf | Extended bruteforce detection |
| 13_asl_command_injection.conf | OS command injection blocking |
| 20_asl_useragents.conf | Suspicious user-agent filtering |
| 21_asl_useragents.conf | Known malicious agent blocking |
| 30_asl_antispam.conf | Spam bots and injection via forms |
| 31_asl_urispam.conf | URI-based spam detection |
| 45_asl_hpp.conf | HTTP parameter pollution detection |
| 50_asl_rootkits.conf | Known webshell/rootkit patterns |
| 51_asl_paranoid_extra.conf | Paranoid-level detection logic |
| 51_asl_rootkits.conf | Enhanced rootkit detection |
| 51_asl_wordpress_extra.conf | Additional rules for WordPress hardening |
| 60_asl_recons.conf | Reconnaissance & fingerprinting detection |
| 61_asl_recons_dlp.conf | Data leak prevention during scans |
| 80_asl_proxy_abuse.conf | Proxy chaining, Tor & VPN abuse |
| 98_asl_jitp.conf | Just-in-time payload heuristics |
| 99_asl_jitp.conf | Extended payload interpretation logic |
🛠️ Enterprise users receive assistance in tuning these rules with direct engineer access and 24/7 monitoring options.
📘 ModSecurity v4 Rule Set
💡 Description
ModSecurity v4 is a structured, open-source, community-driven ruleset built around OWASP Core Rule Set (CRS) standards. ShieldsGuard supports v4 through modular .conf files, each focusing on specific vulnerabilities or exploit methods.
🔧 Example Rules:
| Rule file | Description |
|---|---|
| REQUEST-901-INITIALIZATION.conf | Rule engine initialization |
| REQUEST-905-COMMON-EXCEPTIONS.conf | General exceptions for stability |
| REQUEST-911-METHOD-ENFORCEMENT.conf | Enforce allowed HTTP methods |
| REQUEST-913-SCANNER-DETECTION.conf | Identify automated vulnerability scanners |
| REQUEST-920-PROTOCOL-ENFORCEMENT.conf | Detect malformed HTTP requests |
| REQUEST-921-PROTOCOL-ATTACK.conf | Detect protocol-based evasion |
| REQUEST-922-MULTIPART-ATTACK.conf | Detect file upload boundary attacks |
| REQUEST-930-APPLICATION-ATTACK-LFI.conf | Local File Inclusion |
| REQUEST-931-APPLICATION-ATTACK-RFI.conf | Remote File Inclusion |
| REQUEST-932-APPLICATION-ATTACK-RCE.conf | Remote Code Execution attempts |
| REQUEST-933-APPLICATION-ATTACK-PHP.conf | PHP-specific attack patterns |
| REQUEST-934-APPLICATION-ATTACK-GENERIC.conf | Generic payload anomalies |
| REQUEST-941-APPLICATION-ATTACK-XSS.conf | Cross-site scripting |
| REQUEST-942-APPLICATION-ATTACK-SQLI.conf | SQL injection detection |
| REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf | Session hijack prevention |
| REQUEST-944-APPLICATION-ATTACK-JAVA.conf | Java-targeted attacks |
| REQUEST-949-BLOCKING-EVALUATION.conf | Decide if request should be blocked |
| RESPONSE-950-DATA-LEAKAGES.conf | Generic data leakage (SSN, CCN, etc.) |
| RESPONSE-951-DATA-LEAKAGES-SQL.conf | SQL error-based leakage |
| RESPONSE-952-DATA-LEAKAGES-JAVA.conf | Java stack leakage |
| RESPONSE-953-DATA-LEAKAGES-PHP.conf | PHP error output |
| RESPONSE-954-DATA-LEAKAGES-IIS.conf | IIS debug info |
| RESPONSE-955-WEB-SHELLS.conf | Known web shell signatures |
| RESPONSE-959-BLOCKING-EVALUATION.conf | Final blocking stage |
| RESPONSE-980-CORRELATION.conf | Multi-rule correlation logic |
ModSecurity v3 is a lightweight, simplified version of v4, maintained for legacy compatibility. While not as complete or intelligent as v4 or ShieldsGuard WAF, it offers baseline protection for older stacks.
| Rule file | Description |
|---|---|
| REQUEST-901-INITIALIZATION.conf | Rule engine initialization |
| REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf | Drupal exclusions |
| REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf | WordPress exclusions |
| REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf | NextCloud exclusions |
| REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf | DokuWiki |
| REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf | cPanel |
| REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf | XenForo |
| REQUEST-905-COMMON-EXCEPTIONS.conf | Common exclusions |
| REQUEST-910-IP-REPUTATION.conf | IP reputation match |
| REQUEST-911-METHOD-ENFORCEMENT.conf | Method enforcement |
| REQUEST-912-DOS-PROTECTION.conf | DoS detection |
| REQUEST-913-SCANNER-DETECTION.conf | Scanner detection |
| REQUEST-920-PROTOCOL-ENFORCEMENT.conf | Protocol enforcement |
| REQUEST-921-PROTOCOL-ATTACK.conf | Protocol manipulation |
| REQUEST-922-MULTIPART-ATTACK.conf | Multipart abuse |
| REQUEST-930 to 944 | Application-level attacks |
| RESPONSE-950 to 980 | Data leakage and block logic |
1. Go to Protection > WAF
2. Enable WAF Control (top toggle)
3. Select the desired WAF rule engine tab (ShieldsGuard WAF / v4 / v3)
4. Activate the .conf modules relevant to your environment
5. Save and monitor – changes apply immediately
Always use ShieldsGuard WAF unless legacy compatibility is strictly required
For CMS users (WordPress, Drupal, NextCloud), enable only one CMS exclusion rule at a time
Enable all critical attack class protections (SQLi, XSS, RCE)
Disable unused protocol types to reduce false positives
For enterprise environments, contact the ShieldsGuard team for:
Rule tuning
False positive mitigation
Custom platform rules
CVE simulation and patching
ShieldsGuard WAF provides a complete application-layer security solution with options tailored for all needs — from enterprises needing expert-backed protection to legacy systems requiring minimal rules.
🔐 Choose one rule engine. Activate only what you need. Let ShieldsGuard handle the rest.