Web Application Firewall
WAF log events with OWASP CRS rule detections (SQLi, XSS, RCE, LFI, SSRF), bot management, rate limiting, geo-blocking, and CAPTCHA challenges — modeled after ModSecurity with realistic attack payloads and GeoIP data.
Quick Start

```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/security-waf/generator.yml \
  --id waf-01 \
  --live-mode true
```

Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| allowed | Allowed Traffic | 73.9% | web, network |
| sqli | SQL Injection | 4.9% | web, intrusion_detection |
| xss | Cross-Site Scripting | 3.9% | web, intrusion_detection |
| rate-limit | Rate Limiting | 3.9% | web, intrusion_detection |
| bot-detection | Bot Detection | 3.0% | web, intrusion_detection |
| rce | Remote Code Execution | 2.0% | web, intrusion_detection |
| lfi | Local File Inclusion | 2.0% | web, intrusion_detection |
| geo-block | Geo-Blocking | 2.0% | web, intrusion_detection |
| captcha-challenge | CAPTCHA Challenge | 1.5% | web, authentication |
| ssrf | Server-Side Request Forgery | 1.5% | web, intrusion_detection |
| protocol-violation | Protocol Violation | 1.5% | web, network |
Realism Features
- OWASP CRS 3.x/4.x rule IDs across 6 attack categories (SQLi, XSS, RCE, LFI, SSRF, protocol enforcement)
- 35 realistic attack payloads including SQL tautology, UNION injection, XSS event handlers, path traversal, and SSRF cloud metadata
- 45 target URLs spanning pages, APIs, static assets, and well-known paths
- 26 user agents covering browsers, mobile, bots, developer tools, and vulnerability scanners (sqlmap, nikto, nuclei)
- GeoIP data for 18 cities across 14 countries with geo-blocking from restricted nations
- MITRE ATT&CK tactic/technique mapping on all attack events
Sample Output

```json
{
  "@timestamp": "2026-03-04T14:30:25.654321+00:00",
  "event": {
    "action": "denied",
    "category": ["web", "intrusion_detection"],
    "dataset": "waf.log",
    "kind": "alert",
    "module": "waf",
    "outcome": "failure",
    "severity": 2,
    "type": ["access", "denied"]
  },
  "http": {
    "request": { "bytes": 891, "method": "POST" },
    "response": { "status_code": 403 },
    "version": "1.1"
  },
  "message": "SQL Injection Attack Detected via libinjection",
  "observer": {
    "hostname": "waf-prod-01",
    "product": "WAF",
    "type": "waf",
    "vendor": "ModSecurity"
  },
  "rule": {
    "category": "SQLI",
    "id": "942100",
    "name": "SQL Injection Attack Detected via libinjection",
    "ruleset": "OWASP CRS"
  },
  "source": {
    "ip": "198.51.100.73",
    "geo": {
      "city_name": "Moscow",
      "country_iso_code": "RU",
      "country_name": "Russia"
    }
  },
  "threat": {
    "tactic": { "name": ["Initial Access"] },
    "technique": { "name": ["Exploit Public-Facing Application"] }
  },
  "url": {
    "domain": "app.example.com",
    "path": "/api/v1/search",
    "scheme": "https"
  },
  "waf": {
    "action": "blocked",
    "anomaly_score": 15,
    "matched_data": "' OR 1=1--",
    "matched_var": "ARGS",
    "mode": "blocking",
    "rule_count": 2
  },
  "tags": ["waf", "attack-sqli"]
}
```

Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | waf-prod-01 | WAF node hostname |
| server_name | app.example.com | Protected web application domain |
| server_ip | 10.0.1.50 | Backend server IP address |
| waf_vendor | ModSecurity | WAF product name |
| waf_mode | blocking | WAF operating mode (blocking/detection) |
| agent_id | c4f2e8a1-... | Filebeat agent UUID |
| agent_version | 8.17.0 | Filebeat agent version |
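The events this pack emits are meant to be consumed by a SIEM or detection pipeline, so here is a small triage script written for this page (it is not part of the content pack) that reads NDJSON in the schema shown under Sample Output. It groups attack categories per source IP to surface scanner-like behaviour, and, for events produced with `waf_mode` set to `detection`, flags requests whose `waf.anomaly_score` would have been denied in blocking mode. The sample lines are constructed, and the inbound threshold of 5 is an assumption taken from the OWASP CRS default rather than from this page.

```python
import json
from collections import defaultdict

# Constructed sample lines following the Sample Output schema (not real generator output).
SAMPLE_NDJSON = """\
{"event":{"action":"denied"},"rule":{"category":"SQLI"},"source":{"ip":"198.51.100.73","geo":{"country_iso_code":"RU"}},"waf":{"anomaly_score":15,"mode":"blocking"}}
{"event":{"action":"denied"},"rule":{"category":"XSS"},"source":{"ip":"198.51.100.73","geo":{"country_iso_code":"RU"}},"waf":{"anomaly_score":10,"mode":"blocking"}}
{"event":{"action":"denied"},"rule":{"category":"LFI"},"source":{"ip":"198.51.100.73","geo":{"country_iso_code":"RU"}},"waf":{"anomaly_score":10,"mode":"blocking"}}
{"event":{"action":"allowed"},"rule":{"category":"RCE"},"source":{"ip":"203.0.113.9","geo":{"country_iso_code":"US"}},"waf":{"anomaly_score":8,"mode":"detection"}}
{"event":{"action":"allowed"},"rule":{"category":"PROTOCOL"},"source":{"ip":"203.0.113.9","geo":{"country_iso_code":"US"}},"waf":{"anomaly_score":2,"mode":"detection"}}
{"event":{"action":"allowed"},"source":{"ip":"192.0.2.17","geo":{"country_iso_code":"DE"}},"waf":{"anomaly_score":0,"mode":"blocking"}}
"""


def get(event, path, default=None):
    """Walk a dotted ECS-style path such as 'source.geo.country_iso_code'."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def triage(ndjson, min_categories=3, inbound_threshold=5):
    """Return scanner-like sources and detection-mode events that blocking mode would have denied."""
    categories = defaultdict(set)  # source IP -> distinct rule categories triggered
    would_block = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ip = get(ev, "source.ip")
        cat = get(ev, "rule.category")
        score = get(ev, "waf.anomaly_score", 0)
        if cat:
            categories[ip].add(cat)
        # CRS anomaly scoring: a score at or above the inbound threshold (assumed 5, the CRS default)
        # is denied in blocking mode; in detection mode it is only logged, so surface it for review.
        if get(ev, "waf.mode") == "detection" and score >= inbound_threshold:
            would_block.append({"ip": ip, "category": cat, "score": score})
    # A single source tripping several unrelated categories looks like a scanner, not a targeted probe.
    scanners = sorted(ip for ip, cats in categories.items() if len(cats) >= min_categories)
    return {"scanners": scanners, "would_block": would_block}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_NDJSON), indent=2))
```

Point the script at `--live-mode` output piped to a file and it will report which sources hit multiple CRS categories and which detection-mode hits would have turned into 403s.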
Related Generators
Suricata IDS/IPS
Suricata EVE JSON output — IDS alerts with ET Open signatures, DNS/HTTP/TLS/SSH protocol logs, NetFlow records, and anomaly detections with correlated flow IDs and MITRE ATT&CK mapping.
Palo Alto Threat
Palo Alto PAN-OS Threat logs — IPS vulnerability exploits, antivirus detections, anti-spyware (DNS sinkhole and C2 callback), WildFire cloud verdicts, file type matching, and network scan detection with correlated severity, action, and threat category fields.
Palo Alto URL Filtering
Palo Alto PAN-OS URL Filtering logs — web browsing activity with 65+ URL categories, allow/block/continue/override actions, App-ID application attribution, and content type inspection.