Why We're Beating Modsecurity
The post showcases RhinoWAF, an alternative to Modsecurity, and receives positive feedback from the community, with discussions around its features and potential applications.
Snapshot generated from the HN discussion
Key moments
- Story posted: Oct 29, 2025 at 5:58 PM EDT
- First comment: Oct 29, 2025 at 5:58 PM EDT (0s after posting)
- Latest activity: Oct 29, 2025 at 8:55 PM EDT
ID: 45753629 | Type: story | Last synced: 11/17/2025, 8:09:03 AM
Does RhinoWAF support ModSecurity SecLang rulesets like OWASP CRS? Is there a SecLang to RhinoWAF JSON converter?
Shouldn't eBPF be fast at sorting and running rules?
What are good metrics for evaluating WAFs?
coraza: https://github.com/corazawaf/coraza
bunkerweb: https://github.com/bunkerity/bunkerweb
SafeLine: https://github.com/chaitin/SafeLine
RhinoWAF: https://github.com/1rhino2/RhinoWAF
gh topic: waf: https://github.com/topics/waf
awesome-WAF: https://github.com/0xInfection/Awesome-WAF
TPR: True Positive Rate (Detection Rate), TNR: True Negative Rate, FPR: False Positive Rate ("ROC Curve")
Accuracy = TP + TN / # Requests
Latency / Detection Time as percentiles
Throughput: response time in ms given requests per second
Time to Virtual Patch, and CI/CD rule deployment integration
DDoS Response Time: How quickly does the WAF mitigate a Layer 7 (application) DDoS attack?
... Rule Management Overhead: MTTT: Mean Time To Tune, Policy Complexity; CI/CD, SIEM/SOAR integration; https://gemini.google.com/share/0d2d1c53bfb0
awesome-ebpf > Kernel docs, examples, "eBPF/XDP hardware offload to SmartNICs", Go libraries: https://github.com/zoidyzoidzoid/awesome-ebpf#go-libraries
/? ebpf waf site:github.com https://www.google.com/search?q=+ebpf+waf+site%3Agithub.com
harporoeder/ebpfsnitch: "Linux Application Level Firewall based on eBPF and NFQUEUE" https://github.com/harporoeder/ebpfsnitch
ebpf-security/ebpf-https: "eBPF-https is an open source web application firewall (WAF)" https://github.com/ebpf-security/ebpf-https
cilium/cilium: https://github.com/cilium/cilium :
> Cilium is a networking, observability, and security solution with an eBPF-based dataplane. It provides a simple flat Layer 3 network with the ability to span multiple clusters in either a native routing or overlay mode. It is L7-protocol aware and can enforce network policies on L3-L7 using an identity based security model that is decoupled from network addressing.
Just to clarify, we are not a company of any sorts, simply people willing to help.
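The detection-rate, ROC and latency-percentile metrics listed in the thread above can be computed from a labelled replay of test traffic. The following is an added example, not part of the discussion and not code from RhinoWAF or any project linked here. It assumes the WAF under test reports a per-request anomaly score and blocks at or above a threshold; the `Record` fields and the sample data are constructed for illustration.

```python
import math
from typing import NamedTuple

class Record(NamedTuple):
    is_attack: bool    # ground-truth label from the test corpus
    score: int         # anomaly score reported by the WAF (hypothetical field)
    latency_ms: float  # processing time the WAF added to this request

def rates(records, threshold):
    """TPR/TNR/FPR/accuracy when requests scoring >= threshold are blocked."""
    tp = sum(r.is_attack and r.score >= threshold for r in records)
    fp = sum(not r.is_attack and r.score >= threshold for r in records)
    attacks = sum(r.is_attack for r in records)
    benign = len(records) - attacks
    tn = benign - fp
    return {
        "tpr": tp / attacks if attacks else 0.0,
        "tnr": tn / benign if benign else 0.0,
        "fpr": fp / benign if benign else 0.0,
        "accuracy": (tp + tn) / len(records) if records else 0.0,
    }

def roc_points(records):
    """(threshold, FPR, TPR) for each distinct score, strictest threshold first."""
    points = []
    for t in sorted({r.score for r in records}, reverse=True):
        m = rates(records, t)
        points.append((t, m["fpr"], m["tpr"]))
    return points

def percentile(values, p):
    """Nearest-rank percentile for p in (0, 100]."""
    if not values:
        raise ValueError("no latency samples")
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]

# Constructed sample: 4 attack requests and 6 benign requests.
SAMPLE = [
    Record(True, 15, 2.1), Record(True, 10, 1.8), Record(True, 5, 1.9),
    Record(True, 0, 0.7), Record(False, 0, 0.6), Record(False, 0, 0.5),
    Record(False, 0, 0.8), Record(False, 5, 1.7), Record(False, 0, 0.6),
    Record(False, 3, 9.4),
]

if __name__ == "__main__":
    print(rates(SAMPLE, 5))
    print(roc_points(SAMPLE))
    print([percentile([r.latency_ms for r in SAMPLE], p) for p in (50, 95)])
```

Sweeping the threshold shows the trade-off a single accuracy figure hides: on this sample, thresholds 5 and 10 give the same accuracy but different detection and false-positive rates.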