Gen0Sec WAF Rule Server
FreeNot checkedEnables an LLM to author, validate, and test Wirefilter WAF and Smart Firewall rules using live schema and real CVE exploit templates.
About
Enables an LLM to author, validate, and test Wirefilter WAF and Smart Firewall rules using live schema and real CVE exploit templates.
README
WAF & Smart-Firewall Rule Generation for Agentic LLMs
An MCP server that lets an LLM author, validate, and test Wirefilter WAF and Smart Firewall rules — grounded in live schema and real CVE exploit templates instead of guesswork.
What it does:
- Validates rules against a real engine — expressions are checked (and optionally test-matched) through the Wirefilter rules-validator API, so the model gets real pass/fail feedback, not a hallucinated opinion
- Grounds generation in live schema — serves the authoritative actions / expressions / fields / functions / operators / values straight from the rules-validator, so rules use fields that actually exist
- Pulls real exploit context — fetches CVE-indexed Nuclei templates from multiple sources (Nuclei Open Source via GitHub, Nuclei Paid via the ProjectDiscovery API) to inform CVE-driven rule generation
- Self-updating — periodically refreshes the Wirefilter context and CVE template repositories in the background
Runs anywhere Python 3.12+ runs · ships as a Claude Desktop bundle, a stdio MCP server, or an HTTP container
Quick start
Claude Desktop (bundle)
# Prerequisites: uv, and mcpb (npm install -g @anthropic-ai/mcpb)
mcpb pack # produces gen0sec-mcp-server.mcpb
Open the generated gen0sec-mcp-server.mcpb file — Claude Desktop installs it in about a minute, after which the tools, resources, and prompts are available.
Cursor IDE — local (stdio)
Add to ~/.cursor/mcp.json (%USERPROFILE%\.cursor\mcp.json on Windows):
{
"mcpServers": {
"waf-rule-mcp": {
"command": "uv",
"args": [
"run",
"--project", "/absolute/path/to/mcp-server",
"/absolute/path/to/mcp-server/server/main.py"
],
"env": {
"WAF_VALIDATION_API_URL": "https://public.gen0sec.com/v1/waf/validate"
}
}
}
}
WAF_VALIDATION_API_URL is optional — if unset, the value from server/config.yaml is used. Restart Cursor to apply.
Docker (HTTP)
docker build -t waf-rule-mcp .
docker run -p 8000:8000 waf-rule-mcp
Then point your MCP client at it:
{
"mcpServers": {
"waf-rule-mcp": { "url": "http://localhost:8000" }
}
}
The WAF rule validation API must be reachable for the validation tools to work. Set its URL via
WAF_VALIDATION_API_URLorserver/config.yaml.
MCP surface
Tools
| Tool | Purpose |
|---|---|
fetch_cve_vulnerability_template |
Retrieve a CVE-indexed vulnerability template from a preferred source (Nuclei Open Source or Nuclei Paid API) |
fetch_cve_from_all_sources |
Fetch a CVE template from all enabled sources for cross-source comparison |
list_cve_sources |
List the registered CVE source plugins and their status |
validate_waf_expression |
Validate a Wirefilter rule expression (rule_type selects the scheme) |
validate_waf_expression_with_tests |
Validate a Wirefilter rule and match it against test data (mock data if none given) |
get_waf_context |
Fetch WAF context from Wirefilter docs: actions, expressions, fields, functions, operators, values |
get_rule_fields |
Fetch the live, authoritative Wirefilter field/function schema directly from the rules-validator |
Resources
| URI | Reference |
|---|---|
wafcontext://actions |
Actions available in the Rules language |
wafcontext://expressions |
Expressions available in the Rules language |
wafcontext://fields |
Fields available in the Rules language |
wafcontext://functions |
Functions available in the Rules language |
wafcontext://operators |
Operators available in the Rules language |
wafcontext://values |
Values available in the Rules language |
Prompts
| Prompt | Generates a rule from… |
|---|---|
natural_waf_rule_generation_prompt |
a natural-language description |
cve_waf_rule_generation_prompt |
a CVE index |
smart_firewall_rule_generation_prompt |
a natural-language description, as an L3/L4 + JA4 Smart Firewall rule (no http.* fields; block/allow actions) |
Architecture
flowchart TD
LLM([Agentic LLM / MCP client]) <--> MCP
subgraph MCP[Gen0Sec WAF Rule MCP Server]
T[Tools]
R["Resources<br/>wafcontext://*"]
P[Prompts]
RU[Resource updater<br/>periodic refresh]
end
T -->|validate / fields| RV[Wirefilter rules-validator API]
R -->|live schema| RV
T -->|CVE templates| CS
subgraph CS[CVE sources]
N1[Nuclei Open Source<br/>GitHub]
N2[Nuclei Paid<br/>ProjectDiscovery API]
end
RU -.refreshes.-> CS
RU -.refreshes.-> RV
Documentation
| Gen0Sec Docs | Product documentation and guides |
| server/config.yaml | Validation API URL, CVE source toggles, update intervals |
| manifest.json | Claude Desktop bundle manifest and user-configurable options |
| Wirefilter | The rule expression language this server targets |
Thank you!
- Cloudflare for Wirefilter
- ProjectDiscovery for the Nuclei templates
Install Gen0Sec WAF Rule Server in Claude Desktop, Claude Code & Cursor
unyly install gen0sec-waf-rule-mcp-serverInstalls into Claude Desktop, Claude Code, Cursor & VS Code — handles npx, uvx and build-from-source repos for you.
First time? Get the CLI: curl -fsSL https://unyly.org/install | sh
Or configure manually
Run in your terminal:
claude mcp add gen0sec-waf-rule-mcp-server -- uvx --from git+https://github.com/gen0sec/mcp-server gen0sec-waf-rule-mcpFAQ
Is Gen0Sec WAF Rule Server MCP free?
Yes, Gen0Sec WAF Rule Server MCP is free — one-click install via Unyly at no cost.
Does Gen0Sec WAF Rule Server need an API key?
No, Gen0Sec WAF Rule Server runs without API keys or environment variables.
Is Gen0Sec WAF Rule Server hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install Gen0Sec WAF Rule Server in Claude Desktop, Claude Code or Cursor?
Open Gen0Sec WAF Rule Server on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
Fetch
Web content fetching and conversion for efficient LLM usage.
AWS KB Retrieval
Retrieval from AWS Knowledge Base using Bedrock Agent Runtime.
by modelcontextprotocolSpring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
llm-analysis-assistant
A very streamlined mcp client that supports calling and monitoring stdio/sse/streamableHttp, and can also view request responses through the /logs page. It also
by xuzexin-hzCompare Gen0Sec WAF Rule Server with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All ai MCPs
