SOC Analyst’s Ultimate WAF Playbook: Stop SQLi, XSS & RCE Attacks in Real-Time (Hands-On Labs Inside) + Video

Listen to this Post

Featured Image

Introduction:

A Web Application Firewall (WAF) is far more than a simple “block bad traffic” tool—it is a critical layer of defense that inspects HTTP/S headers, cookies, JSON payloads, and API requests to detect and mitigate common web attacks. For SOC analysts, mastering WAF investigation workflows enables faster triage of SQL injection, cross-site scripting (XSS), remote code execution (RCE), local/remote file inclusion (LFI/RFI), botnets, and DDoS attempts, while reducing false positives through automation and tuning.

Learning Objectives:

  • Analyze WAF logs to identify attack patterns (payloads, user-agent anomalies, geo‑location spikes) and differentiate between automated scans and manual exploitation.
  • Implement custom WAF rules for login pages, admin panels, and APIs using ModSecurity Core Rule Set (CRS) or cloud-native policies.
  • Automate incident response actions—IP blocking, CAPTCHA challenges, session termination—based on real-time WAF alerts and rate anomalies.

You Should Know:

  1. Inspecting HTTP/S Traffic and WAF Logs – A Step‑by‑Step Guide
    WAF logs are typically stored in JSON, syslog, or custom CSV formats. To extract actionable intelligence, you need command-line fu on both Linux and Windows.

Linux (using `jq`, `grep`, `awk`)

Assume a log line:

`{“time”:”2026-05-16T10:00:00Z”,”src_ip”:”45.33.22.11″,”method”:”POST”,”url”:”/login.php”,”status”:403,”payload”:”‘ OR ‘1’=’1″,”rule_id”:942100}`

 Extract all SQLi attempts (rule_id 942100-942199)
cat waf.log | jq 'select(.rule_id | startswith("942")) | {src_ip, url, payload}'

Count unique attacking IPs
cat waf.log | jq -r '.src_ip' | sort | uniq -c | sort -nr | head -10

Find spikes in 403/406 status codes per minute
cat waf.log | awk -F'"' '{print $4}' | cut -d: -f1,2 | sort | uniq -c

Windows (PowerShell)

 Import JSON logs and filter for XSS attempts (rule_id 941100-941199)
Get-Content .\waf.log | ConvertFrom-Json | Where-Object { $_.rule_id -match '941' } | Select-Object src_ip, url, payload

Group by IP and show top attackers
Get-Content .\waf.log | ConvertFrom-Json | Group-Object src_ip | Select-Object Name, Count | Sort-Object Count -Descending | Select-Object -First 10

What this does: Quickly identifies the most active attack sources, targets, and payload types. Use these commands during the first five minutes of an alert to decide whether to block an IP or escalate to incident response.

  1. Blocking SQL Injection & XSS – Enabling and Tuning ModSecurity CRS
    Most open‑source WAFs (like ModSecurity with Apache/Nginx) use the OWASP Core Rule Set. Here’s how to enable it and add custom blocking logic.

Step 1 – Install ModSecurity and CRS (Ubuntu 22.04)

sudo apt update && sudo apt install libapache2-mod-security2 -y
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo git clone https://github.com/coreruleset/coreruleset.git /usr/share/modsecurity-crs
sudo cp /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf

Step 2 – Configure CRS to block SQLi and XSS

Edit `/etc/modsecurity/crs-setup.conf` and set:

SecAction "id:900000, phase:1, nolog, pass, t:none, setvar:tx.detection_paranoia_level=2"
SecAction "id:900100, phase:1, nolog, pass, t:none, setvar:tx.executing_paranoia_level=2"

Step 3 – Test a blocked SQLi payload

curl -X POST "http://localhost/login.php" -d "user=admin' OR '1'='1&pass=x"
 Expected response: 403 Forbidden with a ModSecurity error page

Tuning to reduce false positives – Monitor `/var/log/modsec_audit.log` for legitimate requests that trigger rules, then add `ctl:ruleRemoveById=942100` in a custom rule file for that specific URL.

3. Monitoring Request Rate, Geolocation & Reputation Scores

Combine WAF logs with external intelligence to block abusive scanners. Use `fail2ban` for rate‑based blocking, and `geoiplookup` for country‑specific actions.

Step‑by‑step rate monitoring with `fail2ban`

Create `/etc/fail2ban/jail.d/waf.conf`:

[waf-403]
enabled = true
logpath = /var/log/modsec_audit.log
filter = waf-403
maxretry = 5
findtime = 60
bantime = 3600
action = iptables-multiport[name=WAF, port="http,https", protocol=tcp]

Create filter `/etc/fail2ban/filter.d/waf-403.conf`:

[bash]
failregex = ^.[client <HOST>] ModSecurity:.Access denied.$

Restart fail2ban: `sudo systemctl restart fail2ban`

Geolocation blocking (Linux)

 Get country code for an attacking IP
geoiplookup 45.33.22.11 | awk -F': ' '{print $2}'

Block all traffic from a suspicious country using iptables
sudo iptables -A INPUT -m geoip --src-cc RU,CN,KP -j DROP

For cloud WAF (AWS WAF, Cloudflare), export logs to S3 and use Athena queries:

SELECT src_ip, COUNT() as requests, country 
FROM waf_logs 
WHERE action='BLOCK' AND timestamp > now() - interval '1' hour 
GROUP BY src_ip, country ORDER BY requests DESC;
  1. Creating Practical Rules for Login Pages, Admin Panels & APIs
    Attackers focus on /admin, /api/v1/login, and /wp-admin. Create custom rules that block suspicious patterns without breaking legitimate traffic.

ModSecurity custom rule – block sequential admin page scans

SecRule REQUEST_URI "@rx ^/(admin|wp-admin|manager)" "phase:1,id:10001,msg:'Admin Panel Scan Detected',setvar:tx.admin_scan_count=+1,expirevar:tx.admin_scan_count=10"
SecRule TX:ADMIN_SCAN_COUNT "@gt 3" "phase:1,id:10002,deny,status:403,msg:'Admin Panel Scan Blocked'"

API‑specific rule – enforce JSON content type and block oversized payloads

SecRule REQUEST_HEADERS:Content-Type "!@streq application/json" "phase:1,id:10003,deny,status:415,msg:'Invalid Content-Type for API'"
SecRule REQUEST_BODY "@gt 1048576" "phase:2,id:10004,deny,status:413,msg:'Payload too large'"

Testing the rules

 Should be blocked (wrong Content-Type)
curl -X POST https://yourapp/api/login -H "Content-Type:text/plain" -d '{"user":"test"}'

Should be allowed
curl -X POST https://yourapp/api/login -H "Content-Type:application/json" -d '{"user":"test"}'
  1. Investigating Attacking IPs, 403 Spikes & Payload Patterns
    When a 403/406 spike occurs, you need to pivot quickly. Use `grep` and `awk` to build an investigation timeline.

Step 1 – Identify the time of spike

cat waf.log | awk '{print $1,$2}' | cut -d: -f1-2 | uniq -c
 Look for a minute with > 10x normal volume

Step 2 – Extract all unique payloads during that spike

cat waf.log | grep "2026-05-16T14:35" | jq -r '.payload' | sort | uniq -c | sort -nr

Step 3 – Correlate with user‑agent anomalies

cat waf.log | jq -r '.user_agent' | sort | uniq -c | sort -nr | head -5
 Look for "sqlmap/1.6", "Nuclei", "python-requests", or missing User-Agent

Example investigation output:

A spike at 14:35 shows 47 requests with payload ' UNION SELECT @@version,user() --, all coming from IP `185.130.5.253` with User-Agent sqlmap/1.6. This is a confirmed automated SQL injection campaign – immediate response required.

  1. Responding with IP Blocks, CAPTCHA Challenges & Session Kills
    Automated response can be done via WAF API, firewall, or orchestration tools like TheHive/Cortex.

Immediate IP block using Linux iptables

sudo iptables -A INPUT -s 185.130.5.253 -j DROP
sudo iptables -A OUTPUT -d 185.130.5.253 -j DROP
 Make persistent (Ubuntu)
sudo apt install iptables-persistent && sudo netfilter-persistent save

Trigger CAPTCHA challenge (Cloudflare API example)

curl -X POST "https://api.cloudflare.com/client/v4/zones/ZONE_ID/firewall/rules" \
-H "Authorization: Bearer $CF_TOKEN" \
-H "Content-Type: application/json" \
--data '{"action":"challenge","filter":{"expression":"(ip.src eq 185.130.5.253)"}}'

Session kill via application server (Node.js/Express example)

// Called by webhook from WAF
app.post('/kill-session', (req, res) => {
const badSession = req.body.session_id;
sessionStore.destroy(badSession, (err) => {
if(err) console.error(err);
res.sendStatus(200);
});
});

7. Automating and Tuning to Reduce False Positives

False positives exhaust SOC teams. Build a feedback loop that allows analysts to whitelist without modifying core rules.

Step 1 – Log all blocks to a separate “false‑positive‑candidate” file

In ModSecurity:

SecRule RESPONSE_STATUS "^403$" "id:20000,phase:5,log,msg:'Potential FP',setvar:tx.fp_candidate=1"

Step 2 – Create a weekly review script

 fp_review.py
import json, re
with open('/var/log/waf.log') as f:
for line in f:
entry = json.loads(line)
if entry['rule_id'] in ['942100','941110'] and entry['status'] == 403:
 Check if payload looks like legitimate data (e.g., "O'Brian")
if re.search(r"[a-zA-Z]'[a-zA-Z]", entry['payload']):
print(f"False positive candidate: {entry['src_ip']} -> {entry['url']} payload: {entry['payload']}")

Step 3 – Whitelist legitimate patterns

SecRule REQUEST_URI "@streq /search" "id:20001,phase:1,pass,nolog,ctl:ruleRemoveById=942100"

Run this script weekly and adjust whitelists. Aim for a false positive rate below 1% over a month.

What Undercode Say:

  • Key Takeaway 1: A WAF is only as good as your ability to read its logs. Mastering command-line log analysis (jq, awk, PowerShell) turns raw data into actionable threat intelligence within minutes.
  • Key Takeaway 2: Automation without tuning creates alert fatigue. Build a feedback loop that treats every 403 as a candidate for whitelist review, and use rate‑based blocking (fail2ban) rather than static IP blacklists.

Analysis (approx. 10 lines):

The post emphasizes that SOC analysts must go beyond “block bad traffic” and adopt an investigator mindset. By integrating WAF logs with external tools like geolocation databases, API-driven CAPTCHA challenges, and session kill mechanisms, teams can respond in real time without disrupting users. Practical exercises—such as extracting payload patterns or configuring ModSecurity CRS—bridge the gap between theory and hands-on defense. The inclusion of cloud WAF queries (Athena) and hybrid on‑premise commands ensures relevance across environments. Most importantly, the workflow stresses continuous tuning: false positives are inevitable, but a weekly review script turns them into learning opportunities. This transforms WAF from a noisy blocklist into a precision instrument for web application defense.

Prediction:

As web applications increasingly adopt API‑first architectures and AI‑generated attack payloads evolve, traditional signature‑based WAF rules will become insufficient. Within 24 months, SOC teams will rely on behavioral WAFs that use machine learning to model normal API traffic patterns and automatically generate anomaly detection rules. We’ll see tighter integration between WAFs and SIEM/SOAR platforms, where a single 403 spike triggers an automated playbook: pull vulnerability scan results, correlate with threat intel feeds, and push a temporary CAPTCHA challenge—all without human intervention. However, attackers will counter by using distributed residential proxies and generative AI to craft payloads that mimic legitimate JSON structures, forcing SOC analysts to adopt continuous retraining pipelines. The labs available at platforms like Haxcamp (www.haxcamp.com) will become essential for keeping blue teams sharp against these adaptive threats.

▶️ Related Video (76% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Https: – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky