WAF MCP Server
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| WAF_DEBUG | No | Set to any value to enable debug logging | |
| WAF_DOMAIN | No | Domain for WAF test requests | https://localhost |
| IPINFO_TOKEN | No | ipinfo.io token for IP geolocation | |
| WAF_LOGS_SINCE | No | Default time window for log queries | 24h |
| WAF_COMPOSE_DIR | Yes | Path to directory containing docker-compose.yml | |
| WAF_COMPOSE_FILE | No | Docker Compose filename | docker-compose.yml |
| WAF_EXCLUSIONS_FILE | No | Path to CRS exclusions file (relative to compose dir) | modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf |
| WAF_CONTAINER_PATTERN | No | Grep pattern to find the ModSecurity container | modsecurity |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | `{"listChanged": true}` |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| waf_overview | High-level WAF dashboard: total events, unique IPs, unique rules, events in last hour. Start here to assess if anything needs attention. |
| waf_top_ips | Top attacking IPs with hit counts, geo info, and last seen timestamp. Use to identify most active sources. |
| waf_top_rules | Most frequently triggered WAF rules with severity and description. Use to identify dominant attack patterns. |
| waf_fp_candidates | Rules that triggered on HTTP 2xx responses — likely false positives. Critical for WAF tuning. |
| waf_events_by_ip | Drill into events from a specific IP address. Shows timestamps, methods, URIs, HTTP codes, and triggered rules. |
| waf_events_by_rule | Drill into events that triggered a specific rule. Shows timestamps, IPs, methods, URIs, HTTP codes, and matched data. |
| waf_event_detail | Full deep-dive into a single event by index. Shows all request headers, body snippet, all rule matches with matched data, and response code. |
| waf_status | Get WAF container health, engine mode, rules loaded, and paranoia level. |
| waf_set_engine | Change WAF engine mode: On (actively blocking), Off (disabled), or DetectionOnly (log without blocking). |
| waf_set_paranoia | Set CRS paranoia level (1-4). Level 1 is minimal rules, level 4 is maximum security with more false positives. |
| waf_disable_rule | Disable a specific ModSecurity rule by ID to suppress false positives. |
| waf_enable_rule | Re-enable a previously disabled ModSecurity rule by ID. |
| waf_allow_ip | Whitelist an IP address to bypass WAF inspection entirely. |
| waf_deny_ip | Remove an IP address from the WAF whitelist. |
| waf_test | Run the WAF test suite to verify blocking and pass-through rules are working correctly. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| No resources | |
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/KratosUAE/waf_mcp'