Skip to main content
Glama
gen0sec

Gen0Sec WAF Rule MCP Server

Official
by gen0sec
OverviewSchemaRelated ServersScoreDiscussions
Python
Hybrid

WAF & Smart-Firewall Rule Generation for Agentic LLMs

An MCP server that lets an LLM author, validate, and test Wirefilter WAF and Smart Firewall rules — grounded in live schema and real CVE exploit templates instead of guesswork.

What it does:

  • Validates rules against a real engine — expressions are checked (and optionally test-matched) through the Wirefilter rules-validator API, so the model gets real pass/fail feedback, not a hallucinated opinion

  • Grounds generation in live schema — serves the authoritative actions / expressions / fields / functions / operators / values straight from the rules-validator, so rules use fields that actually exist

  • Pulls real exploit context — fetches CVE-indexed Nuclei templates from multiple sources (Nuclei Open Source via GitHub, Nuclei Paid via the ProjectDiscovery API) to inform CVE-driven rule generation

  • Self-updating — periodically refreshes the Wirefilter context and CVE template repositories in the background

Runs anywhere Python 3.12+ runs · ships as a Claude Desktop bundle, a stdio MCP server, or an HTTP container

Quick start

Claude Desktop (bundle)

# Prerequisites: uv, and mcpb (npm install -g @anthropic-ai/mcpb)
mcpb pack          # produces gen0sec-mcp-server.mcpb

Open the generated gen0sec-mcp-server.mcpb file — Claude Desktop installs it in about a minute, after which the tools, resources, and prompts are available.

Cursor IDE — local (stdio)

Add to ~/.cursor/mcp.json (%USERPROFILE%\.cursor\mcp.json on Windows):

{
  "mcpServers": {
    "waf-rule-mcp": {
      "command": "uv",
      "args": [
        "run",
        "--project", "/absolute/path/to/mcp-server",
        "/absolute/path/to/mcp-server/server/main.py"
      ],
      "env": {
        "WAF_VALIDATION_API_URL": "https://public.gen0sec.com/v1/waf/validate"
      }
    }
  }
}

WAF_VALIDATION_API_URL is optional — if unset, the value from server/config.yaml is used. Restart Cursor to apply.

Docker (HTTP)

docker build -t waf-rule-mcp .
docker run -p 8000:8000 waf-rule-mcp

Then point your MCP client at it:

{
  "mcpServers": {
    "waf-rule-mcp": { "url": "http://localhost:8000" }
  }
}

The WAF rule validation API must be reachable for the validation tools to work. Set its URL via WAF_VALIDATION_API_URL or server/config.yaml.

MCP surface

Tools

Tool

Purpose

fetch_cve_vulnerability_template

Retrieve a CVE-indexed vulnerability template from a preferred source (Nuclei Open Source or Nuclei Paid API)

fetch_cve_from_all_sources

Fetch a CVE template from all enabled sources for cross-source comparison

list_cve_sources

List the registered CVE source plugins and their status

validate_waf_expression

Validate a Wirefilter rule expression (rule_type selects the scheme)

validate_waf_expression_with_tests

Validate a Wirefilter rule and match it against test data (mock data if none given)

get_waf_context

Fetch WAF context from Wirefilter docs: actions, expressions, fields, functions, operators, values

get_rule_fields

Fetch the live, authoritative Wirefilter field/function schema directly from the rules-validator

Resources

URI

Reference

wafcontext://actions

Actions available in the Rules language

wafcontext://expressions

Expressions available in the Rules language

wafcontext://fields

Fields available in the Rules language

wafcontext://functions

Functions available in the Rules language

wafcontext://operators

Operators available in the Rules language

wafcontext://values

Values available in the Rules language

Prompts

Prompt

Generates a rule from…

natural_waf_rule_generation_prompt

a natural-language description

cve_waf_rule_generation_prompt

a CVE index

smart_firewall_rule_generation_prompt

a natural-language description, as an L3/L4 + JA4 Smart Firewall rule (no http.* fields; block/allow actions)

Architecture

flowchart TD
    LLM([Agentic LLM / MCP client]) <--> MCP

    subgraph MCP[Gen0Sec WAF Rule MCP Server]
        T[Tools]
        R["Resources<br/>wafcontext://*"]
        P[Prompts]
        RU[Resource updater<br/>periodic refresh]
    end

    T -->|validate / fields| RV[Wirefilter rules-validator API]
    R -->|live schema| RV
    T -->|CVE templates| CS

    subgraph CS[CVE sources]
        N1[Nuclei Open Source<br/>GitHub]
        N2[Nuclei Paid<br/>ProjectDiscovery API]
    end

    RU -.refreshes.-> CS
    RU -.refreshes.-> RV

Documentation

Gen0Sec Docs

Product documentation and guides

server/config.yaml

Validation API URL, CVE source toggles, update intervals

manifest.json

Claude Desktop bundle manifest and user-configurable options

Wirefilter

The rule expression language this server targets

Thank you!

This server cannot be installed

A
license - permissive license
-
quality - not tested
B
maintenance

How are these scores calculated?

Maintenance

Maintainers
Response time
6wRelease cycle
5Releases (12mo)

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/gen0sec/mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server