An MCP server that lets an LLM author, validate, and test Wirefilter WAF and Smart Firewall rules — grounded in live schema and real CVE exploit templates instead of guesswork.
What it does:
- Validates rules against a real engine — expressions are checked (and optionally test-matched) through the Wirefilter rules-validator API, so the model gets real pass/fail feedback, not a hallucinated opinion
- Grounds generation in live schema — serves the authoritative actions / expressions / fields / functions / operators / values straight from the rules-validator, so rules use fields that actually exist
- Pulls real exploit context — fetches CVE-indexed Nuclei templates from multiple sources (Nuclei Open Source via GitHub, Nuclei Paid via the ProjectDiscovery API) to inform CVE-driven rule generation
- Self-updating — periodically refreshes the Wirefilter context and CVE template repositories in the background
Runs anywhere Python 3.12+ runs · ships as a Claude Desktop bundle, a stdio MCP server, or an HTTP container
```bash
# Prerequisites: uv, and mcpb (npm install -g @anthropic-ai/mcpb)
mcpb pack   # produces gen0sec-mcp-server.mcpb
```

Open the generated `gen0sec-mcp-server.mcpb` file — Claude Desktop installs it in about a minute, after which the tools, resources, and prompts are available.
Add to `~/.cursor/mcp.json` (`%USERPROFILE%\.cursor\mcp.json` on Windows):

```json
{
  "mcpServers": {
    "waf-rule-mcp": {
      "command": "uv",
      "args": [
        "run",
        "--project", "/absolute/path/to/mcp-server",
        "/absolute/path/to/mcp-server/server/main.py"
      ],
      "env": {
        "WAF_VALIDATION_API_URL": "https://public.gen0sec.com/v1/waf/validate"
      }
    }
  }
}
```

`WAF_VALIDATION_API_URL` is optional — if unset, the value from `server/config.yaml` is used. Restart Cursor to apply.
```bash
docker build -t waf-rule-mcp .
docker run -p 8000:8000 waf-rule-mcp
```

Then point your MCP client at it:

```json
{
  "mcpServers": {
    "waf-rule-mcp": { "url": "http://localhost:8000" }
  }
}
```

The WAF rule validation API must be reachable for the validation tools to work. Set its URL via `WAF_VALIDATION_API_URL` or `server/config.yaml`.

| Tool | Purpose |
|---|---|
| `fetch_cve_vulnerability_template` | Retrieve a CVE-indexed vulnerability template from a preferred source (Nuclei Open Source or Nuclei Paid API) |
| `fetch_cve_from_all_sources` | Fetch a CVE template from all enabled sources for cross-source comparison |
| `list_cve_sources` | List the registered CVE source plugins and their status |
| `validate_waf_expression` | Validate a Wirefilter rule expression (`rule_type` selects the scheme) |
| `validate_waf_expression_with_tests` | Validate a Wirefilter rule and match it against test data (mock data if none given) |
| `get_waf_context` | Fetch WAF context from Wirefilter docs: actions, expressions, fields, functions, operators, values |
| `get_rule_fields` | Fetch the live, authoritative Wirefilter field/function schema directly from the rules-validator |

| URI | Reference |
|---|---|
| `wafcontext://actions` | Actions available in the Rules language |
| `wafcontext://expressions` | Expressions available in the Rules language |
| `wafcontext://fields` | Fields available in the Rules language |
| `wafcontext://functions` | Functions available in the Rules language |
| `wafcontext://operators` | Operators available in the Rules language |
| `wafcontext://values` | Values available in the Rules language |

| Prompt | Generates a rule from… |
|---|---|
| `natural_waf_rule_generation_prompt` | a natural-language description |
| `cve_waf_rule_generation_prompt` | a CVE index |
| `smart_firewall_rule_generation_prompt` | a natural-language description, as an L3/L4 + JA4 Smart Firewall rule (no `http.*` fields; block/allow actions) |
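
A local pre-flight check in the spirit of the tools and prompts above, as an added example that is not part of this project's code: it flags field references missing from the schema and, for Smart Firewall rules, any `http.*` field or an action other than block/allow, before a validator call is made. `KNOWN_FIELDS` is a constructed stand-in for what `get_rule_fields` returns; the function names, sample expressions, and the assumption that string literals are double-quoted are illustrative.

```python
import re

# Quoted strings are consumed first, so dotted text inside a literal
# (e.g. a hostname) is never mistaken for a field reference.
_TOKEN = re.compile(
    r'"(?:\\.|[^"\\])*"'                   # double-quoted string literal
    r'|(?<![\w.])[A-Za-z_]\w*(?:\.\w+)+'   # dotted identifier such as ip.src
)

# Constructed sample schema; in practice, load the live field list instead.
KNOWN_FIELDS = {"ip.src", "http.host", "http.request.uri.path"}

# Smart Firewall rules are limited to these actions (see the prompt table).
SMART_FIREWALL_ACTIONS = {"block", "allow"}


def field_refs(expression: str) -> list[str]:
    """Return dotted identifiers used outside string literals, in order."""
    return [m.group(0) for m in _TOKEN.finditer(expression)
            if not m.group(0).startswith('"')]


def preflight(expression: str, action: str, known_fields: set[str],
              smart_firewall: bool = False) -> list[str]:
    """Collect problems that can be caught locally, without the validator."""
    problems = []
    for ref in field_refs(expression):
        if ref not in known_fields:
            problems.append(f"unknown field: {ref}")
        if smart_firewall and ref.startswith("http."):
            problems.append(f"http.* field in Smart Firewall rule: {ref}")
    if smart_firewall and action not in SMART_FIREWALL_ACTIONS:
        problems.append(f"action not allowed for Smart Firewall: {action}")
    return problems


if __name__ == "__main__":
    # Constructed rule with a misspelled field name.
    print(preflight('http.request.uri.pth contains "/x"', "block", KNOWN_FIELDS))
```

An empty list only means the rule is worth sending on; the rules-validator remains the authority on syntax and types.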

```mermaid
flowchart TD
    LLM([Agentic LLM / MCP client]) <--> MCP
    subgraph MCP[Gen0Sec WAF Rule MCP Server]
        T[Tools]
        R["Resources<br/>wafcontext://*"]
        P[Prompts]
        RU[Resource updater<br/>periodic refresh]
    end
    T -->|validate / fields| RV[Wirefilter rules-validator API]
    R -->|live schema| RV
    T -->|CVE templates| CS
    subgraph CS[CVE sources]
        N1[Nuclei Open Source<br/>GitHub]
        N2[Nuclei Paid<br/>ProjectDiscovery API]
    end
    RU -.refreshes.-> CS
    RU -.refreshes.-> RV
```

| Gen0Sec Docs | Product documentation and guides |
| `server/config.yaml` | Validation API URL, CVE source toggles, update intervals |
| `manifest.json` | Claude Desktop bundle manifest and user-configurable options |
| Wirefilter | The rule expression language this server targets |

- Cloudflare for Wirefilter
- ProjectDiscovery for the Nuclei templates