add plugin: Trustwave ModSecurity

BloodyMouth · Apr 17, 2015 · f8938ed · f8938ed
1 parent 0593ad2
commit f8938ed
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 16 deletions.
diff --git a/wafw00f/main.py b/wafw00f/main.py
@@ -338,21 +338,6 @@ def iswebknight(self):
                 break
         return detected
 
-    def ismodsecurity(self):
-        detected = False
-        for attack in self.attacks:
-            r = attack(self)
-            if r is None:
-                return
-            response, responsebody = r
-            if response.status == 501:
-                detected = True
-                break
-        # the following based on nmap's http-waf-fingerprint.nse
-        if self.matchheader(('server', '(mod_security|Mod_Security|NOYB)')):
-            return True
-        return detected
-
     def matchcookie(self, match):
         """
         a convenience function which calls matchheader
@@ -398,7 +383,6 @@ def ismodsecuritypositive(self):
 
     wafdetections = dict()
     # easy ones
-    wafdetections['Trustwave ModSecurity'] = ismodsecurity
     wafdetections['F5 FirePass'] = isf5firepass
     wafdetections['F5 Trafficshield'] = isf5trafficshield
     wafdetections['F5 BIG-IP LTM'] = isf5bigipltm

diff --git a/wafw00f/plugins/modsecurity.py b/wafw00f/plugins/modsecurity.py
@@ -0,0 +1,20 @@
+#!/usr/bin/env python
+
+
+NAME = 'Trustwave ModSecurity'
+
+
+def is_waf(self):
+    detected = False
+    for attack in self.attacks:
+        r = attack(self)
+        if r is None:
+            return
+        response, responsebody = r
+        if response.status == 501:
+            detected = True
+            break
+    # the following based on nmap's http-waf-fingerprint.nse
+    if self.matchheader(('server', '(mod_security|Mod_Security|NOYB)')):
+        return True
+    return detected