CADRE SCRIPT v2.0
100+ Attack Types | Enterprise WAF
CloFix CADRE Script Engine
Write powerful security rules using English-like syntax. 100+ attack Types detection modules, full metadata control, built-in rate limiting, geo-blocking, and hot reload. Just save a file - no compilation, no restart.
.clofix files if/else conditions rate() function contains / matches
Shared dictionaries Hot reload Domain restrictions Expiry support 100+ Attack Types
01 Introduction
CloFix CADRE Script is a lightweight, English‑like scripting language designed for WAF rules. It combines simplicity with enterprise-grade power - no compilation, no restart, no complex DSL. Just write a .clofix file and place it in the correct module folder; the CADRE engine loads it instantly into memory.
⚡ Key Capabilities
- 100+ built‑in attack patterns - SQLi, XSS, LFI, SSRF, Log4Shell, GraphQL, NoSQLi, CMDi, and 90+ more
- Simple conditions -
if ua contains "python" { block } - Powerful functions -
rate(ip, "60s"),matches(),contains(),starts(),ends() - Rich metadata - expiry dates, domain restrictions, IP/country filtering, rate limiting and logging
- Hot reload - update rules without restarting the WAF
- 50,000+ req/sec throughput - sub-millisecond latency
02 Why CADRE Script?
⚡1000x Faster
Memory-first architecture - all rules pre-loaded at startup. Zero disk I/O during request processing. 0.5-2ms latency even with 10,000+ rules.
📝English-like Syntax
if path contains "/admin" { block }. Anyone on your security team can write rules within 10 minutes. No programming experience required.🔄Hot Reload
Add, modify or delete rules while the WAF is running. Call
/api/cadre/reload - changes apply immediately with zero downtime.🔐100+ Attack Types
SQLi, XSS, LFI, RFI, SSRF, XXE, Log4Shell, GraphQL, NoSQLi, CMDi, LDAPi, SSTI, and 90+ more. Industry-leading coverage.
📊Enterprise Performance
50,000+ requests/second throughput. 5-10% CPU usage. 500MB-2GB memory. 99.97% threat detection rate.
🛡️Network-Level Blocking
iptables/nftables integration for kernel-level IP blocking. Automatic ban escalation for repeat offenders.
03 Syntax & Structure
A CADRE script file consists of optional metadata headers followed by any number of conditional blocks. If no block matches, the default allow action is applied. Comments start with #.
clofix (full structure)
# ============================================
# MODULE: SQL Injection Detection
# RULE ID: SQL-001
# VERSION: 1.0.0
# CREATOR-NAME: Security Team
# CREATOR-EMAIL: security@clofix.com
# CREATOR-ORGANIZATION: CloFix Security Inc.
# CREATOR-PARTNER-ID: PARTNER-001
# CREATOR-TIER: platinum
# CREATOR-WEBSITE: https://clofix.com
# REGISTRATION-ID: REG-2024-00123
# REGISTRATION-HASH: sha256:abc123...
# REGISTRATION-DATE: 2024-12-01T10:00:00Z
# LICENSE-TYPE: enterprise
# LICENSE-KEY: XXXX-XXXX-XXXX-XXXX
# LICENSE-VALID-FROM: 2024-12-01T10:00:00Z
# LICENSE-VALID-TO: 2025-12-01T10:00:00Z
# SEVERITY: critical
# SCORE: 95
# ANOMALY-SCORE: 85
# PARANOIA-LEVEL: 2
# CONFIDENCE: 0.98
# DESCRIPTION: Detects UNION and Boolean SQL injection
# CREATED: 2024-12-01T10:00:00Z
# UPDATED: 2024-12-15T14:30:00Z
# EXPIRES: 2025-12-01T10:00:00Z
# EXPIRY-DAYS: 365
# EXPIRY-WARNING: 30
# GRACE-PERIOD: 7
# AUTO-RENEW: true
# RENEWAL-PRICE: $99/month
# DOMAINS: example.com, api.example.com
# DOMAIN-PATTERNS: *.example.org
# EXCLUDE-DOMAINS: test.example.com
# ALLOWED-IPS: 192.168.1.0/24, 10.0.0.0/8
# BLOCKED-IPS: 1.2.3.4, 5.6.7.8
# ALLOWED-ASN: AS15169, AS16509
# ALLOWED-COUNTRIES: US, GB, CA
# BLOCKED-COUNTRIES: RU, CN, KP
# ALLOWED-CONTINENTS: NA, EU
# BLOCKED-CONTINENTS: AS, AF
# TIME-WINDOW: 09:00-17:00
# TIME-ZONE: America/New_York
# DAYS: Monday,Tuesday,Wednesday,Thursday,Friday
# DATE-RANGE-START: 2024-01-01
# DATE-RANGE-END: 2024-12-31
# BUSINESS-HOURS-ONLY: true
# RATE-LIMIT: 100
# RATE-WINDOW: 60s
# RATE-ACTION: block
# RATE-BLOCK-DURATION: 300s
# RATE-BURST: 20
# ACTION: block
# BLOCK-STATUS: 403
# BLOCK-MESSAGE: Access denied by security policy
# BLOCK-URL: https://clofix.com/blocked
# REDIRECT-URL: https://captcha.example.com
# LOG-LEVEL: INFO
# LOG-SAMPLE: 10
# ALERT-ENABLED: true
# ALERT-WEBHOOK: https://hooks.slack.com/xxx
# ALERT-EMAIL: security@clofix.com
# ALERT-SEVERITY: critical
# AUDIT-LOG: true
# REQUIRES-MODULES: core, base_sqli
# REQUIRES-ALL: false
# CONFLICTS-WITH: legacy_sqli
# PRIORITY: 1
# STAGE: main
# TAGS: owasp, sqli, critical, injection
# CATEGORY: SQL Injection
# SUB-CATEGORY: Union-based
# CVE: CVE-2024-12345
# OWASP: A03:2021-Injection
# PCI: 6.5.1
# HIPAA: 164.306
# GDPR: Article 32
# REFERENCE: https://owasp.org/sqli
# EXAMPLES: ' OR '1'='1 | UNION SELECT 1,2,3
# FIX: Use parameterized queries
# FALSE-POSITIVE-RATE: low
# TESTED-ENVIRONMENTS: nginx, apache, cloudflare
# BRAND-NAME: CloFix Security
# BRAND-LOGO: https://clofix.com/logo.png
# BRAND-URL: https://clofix.com
# BRAND-SUPPORT: support@clofix.com
# BRAND-HEADER-ENABLED: true
# BRAND-LOGO-IN-BLOCK: true
# BRAND-SUPPORT-LINK: true
# BRAND-FOOTER: © 2024 CloFix Inc.
# BRAND-BLOCK-PAGE: https://clofix.com/block.html
# SIGNATURE: MEUCIQD...
# SIGNING-KEY-ID: key-12345
# HASH-ALGORITHM: sha256
# ENCRYPTION: aes-256-gcm
# INTEGRITY-CHECK: true
# TRACK-HITS: true
# TRACK-LATENCY: true
# EXPORT-METRICS: true
# METRICS-PREFIX: waf_custom
# MIN-CADRE-VERSION: 4.0.0
# MAX-CADRE-VERSION: 5.0.0
# COMPATIBLE-WITH: cloudflare, aws_waf
# DEPRECATED-IN: 4.5.0
# REMOVED-IN: 5.0.0
# ============================================
if body matches "union.*select" {
log attack "SQLI" "union select pattern"
block "SQL injection detected"
}
if param.id contains "or 1=1" {
block "Boolean SQL injection"
}
allow
04 Complete Metadata Reference
Core Module Information
| Field | Description | Required | Example |
|---|---|---|---|
Module | Module name/description | ✅ Yes | SQL Injection Detection |
Rule ID | Unique rule identifier | ✅ Yes | SQL-001 |
Version | Semantic version | ✅ Yes | 1.0.0, 2.1.3 |
Severity | Threat level | ✅ Yes | critical, high, medium, low, info |
Description | What the rule does | ❌ No | Detects UNION-based SQL injection |
Created | Creation timestamp | ❌ No | 2024-12-01T10:00:00Z |
Updated | Last update timestamp | ❌ No | 2024-12-15T14:30:00Z |
Creator & Ownership
| Field | Description | Required | Example |
|---|---|---|---|
Creator-Name | Creator's full name | ✅ Yes | Security Team |
Creator-Email | Creator's email for support | ❌ No | security@clofix.com |
Creator-Organization | Organization name | ❌ No | CloFix Security Inc. |
Creator-Partner-ID | Partner identification | ❌ No | PARTNER-001 |
Creator-Tier | Creator subscription tier | ❌ No | bronze, silver, gold, platinum |
Creator-Website | Creator's website | ❌ No | https://clofix.com |
Registration & Licensing
| Field | Description | Required | Example |
|---|---|---|---|
Registration-ID | Unique registration identifier | ❌ No | REG-2024-00123 |
Registration-Hash | Cryptographic registration hash | ❌ No | sha256:abc123... |
Registration-Date | When module was registered | ❌ No | 2024-12-01T10:00:00Z |
License-Type | License type | ❌ No | free, pro, enterprise, custom |
License-Key | License key for validation | ❌ No | XXXX-XXXX-XXXX-XXXX |
License-Valid-From | License start date | ❌ No | 2024-12-01T10:00:00Z |
License-Valid-To | License expiration | ❌ No | 2025-12-01T10:00:00Z |
Expiry Configuration
| Field | Description | Behavior | Example |
|---|---|---|---|
Expires | Expiration date/time | If NOT set → NEVER expires | 2025-12-01T10:00:00Z |
Expiry-Days | Total validity days | Default: 365 | 365 |
Expiry-Warning | Days before warning | Default: 30 | 30 |
Grace-Period | Days after expiry to allow | Default: 7 | 7 |
Auto-Renew | Auto-renew subscription | Default: false | true |
Renewal-Price | Price for renewal | Optional | $99/month |
Domain & IP Restriction
| Field | Description | Behavior | Example |
|---|---|---|---|
Domains | Allowed domains (exact) | If NOT set → ALL domains | example.com, api.example.com |
Domain-Patterns | Wildcard domain patterns | Optional | *.example.com |
Exclude-Domains | Blocked domains | Optional | test.example.com |
Allowed-IPs | Allowed IPs/CIDRs | If NOT set → ALL IPs | 192.168.1.0/24, 10.0.0.0/8 |
Blocked-IPs | Exclude these IPs | Optional | 1.2.3.4, 5.6.7.8 |
Allowed-ASN | Allowed ASN numbers | Optional | AS15169, AS16509 |
GeoIP Restriction
| Field | Description | Behavior | Example |
|---|---|---|---|
Allowed-Countries | Allowed country codes | If NOT set → ALL countries | US, GB, CA, AU |
Blocked-Countries | Exclude these countries | Optional | RU, CN, KP, IR |
Allowed-Continents | Allowed continents | Optional | NA, EU, AS |
Blocked-Continents | Exclude these continents | Optional | SA, AF |
Time Restriction
| Field | Description | Behavior | Example |
|---|---|---|---|
Time-Window | Active time window | If NOT set → 24/7 | 09:00-17:00 |
Time-Zone | Timezone for window | Default: UTC | America/New_York |
Days | Active days of week | If NOT set → ALL days | Monday,Tuesday,Wednesday |
Date-Range-Start | Start date for validity | Optional | 2024-01-01 |
Date-Range-End | End date for validity | Optional | 2024-12-31 |
Business-Hours-Only | Only during business hours | Default: false | true |
Rate Limiting
| Field | Description | Default | Example |
|---|---|---|---|
Rate-Limit | Max requests per window | Not set | 100 |
Rate-Window | Time window duration | 60s | 60s, 5m, 1h |
Rate-Action | Action on limit exceeded | block | block, challenge, log |
Rate-Block-Duration | Block duration after limit | 300s | 300s, 10m, 1h |
Rate-Burst | Burst allowance | 0 | 20 |
Scoring & Confidence
| Field | Description | Default | Example |
|---|---|---|---|
Score | Severity score (0-100) | 50 | 85 |
Anomaly-Score | Anomaly detection score | None | 75 |
Paranoia-Level | Aggressiveness (1-4) | None | 2 |
Confidence | Detection confidence (0-1) | None | 0.95 |
Response Action
| Field | Description | Default | Example |
|---|---|---|---|
Action | What to do when matched | block | block, sanitize, deceive, log, pass |
Block-Status | HTTP status code | 403 | 403, 404, 429 |
Block-Message | Custom block message | None | Access denied by security policy |
Block-URL | URL to redirect blocked requests | None | https://clofix.com/blocked |
Redirect-URL | URL for redirect action | None | https://captcha.example.com |
Logging & Alerts
| Field | Description | Default | Example |
|---|---|---|---|
Log-Level | Logging detail level | INFO | DEBUG, INFO, WARN, ERROR |
Log-Sample | Sample rate for logs (1 in N) | None | 10 |
Alert-Enabled | Enable alerts | false | true |
Alert-Webhook | Slack/Discord webhook | None | https://hooks.slack.com/xxx |
Alert-Email | Email for alerts | Creator email | security@clofix.com |
Alert-Severity | Minimum severity for alerts | None | critical, high, medium, low |
Audit-Log | Enable audit logging | false | true |
Dependencies
| Field | Description | Default | Example |
|---|---|---|---|
Requires-Modules | Modules that must be active | None | core, base_sqli |
Requires-All | Require ALL dependencies | false | true, false |
Conflicts-With | Incompatible modules | None | legacy_sqli |
Priority | Execution priority (lower=higher) | 5 | 1, 5, 10 |
Stage | When to run this module | None | pre, main, post |
Tags & Classification
| Field | Description | Example |
|---|---|---|
Tags | Searchable tags | owasp, sqli, critical, injection |
Category | Main category | SQL Injection |
Sub-Category | Specific sub-category | Union-based |
CVE | Related CVE | CVE-2024-12345 |
OWASP | OWASP category | A03:2021-Injection |
PCI | PCI DSS requirement | 6.5.1 |
HIPAA | HIPAA section | 164.306 |
GDPR | GDPR article | Article 32 |
Documentation
| Field | Description | Example |
|---|---|---|
Reference | External documentation URL | https://owasp.org/sqli |
Examples | Attack examples (pipe-separated) | ' OR '1'='1 | UNION SELECT 1,2,3 |
Fix | How to fix the vulnerability | Use parameterized queries |
False-Positive-Rate | Expected FP rate | low, medium, high |
Tested-Environments | Where it's tested | nginx, apache, cloudflare |
CloFix Brand Integration
| Field | Description | Default | Example |
|---|---|---|---|
Brand-Name | Brand name for block page | CloFix Security | Enterprise WAF |
Brand-Logo | Logo URL for block page | None | https://clofix.com/logo.png |
Brand-URL | Brand website URL | https://clofix.com | https://security.com |
Brand-Support | Support contact info | None | support@clofix.com |
Brand-Header-Enabled | Add X-CloFix-* headers | true | true, false |
Brand-Logo-In-Block | Show logo on block page | true | true, false |
Brand-Support-Link | Show support link | true | true, false |
Brand-Footer | Custom footer text | None | © 2024 CloFix Inc. |
Brand-Block-Page | Custom block page URL | None | https://custom.com/block.html |
Security & Validation
| Field | Description | Example |
|---|---|---|
Signature | Digital signature of module | MEUCIQD... |
Signing-Key-ID | Key identifier for verification | key-12345 |
Hash-Algorithm | Hash algorithm for integrity | sha256, sha512 |
Encryption | Encryption method | aes-256-gcm |
Integrity-Check | Verify module integrity | true, false |
Analytics & Metrics
| Field | Description | Default | Example |
|---|---|---|---|
Track-Hits | Count rule matches | false | true |
Track-Latency | Measure processing time | false | true |
Export-Metrics | Export to Prometheus | false | true |
Metrics-Prefix | Custom metrics prefix | cadre | waf_custom |
Compatibility
| Field | Description | Example |
|---|---|---|
Min-CADRE-Version | Minimum engine version | 4.0.0 |
Max-CADRE-Version | Maximum engine version | 5.0.0 |
Compatible-With | Compatible platforms | cloudflare, aws_waf |
Deprecated-In | Deprecation version | 4.5.0 |
Removed-In | Removal version | 5.0.0 |
05 Variables
| Variable | Description | Example |
|---|---|---|
ip | Client IP address | if ip == "1.2.3.4" |
method | HTTP method | if method == "POST" |
path | URL path | if path starts "/admin" |
ua | User-Agent header | if ua contains "python" |
body | Request body | if body matches "union.*select" |
country | Country code (GeoIP) | if country == "RU" |
is_tor | Tor exit node flag | if is_tor |
score | Threat score (0-100) | if score > 80 |
param.name | Query parameter | if param.id == "1" |
form.name | POST form field | if form.username == "admin" |
06 Built‑in Functions
| Function | Description | Example |
|---|---|---|
rate(key, window) | Returns request count in window | rate(ip, "60s") |
contains(str, sub) | String contains | if ua contains "python" |
matches(str, regex) | Regex match | if body matches "union.*select" |
starts(str, prefix) | Prefix check | if path starts "/admin" |
ends(str, suffix) | Suffix check | if file ends ".php" |
length(str) | String length | if length(body) > 1000 |
log_attack(type, payload) | Structured attack log | log attack "SQLI" "union select" |
07 Actions
| Action | Description | Example |
|---|---|---|
block | Block request | block or block "Custom message" |
allow | Allow request | allow |
log | Log message | log "Request processed" |
add | Add response header | add "X-Frame-Options: DENY" |
remove | Remove response header | remove "Server" |
redirect | Redirect request | redirect "https://example.com/login" |
08 Attack Types (100+ Modules)
🔻 Injection Attacks (10 types)
💉SQL Injection
UNION-based, Boolean blind, Time-based, Error-based, Stacked queries
🍃NoSQL Injection
$ne, $gt, $regex, $where operators, JavaScript injection
📋LDAP Injection
LDAP metacharacters, filter manipulation, auth bypass
⌨️Command Injection
rm -rf, curl/wget, reverse shells, command chaining
🗺️XPath Injection
OR injection patterns, XML query manipulation
📝Code Injection
eval(), assert(), create_function() injection
🎨SSTI
Jinja2, Twig, Freemarker, Velocity template injection
🔧EL Injection
Expression Language injection, ClassLoader access
⚠️ XSS Attacks (8 types)
🔄Reflected XSS
Script tags, event handlers, JavaScript protocol
💾Stored XSS
IMG onerror, SVG onload, IFRAME injection
🌳DOM-based XSS
DOM manipulation, Cookie/location access
🎯Blind XSS
Image src callbacks, Fetch API, BeEF hooks
📄HTML Injection
IFRAME, OBJECT, EMBED injection
📜JS Injection
Alert functions, setTimeout/setInterval abuse
📁 File-Based Attacks (7 types)
📂LFI
Local File Inclusion, /etc/passwd, PHP wrappers
🌐RFI
Remote File Inclusion, HTTP/HTTPS/FTP includes
🔄Path Traversal
../, ..\, URL-encoded traversal, double encoding
📤File Upload
Dangerous extensions, double extensions, MIME spoofing
🐚WebShell
c99, r57, b374k, China Chopper, PHP webshells
🖥️ Server-Side Attacks (6 types)
🌐SSRF
Localhost, metadata endpoints, internal IPs
📄XXE
XML External Entity, DOCTYPE, parameter entities
🔧SSI
Server-Side Includes directives
📦Java Deserialization
Magic bytes detection, ysoserial payloads
📦PHP Deserialization
Object injection patterns
📦Python Deserialization
Pickle/YAML injection
🔑 Auth & Session Attacks (5 types)
🔐Session Fixation
Session cookie patterns, fixation attacks
🔄CSRF
Missing headers detection, token validation
🔑JWT Attack
None algorithm, signature bypass, alg confusion
🍪Cookie Tampering
Admin cookie patterns, manipulation
🔗OAuth Attack
Redirect URI manipulation, code injection
🔌 API Attacks (6 types)
📊GraphQL Introspection
__schema, __type queries
📏GraphQL Depth
Deep nested queries, DoS
📦GraphQL Batching
Alias bombing, batch attacks
🔓API Auth Bypass
URL override, method override
📝API Mass Assignment
Admin field injection
⏱️API Rate Limit Bypass
IP spoofing detection
🐌 DoS/Protocol Attacks (6 types)
🐌Slowloris
Incomplete headers, slow read attacks
🔁ReDoS
Nested quantifiers, evil regex patterns
💣XML Bomb
Billion laughs, entity expansion
📦JSON Bomb
Deep nesting attacks
📨HTTP Smuggling
CL.TE, TE.CL, duplicate headers
🏠Host Header Injection
Duplicate host, CRLF injection
🔍 Scanner Detection (6 types)
🗺️SQLMap
SQLMap User-Agent and signatures
🔍Nmap
Nmap scripting engine detection
📋Nikto
Nikto scanner detection
🔧Burp Suite
Burp User-Agent and headers
📁DirBuster
Directory brute-forcing tools
🖥️WPScan
WordPress scanner detection
🐞 Modern Vulnerabilities (4 types)
📝Log4Shell
JNDI injection patterns, obfuscated bypasses
🍃Spring4Shell
ClassLoader access patterns
💥ShellShock
Function definition patterns
⚙️Struts2
OGNL injection patterns
☁️ Cloud Attacks (4 types)
☁️AWS Metadata
169.254.169.254, /latest/meta-data/
☁️GCP Metadata
metadata.google.internal
☁️Azure Metadata
169.254.169.254/metadata
📦S3 Bucket
Bucket enumeration, access patterns
📜 Script Blocking (50+ Languages)
🐹Go
go-http-client, os.Exec, exec.Command, net.Dial, reverse shells
🐍Python
python-requests, python -c, exec(), eval(), subprocess, os.system, pickle, cpickle, __import__, reverse shells
📘Node.js
node-fetch, axios, superagent, child_process.exec, require('net'), vm.runInNewContext, reverse shells
🐘PHP
system(), exec(), shell_exec(), passthru(), popen(), proc_open(), eval(), assert(), create_function(), webshells (c99, r57, b374k)
💎Ruby
system(), exec(), IO.popen, TCPSocket, UNIXSocket, Kernel.exec, reverse shells
🐪Perl
system(), exec(), backticks (`), qx//, open(), IO::Socket, reverse shells
🐚Bash
bash -c, sh -c, zsh -c, dash -c, reverse shells (bash -i, nc -e), command substitution ($(), ``), pipe to sh
🪟PowerShell
Invoke-Expression, IEX, -EncodedCommand, -e, DownloadFile, Invoke-WebRequest, wget, Net.WebClient, AMSI bypass patterns
☕Java
Runtime.exec(), ProcessBuilder, JNDI injection (Log4Shell), Java deserialization, JDBC connection strings
📜JavaScript
eval(), Function(), setTimeout(), setInterval(), document.write(), location.replace(), fetch()
🔧Lua
os.execute(), io.popen(), loadfile(), dofile(), require() with dangerous modules
🦀Rust
std::process::Command, std::net::TcpStream, reverse shell patterns, unsafe code execution
🔷C#
Process.Start(), WebClient.DownloadString(), Assembly.Load(), reflection invocation, PowerShell assembly loading
📊R
system(), shell(), source(), eval(), parse(), unserialize()
🔢Julia
run(), eval(), include(), exec()
🍎Swift
Process(), shell() from Foundation, NSTask
🎯Kotlin
Runtime.exec(), ProcessBuilder, eval() in scripting mode
🔥Scala
scala.sys.process, Runtime.exec(), ProcessBuilder
✏️Groovy
execute(), Runtime.exec(), GroovyShell.evaluate()
📝Tcl
exec(), open |, source, eval
💧Elixir
System.cmd(), :os.cmd(), eval()
📞Erlang
os:cmd(), rpc:call()
λHaskell
System.Process.callCommand, System.Cmd.system, unsafePerformIO
🔗Clojure
(clojure.java.shell/sh), (eval), (load-string), Runtime.exec() interop
🎯Dart
Process.run(), Process.start(), Isolate.spawnUri()
🍏Objective-C
system(), popen(), NSTask
📜VBScript
CreateObject("WScript.Shell").Run, Execute, Eval
📊MATLAB
system(), eval(), run(), load() with malicious .mat
🗄️SQL Scripts
xp_cmdshell, sp_configure, exec master..xp_cmdshell, MySQL INTO OUTFILE, PostgreSQL COPY PROGRAM
📘TypeScript
child_process.exec, eval(), fetch(), axios (compiled to JS patterns)
⚡Zig
std.os.system, std.ChildProcess, execve patterns
🔷Nim
exec(), gorge(), staticExec(), osproc.startProcess()
💎Crystal
system(), Process.run(), eval()
🔷F#
System.Diagnostics.Process.Start, System.IO.File.WriteAllText (webshells)
🐫OCaml
Sys.command(), Unix.open_process, eval()
🎨Racket
system(), process, eval, dynamic-require
🌀Common Lisp
run-program, shell, eval, load
🔢Fortran
CALL SYSTEM(), EXECUTE_COMMAND_LINE()
💼COBOL
CALL 'SYSTEM', DISPLAY UPON CONSOLE (command injection)
📦Delphi
ShellExecute(), WinExec(), CreateProcess()
🔷Ada
Ada.Command_Line, System.Address_Image (information disclosure)
📜Prolog
shell(), open/3 with pipe, exec/1
📦Smalltalk
system: 'command', perform: #value:
λScheme
system, open-input-pipe, eval
📊VBA
Shell(), CreateObject("WScript.Shell").Run, Application.Run
🤖AutoIt
Run(), ShellExecute(), RunAs()
⌨️AutoHotkey
Run, RunWait, ComObjCreate("WScript.Shell")
🪟Windows Batch
cmd.exe /c, powershell.exe -c, certutil -urlcache, regsvr32.exe
⬇️cURL
curl command, wget, aria2, axel downloaders, data exfiltration patterns
📁FTP Clients
ftp, sftp, lftp commands with credential exfiltration
🔐SSH Clients
ssh commands, scp, rsync for tunneling or exfiltration
🗄️Database Clients
mysql, psql, sqlcmd, mssql-cli for data extraction
⚡Redis CLI
redis-cli with FLUSHALL, CONFIG SET, EVAL lua scripts
🍃MongoDB Client
mongo, mongosh with db.adminCommand(), eval()
09 Complete Examples
Example: SQL Injection Protection with Full Metadata
clofix
# ============================================
# MODULE: SQL Injection Detection
# RULE ID: SQL-001
# VERSION: 2.0.0
# AUTHOR: Security Team
# SEVERITY: critical
# DESCRIPTION: Detects UNION, Boolean, Time-based SQL injection
# CREATED: 2024-12-01T10:00:00Z
# EXPIRES: 2025-12-01T10:00:00Z
# DOMAINS: example.com, api.example.com
# ALLOWED-IPS: 192.168.1.0/24
# BLOCKED-COUNTRIES: RU, CN, KP
# RATE-LIMIT: 100
# RATE-WINDOW: 60s
# TAGS: owasp, sqli, critical
# OWASP: A03:2021-Injection
# ============================================
if body matches "union.*select|or.*=.*=|sleep\\(\\d+\\)" {
log attack "SQLI" "injection pattern"
block "SQL injection detected"
}
if param.id contains "' or '1'='1" {
block "Boolean SQL injection"
}
let req = rate(ip, "60s")
if req > 100 {
block "Rate limit exceeded"
}
allowExample: Complete Security Profile
clofix
# ============================================
# MODULE: Complete Security Profile
# RULE ID: ALL-001
# VERSION: 2.0.0
# AUTHOR: Security Team
# SEVERITY: mixed
# ============================================
# SQL Injection
if body matches "union.*select|or.*=.*=" {
log attack "SQLI" "injection"
block "SQL injection"
}
# XSS Protection
if body contains " 60 { block "Rate limit" }
# Geo Blocking
if country == "RU" { block "Country blocked" }
# Login Protection
if path == "/login" {
let attempts = rate("login:" + ip, "5m")
if attempts > 5 { block "Too many login attempts" }
}
# Response Hardening
add "X-Frame-Options: DENY"
add "X-Content-Type-Options: nosniff"
remove "Server"
allow 10 Deployment
bash
# Add a new rule
sudo tee /etc/clofix/cadre_modules/sqli/001-sql-injection.clofix << 'EOF'
if body matches "union.*select" { block "SQL injection" }
allow
EOF
# Reload engine instantly
curl -X POST http://localhost:8080/api/cadre/reload
# Check statistics
curl http://localhost:8080/api/cadre/stats📁 Directory Structure
/etc/clofix/cadre_modules/ ├── sqli/ └── 001-sql-injection.clofix ├── xss/ └── 001-xss-protection.clofix ├── bot/ └── 001-bot-detection.clofix └── geo/ └── 001-country-block.clofix
11 Best Practices
- Order matters - rules execute alphabetically; use numeric prefixes like
01_,02_to control priority. - Use rate limiting - always wrap login/OTP endpoints with
rate()to prevent brute‑force. - Log attacks - use
log attackfor structured logging and SIEM integration. - Set expiry dates - for temporary rules, add
Expires: YYYY-MM-DDTHH:MM:SSZto auto‑disable them. - Restrict domains - use
Domains: example.comto keep rules scoped to specific applications. - Test before deploying - use
curlto simulate attacks and verify rule behaviour.
Need Help? For CloFix WAF support or CADRE Script questions, visit our Support page or contact us.
12 Contribute to CADRE
🤝
Contribute Rules
Help make CADRE the most comprehensive WAF rule engine. Share your security rules, attack patterns, and detection modules with the community.
📧 Email: support@clofix.com🐙 GitHub: github.com/clofix19/clofix-cadre-engine
🌟
Get Involved
Ways to contribute:
- ✓ Submit new attack detection rules
- ✓ Report false positives/negatives
- ✓ Improve documentation
- ✓ Share deployment examples
- ✓ Create language packs
⭐ Star us on GitHub
Support the project by giving us a star!
Support the project by giving us a star!
📢 All contributions are welcome! Whether you're a security researcher, developer, or just passionate about web security.
GitHub Repository → Email Us →