Wirefilter Language Reference

This guide provides a comprehensive reference for Peakhour's Wirefilter expression language, used to create precise security policies for your applications.

Before you begin: Understand the different Rule Phases where these expressions can be used.

Understanding Firewall Rule Structure

Firewall rules in Peakhour use Wirefilter syntax to create flexible, powerful security policies that evaluate incoming requests against multiple criteria.

Rule Components

Every firewall rule consists of:

  • Name: Descriptive identifier for the rule
  • Expression: Wirefilter condition that defines when the rule matches
  • Action: What happens when the expression evaluates to true (allow, deny, challenge, log)
  • Priority: Rule evaluation order (lower numbers = higher priority)
  • Status: Whether the rule is active or disabled

Mastering Wirefilter Expression Language

Basic Syntax and Operators

Comparison Operators

// Equality
ip.src eq 192.168.1.1
http.request.method == "GET"

// Inequality  
ip.geoip.country ne "US"
http.response.code != 200

// Numeric comparison
ip.geoip.asnum gt 15169
len(http.user_agent) < 50

// String operations
http.host contains "admin"
http.user_agent starts_with "Mozilla"
http.request.uri.path ends_with ".php"

Logical Operators

// AND conditions
ssl == true and ip.geoip.country eq "US"

// OR conditions  
http.request.method in {"GET", "HEAD"} or user_agent.bot == true

// NOT conditions
not (ip.src in $trusted_ips) and user_agent.bot == false

// Complex grouping
(ip.geoip.country in {"CN", "RU"} or ip.src in $suspicious_ips) and 
not (http.user_agent contains "googlebot")

Available Request Fields

Complete Request Field Reference

HTTP Request Fields:

http.host                    // Host header value
http.request.method          // GET, POST, PUT, etc.
http.request.uri             // Full URI with query parameters
http.request.uri.path        // Path portion only
http.request.uri.query       // Query string only
http.request.version         // HTTP version
http.user_agent              // User-Agent header
http.referer                 // Referer header
ssl                          // TLS connection boolean

Network and Location Fields:

ip.src                      // Client IP address
ip.geoip.country            // Two-letter country code
ip.geoip.asnum              // AS number (integer)

Bot Detection Fields:

user_agent.bot             // Is detected as bot (boolean)
user_agent.bot.type        // Bot type: google, bing, facebook, etc.
user_agent.mobile          // Mobile device detection
user_agent.software        // Software classification
user_agent.type            // General type classification
bot.verified               // Bot verification status
bot.verification_state     // Verification state

Device Fingerprinting Fields:

fingerprint.http           // HTTP fingerprint
fingerprint.http2          // HTTP/2 fingerprint
fingerprint.ml             // Machine learning scores
fingerprint.tcp            // TCP fingerprint
fingerprint.tls            // TLS fingerprint
fingerprint.tls.ja4        // JA4 TLS fingerprint
fingerprint.tls.v3         // TLS fingerprint with sorted ciphers

Peakhour-Specific Fields:

peakhour.req.session       // Session identifier
peakhour.server.name       // Edge server name
peakhour.client.proxy      // Behind proxy detection
peakhour.waf.exposed_password  // WAF password detection

Built-in Functions

Function Reference

String Functions:

starts_with(http.request.uri.path, "/api/")
ends_with(http.host, ".example.com")  
lower(http.host) eq "example.com"
len(http.user_agent) gt 500
concat("prefix-", ip.src)
to_string(ip.geoip.asnum)

Pattern Matching:

// Wildcard matching
matches(http.request.uri, "*/admin/*")
matches(http.user_agent, "*bot*")

// Note: Use matches() for simple patterns, not full regex

Using Lists for Scalable Rules

Manage IP addresses, strings, and integers efficiently with lists.

  1. Create a List:
     • Navigate to Rules > Lists
     • Create a new list (e.g., IP List named trusted_office_ips)
     • Add values (e.g., 203.0.113.0/24, 198.51.100.0/24)

  2. Use in Rules:

    // Reference the list using a '$' prefix
    ip.src in $trusted_office_ips
    

Special List Types

Peakhour provides dynamic, built-in lists for common security checks.

  • Anomaly Lists: Match against dynamic traffic patterns identified as anomalous by Peakhour. Prefixed with _anomaly_.

    // Check if a client IP is in the list of clients exhibiting anomalous behavior
    ip.src in $_anomaly_client_pages
    

  • Blocklists: Match against Peakhour's curated IP reputation blocklists. Prefixed with _blocklist_.

    // Check if a source IP is on the dshield blocklist
    ip.src in $_blocklist_dshield
    

Built-in Reputation Lists

Threat Intelligence Lists

Leverage Peakhour's threat intelligence:

// Block known attack sources
ip.src in $webattacks

// Block malware sources
ip.src in $malware  

// Block Tor exit nodes
ip.src in $tor

// Challenge datacenter IPs
ip.src in $datacenter

Expression Optimization

Write efficient expressions for better performance.

Inefficient:

// Multiple separate conditions
http.user_agent contains "bot" or 
http.user_agent contains "crawler" or
http.user_agent contains "spider" or
http.user_agent contains "scraper"

Efficient:

// Use lists or combined patterns
http.user_agent contains $bot_keywords
// or
lower(http.user_agent) matches "*bot*"

Troubleshooting Common Issues

Expression Syntax Errors

Problem: Rule validation fails

Solutions:

  • Check operator spelling (eq not ==)
  • Ensure proper quotation of strings
  • Verify field names match available fields
  • Balance parentheses in complex expressions
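
The checks above can be run locally before a rule is submitted. The following is an added example, not Peakhour's validator or code from this reference: `lint()` and its tables are hypothetical names, the field and keyword sets are copied from this page only, and the real validator may accept more than this sketch does.

```python
import re

# Field names copied from this page's field reference, plus http.response.code
# from its comparison examples; the set your account exposes may differ.
FIELDS = set("""
http.host http.request.method http.request.uri http.request.uri.path
http.request.uri.query http.request.version http.user_agent http.referer
http.response.code ssl ip.src ip.geoip.country ip.geoip.asnum user_agent.bot
user_agent.bot.type user_agent.mobile user_agent.software user_agent.type
bot.verified bot.verification_state fingerprint.http fingerprint.http2
fingerprint.ml fingerprint.tcp fingerprint.tls fingerprint.tls.ja4
fingerprint.tls.v3 peakhour.req.session peakhour.server.name
peakhour.client.proxy peakhour.waf.exposed_password
""".split())
# Word operators, literals and functions that appear on this page.
WORDS = set("""eq ne gt in and or not contains matches starts_with ends_with
true false lower len concat to_string""".split())
BUILTIN_LISTS = {"webattacks", "malware", "tor", "datacenter"}
BUILTIN_PREFIXES = ("_anomaly_", "_blocklist_")


def lint(expr, user_lists=()):
    """Return a list of problems found in one expression (empty means clean)."""
    problems = []
    # One pass: blank out complete string literals and drop // comments, so a
    # "//" inside a string or a quote inside a comment is not misread.
    text = re.sub(r'"[^"\n]*"|//[^\n]*',
                  lambda m: '""' if m[0][0] == '"' else "", expr)
    if '"' in text.replace('""', ""):
        problems.append("unbalanced double quote")
    depth = 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:          # a ")" closed before any "(" was opened
            break
    if depth != 0:
        problems.append("unbalanced parentheses")
    # Remaining identifiers are either $list references or field/keyword names.
    for sigil, name in re.findall(r"(?<![\w.$])(\$?)([A-Za-z_][\w.]*)", text):
        if sigil:
            if not (name in user_lists or name in BUILTIN_LISTS
                    or name.startswith(BUILTIN_PREFIXES)):
                problems.append(f"undefined list: ${name}")
        elif name not in FIELDS and name not in WORDS:
            problems.append(f"unknown field or keyword: {name}")
    return problems
```

Pass the names of the lists you created under Rules > Lists as `user_lists`; IPv6 literals are not handled by this sketch.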

Rules Not Matching

Problem: Expected traffic not caught by rules

Solutions:

  • Use the rule simulator with actual request data
  • Check rule priority ordering
  • Verify field values are as expected
  • Test with simplified expressions first