Hi Taka,
Buffer overflows are best dealt with at the application layer by limiting what is allowed as input.
Azure WAF is good for blocking specific field matches relative to your web site.
That would not include SSI injection as far as I'm aware - again this may be better dealt with at the application layer by limiting input.
I think of Azure waf as a limited set of features built on mod_security (the 'core rule set').
If you want the full power of mod security you could set it up as a separate VM and have much more capabilities, but this requires advanced knowledge of mod_sec.
If you need these sorts of advanced features I personally would consider a more flexible waf solution like F5 or Imperva.
References:
custom-waf-rules-overview
https://en.wikipedia.org/wiki/ModSecurity