Die vorliegende Übersetzung wurde maschinell erstellt. Im Falle eines Konflikts oder eines Widerspruchs zwischen dieser übersetzten Fassung und der englischen Fassung (einschließlich infolge von Verzögerungen bei der Übersetzung) ist die englische Fassung maßgeblich.
Log-Beispiele für ACL Web-Traffic
Dieser Abschnitt enthält Beispiele für die Protokollierung von ACL Web-Traffic.
Beispiel Ratenbasierte Regel 1: Regelkonfiguration mit einem Schlüssel, eingestellt auf Header:dogname
{ "Name": "RateBasedRule", "Priority": 1, "Statement": { "RateBasedStatement": { "Limit": 100, "AggregateKeyType": "CUSTOM_KEYS", "CustomKeys": [ { "Header": { "Name": "dogname", "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ] } } ] } }, "Action": { "Block": {} }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "RateBasedRule" } }
Beispiel Ratenbasierte Regel 1: Protokolleintrag für eine Anfrage, die durch eine ratenbasierte Regel blockiert wurde
{ "timestamp":1683355579981, "formatVersion":1, "webaclId": ..., "terminatingRuleId":"RateBasedRule", "terminatingRuleType":"RATE_BASED", "action":"BLOCK", "terminatingRuleMatchDetails":[ ], "httpSourceName":"APIGW", "httpSourceId":"EXAMPLE11:rjvegx5guh:CanaryTest", "ruleGroupList":[ ], "rateBasedRuleList":[ { "rateBasedRuleId": ..., "rateBasedRuleName":"RateBasedRule", "limitKey":"CUSTOMKEYS", "maxRateAllowed":100, "evaluationWindowSec":"120", "customValues":[ { "key":"HEADER", "name":"dogname", "value":"ella" } ] } ], "nonTerminatingMatchingRules":[ ], "requestHeadersInserted":null, "responseCodeSent":null, "httpRequest":{ "clientIp":"52.46.82.45", "country":"FR", "headers":[ { "name":"X-Forwarded-For", "value":"52.46.82.45" }, { "name":"X-Forwarded-Proto", "value":"https" }, { "name":"X-Forwarded-Port", "value":"443" }, { "name":"Host", "value":"rjvegx5guh.execute-api.eu-west-3.amazonaws.com" }, { "name":"X-Amzn-Trace-Id", "value":"Root=1-645566cf-7cb058b04d9bb3ee01dc4036" }, { "name":"dogname", "value":"ella" }, { "name":"User-Agent", "value":"RateBasedRuleTestKoipOneKeyModulePV2" }, { "name":"Accept-Encoding", "value":"gzip,deflate" } ], "uri":"/CanaryTest", "args":"", "httpVersion":"HTTP/1.1", "httpMethod":"GET", "requestId":"Ed0AiHF_CGYF-DA=" } }
Beispiel Ratenbasierte Regel 2: Regelkonfiguration mit zwei Schlüsseln, eingestellt auf und Header:dogname
Header:catname
{ "Name": "RateBasedRule", "Priority": 1, "Statement": { "RateBasedStatement": { "Limit": 100, "AggregateKeyType": "CUSTOM_KEYS", "CustomKeys": [ { "Header": { "Name": "dogname", "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ] } }, { "Header": { "Name": "catname", "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ] } } ] } }, "Action": { "Block": {} }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "RateBasedRule" } }
Beispiel Ratenbasierte Regel 2: Protokolleintrag für eine Anfrage, die durch eine ratenbasierte Regel blockiert wurde
{ "timestamp":1633322211194, "formatVersion":1, "webaclId":..., "terminatingRuleId":"RateBasedRule", "terminatingRuleType":"RATE_BASED", "action":"BLOCK", "terminatingRuleMatchDetails":[ ], "httpSourceName":"APIGW", "httpSourceId":"EXAMPLE11:rjvegx5guh:CanaryTest", "ruleGroupList":[ ], "rateBasedRuleList":[ { "rateBasedRuleId":..., "rateBasedRuleName":"RateBasedRule", "limitKey":"CUSTOMKEYS", "maxRateAllowed":100, "evaluationWindowSec":"120", "customValues":[ { "key":"HEADER", "name":"dogname", "value":"ella" }, { "key":"HEADER", "name":"catname", "value":"goofie" } ] } ], "nonTerminatingMatchingRules":[ ], "requestHeadersInserted":null, "responseCodeSent":null, "httpRequest":{ "clientIp":"52.46.82.35", "country":"FR", "headers":[ { "name":"X-Forwarded-For", "value":"52.46.82.35" }, { "name":"X-Forwarded-Proto", "value":"https" }, { "name":"X-Forwarded-Port", "value":"443" }, { "name":"Host", "value":"23llbyn8v3.execute-api.eu-west-3.amazonaws.com" }, { "name":"X-Amzn-Trace-Id", "value":"Root=1-64556629-17ac754c2ed9f0620e0f2a0c" }, { "name":"catname", "value":"goofie" }, { "name":"dogname", "value":"ella" }, { "name":"User-Agent", "value":"Apache-HttpClient/UNAVAILABLE (Java/11.0.19)" }, { "name":"Accept-Encoding", "value":"gzip,deflate" } ], "uri":"/CanaryTest", "args":"", "httpVersion":"HTTP/1.1", "httpMethod":"GET", "requestId":"EdzmlH5OCGYF1vQ=" } }
Beispiel Protokollausgabe für eine Regel, die bei Entdeckung ausgelöst wurde (beendet) SQLi
{ "timestamp": 1576280412771, "formatVersion": 1, "webaclId": "arn:aws:wafv2:ap-southeast-2:111122223333:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE", "terminatingRuleId": "STMTest_SQLi_XSS", "terminatingRuleType": "REGULAR", "action": "BLOCK", "terminatingRuleMatchDetails": [ { "conditionType": "SQL_INJECTION", "sensitivityLevel": "HIGH", "location": "HEADER", "matchedData": [ "10", "AND", "1" ] } ], "httpSourceName": "-", "httpSourceId": "-", "ruleGroupList": [], "rateBasedRuleList": [], "nonTerminatingMatchingRules": [], "httpRequest": { "clientIp": "1.1.1.1", "country": "AU", "headers": [ { "name": "Host", "value": "localhost:1989" }, { "name": "User-Agent", "value": "curl/7.61.1" }, { "name": "Accept", "value": "*/*" }, { "name": "x-stm-test", "value": "10 AND 1=1" } ], "uri": "/myUri", "args": "", "httpVersion": "HTTP/1.1", "httpMethod": "GET", "requestId": "rid" }, "labels": [ { "name": "value" } ] }
Beispiel Protokollausgabe für eine Regel, die bei SQLi Entdeckung ausgelöst wurde (nicht terminierend)
{ "timestamp":1592357192516 ,"formatVersion":1 ,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9" ,"terminatingRuleId":"Default_Action" ,"terminatingRuleType":"REGULAR" ,"action":"ALLOW" ,"terminatingRuleMatchDetails":[] ,"httpSourceName":"-" ,"httpSourceId":"-" ,"ruleGroupList":[] ,"rateBasedRuleList":[] ,"nonTerminatingMatchingRules": [{ "ruleId":"TestRule" ,"action":"COUNT" ,"ruleMatchDetails": [{ "conditionType":"SQL_INJECTION" ,"sensitivityLevel": "HIGH" ,"location":"HEADER" ,"matchedData":[ "10" ,"and" ,"1"] }] }] ,"httpRequest":{ "clientIp":"3.3.3.3" ,"country":"US" ,"headers":[ {"name":"Host","value":"localhost:1989"} ,{"name":"User-Agent","value":"curl/7.61.1"} ,{"name":"Accept","value":"*/*"} ,{"name":"myHeader","myValue":"10 AND 1=1"} ] ,"uri":"/myUri","args":"" ,"httpVersion":"HTTP/1.1" ,"httpMethod":"GET" ,"requestId":"rid" }, "labels": [ { "name": "value" } ] }
Beispiel Protokollausgabe für mehrere Regeln, die innerhalb einer Regelgruppe ausgelöst wurden (Regel A- beendet und Regel B XSS ist nicht terminierend)
{ "timestamp":1592361810888, "formatVersion":1, "webaclId":"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9" ,"terminatingRuleId":"RG-Reference" ,"terminatingRuleType":"GROUP" ,"action":"BLOCK", "terminatingRuleMatchDetails": [{ "conditionType":"XSS" ,"location":"HEADER" ,"matchedData":["<","frameset"] }] ,"httpSourceName":"-" ,"httpSourceId":"-" ,"ruleGroupList": [{ "ruleGroupId":"arn:aws:wafv2:us-east-1:123456789012:global/rulegroup/hello-world/c05lb698-1f11-4m41-aef4-99a506d53f4b" ,"terminatingRule":{ "ruleId":"RuleA-XSS" ,"action":"BLOCK" ,"ruleMatchDetails":null } ,"nonTerminatingMatchingRules": [{ "ruleId":"RuleB-SQLi" ,"action":"COUNT" ,"ruleMatchDetails": [{ "conditionType":"SQL_INJECTION" ,"sensitivityLevel": "LOW" ,"location":"HEADER" ,"matchedData":[ "10" ,"and" ,"1"] }] }] ,"excludedRules":null }] ,"rateBasedRuleList":[] ,"nonTerminatingMatchingRules":[] ,"httpRequest":{ "clientIp":"3.3.3.3" ,"country":"US" ,"headers": [ {"name":"Host","value":"localhost:1989"} ,{"name":"User-Agent","value":"curl/7.61.1"} ,{"name":"Accept","value":"*/*"} ,{"name":"myHeader1","value":"<frameset onload=alert(1)>"} ,{"name":"myHeader2","value":"10 AND 1=1"} ] ,"uri":"/myUri" ,"args":"" ,"httpVersion":"HTTP/1.1" ,"httpMethod":"GET" ,"requestId":"rid" }, "labels": [ { "name": "value" } ] }
Beispiel Protokollausgabe für eine Regel, die die Überprüfung des Anforderungstexts mit Inhaltstyp ausgelöst hat JSON
AWS WAF meldet derzeit den Standort für die JSON Körperinspektion alsUNKNOWN
.
{ "timestamp": 1576280412771, "formatVersion": 1, "webaclId": "arn:aws:wafv2:ap-southeast-2:123456789012:regional/webacl/test/111", "terminatingRuleId": "STMTest_SQLi_XSS", "terminatingRuleType": "REGULAR", "action": "BLOCK", "terminatingRuleMatchDetails": [ { "conditionType": "SQL_INJECTION", "sensitivityLevel": "LOW", "location": "UNKNOWN", "matchedData": [ "10", "AND", "1" ] } ], "httpSourceName": "ALB", "httpSourceId": "alb", "ruleGroupList": [], "rateBasedRuleList": [], "nonTerminatingMatchingRules": [], "requestHeadersInserted":null, "responseCodeSent":null, "httpRequest": { "clientIp": "1.1.1.1", "country": "AU", "headers": [], "uri": "", "args": "", "httpVersion": "HTTP/1.1", "httpMethod": "POST", "requestId": "null" }, "labels": [ { "name": "value" } ] }
Beispiel Protokollausgabe für eine CAPTCHA Regel anhand einer Webanforderung mit einem gültigen, noch nicht abgelaufenen Token CAPTCHA
Die folgende Protokollliste bezieht sich auf eine Webanforderung, die einer Regel entsprach CAPTCHA Aktion. Die Webanfrage hat ein gültiges und nicht abgelaufenes CAPTCHA Token und wird nur CAPTCHA von AWS WAF, ähnlich dem Verhalten für Count Aktion. Diese CAPTCHA-Übereinstimmung wird unter nonTerminatingMatchingRules
aufgezeichnet.
{ "timestamp": 1632420429309, "formatVersion": 1, "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/captcha-web-acl/585e38b5-afce-4d2a-b417-14fb08b66c67", "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR", "action": "ALLOW", "terminatingRuleMatchDetails": [], "httpSourceName": "APIGW", "httpSourceId": "123456789012:b34myvfw0b:pen-test", "ruleGroupList": [], "rateBasedRuleList": [], "nonTerminatingMatchingRules": [ { "ruleId": "captcha-rule", "action": "CAPTCHA", "ruleMatchDetails": [], "captchaResponse": { "responseCode": 0, "solveTimestamp": 1632420429 } } ], "requestHeadersInserted": [ { "name": "x-amzn-waf-test-header-name", "value": "test-header-value" } ], "responseCodeSent": null, "httpRequest": { "clientIp": "72.21.198.65", "country": "US", "headers": [ { "name": "X-Forwarded-For", "value": "72.21.198.65" }, { "name": "X-Forwarded-Proto", "value": "https" }, { "name": "X-Forwarded-Port", "value": "443" }, { "name": "Host", "value": "b34myvfw0b.gamma.execute-api.us-east-1.amazonaws.com" }, { "name": "X-Amzn-Trace-Id", "value": "Root=1-614cc24d-5ad89a09181910c43917a888" }, { "name": "cache-control", "value": "max-age=0" }, { "name": "sec-ch-ua", "value": "\"Chromium\";v=\"94\", \"Google Chrome\";v=\"94\", \";Not A Brand\";v=\"99\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"Windows\"" }, { "name": "upgrade-insecure-requests", "value": "1" }, { "name": "user-agent", "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.54 Safari/537.36" }, { "name": "accept", "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9" }, { "name": "sec-fetch-site", "value": "same-origin" }, { "name": "sec-fetch-mode", "value": "navigate" }, { "name": "sec-fetch-user", "value": "?1" }, { "name": "sec-fetch-dest", "value": "document" }, { "name": "referer", "value": "https://b34myvfw0b.gamma.execute-api.us-east-1.amazonaws.com/pen-test/pets" }, { "name": "accept-encoding", "value": "gzip, deflate, br" }, { "name": "accept-language", "value": "en-US,en;q=0.9" }, { "name": "cookie", "value": "aws-waf-token=51c71352-41f5-4f6d-b676-c24907bdf819:EQoAZ/J+AAQAAAAA:t9wvxbw042wva7E2Y6lgud/bS6YG0CJKVAJqaRqDZ140ythKW0Zj9wKB2O8lSkYDRqf1yONcVBFo5u0eYi0tvT4rtQCXsu+KanAardW8go4QSLw4yoED59lgV7oAhGyCalAzE7ra29j+RvvZPsQyoQuDCrtoY/TvQyMTXIXzGPDC/rKBbg==" } ], "uri": "/pen-test/pets", "args": "", "httpVersion": "HTTP/1.1", "httpMethod": "GET", "requestId": "GINMHHUgoAMFxug=" } }
Beispiel Protokollausgabe für eine CAPTCHA Regel anhand einer Webanforderung, die kein CAPTCHA Token hat
Die folgende Protokollliste bezieht sich auf eine Webanforderung, die einer Regel mit entspricht CAPTCHA Aktion. Die Webanfrage hatte kein CAPTCHA Token und wurde blockiert von AWS WAF.
{ "timestamp": 1632420416512, "formatVersion": 1, "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/captcha-web-acl/585e38b5-afce-4d2a-b417-14fb08b66c67", "terminatingRuleId": "captcha-rule", "terminatingRuleType": "REGULAR", "action": "CAPTCHA", "terminatingRuleMatchDetails": [], "httpSourceName": "APIGW", "httpSourceId": "123456789012:b34myvfw0b:pen-test", "ruleGroupList": [], "rateBasedRuleList": [], "nonTerminatingMatchingRules": [], "requestHeadersInserted": null, "responseCodeSent": 405, "httpRequest": { "clientIp": "72.21.198.65", "country": "US", "headers": [ { "name": "X-Forwarded-For", "value": "72.21.198.65" }, { "name": "X-Forwarded-Proto", "value": "https" }, { "name": "X-Forwarded-Port", "value": "443" }, { "name": "Host", "value": "b34myvfw0b.gamma.execute-api.us-east-1.amazonaws.com" }, { "name": "X-Amzn-Trace-Id", "value": "Root=1-614cc240-18b57ff33c10e5c016b508c5" }, { "name": "sec-ch-ua", "value": "\"Chromium\";v=\"94\", \"Google Chrome\";v=\"94\", \";Not A Brand\";v=\"99\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"Windows\"" }, { "name": "upgrade-insecure-requests", "value": "1" }, { "name": "user-agent", "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.54 Safari/537.36" }, { "name": "accept", "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9" }, { "name": "sec-fetch-site", "value": "cross-site" }, { "name": "sec-fetch-mode", "value": "navigate" }, { "name": "sec-fetch-user", "value": "?1" }, { "name": "sec-fetch-dest", "value": "document" }, { "name": "accept-encoding", "value": "gzip, deflate, br" }, { "name": "accept-language", "value": "en-US,en;q=0.9" } ], "uri": "/pen-test/pets", "args": "", "httpVersion": "HTTP/1.1", "httpMethod": "GET", "requestId": "GINKHEssoAMFsrg=" }, "captchaResponse": { "responseCode": 405, "solveTimestamp": 0, "failureReason": "TOKEN_MISSING" } }