Querying for blocked requests or addresses
The examples in this section query for blocked requests or addresses.
- Extract the top 100 IP addresses blocked by a specified rule type
- Count the number of times a request from a specified country has been blocked
- Count the number of times a request has been blocked, grouping by specific attributes
- Count the number of times a specific terminating rule ID has been matched
- Retrieve the top 100 IP addresses blocked during a specified date range
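Example – Extract the top 100 IP addresses blocked by a specified rule type
The following query extracts and counts the top 100 IP addresses that have been blocked by the RATE_BASED terminating rule during the specified date range.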
SELECT COUNT(httpRequest.clientIp) as count, httpRequest.clientIp FROM waf_logs WHERE terminatingruletype='RATE_BASED' AND action='BLOCK' and "date" >= '2021/03/01' AND "date" < '2021/03/31' GROUP BY httpRequest.clientIp ORDER BY count DESC LIMIT 100
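Example – Count the number of times a request from a specified country has been blocked
The following query counts the number of times requests from IP addresses that belong to Ireland (IE) have been blocked by the RATE_BASED terminating rule.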
SELECT COUNT(httpRequest.country) as count, httpRequest.country FROM waf_logs WHERE terminatingruletype='RATE_BASED' AND httpRequest.country='IE' GROUP BY httpRequest.country ORDER BY count LIMIT 100;
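Example – Count the number of times a request has been blocked, grouping by specific attributes
The following query counts the number of times the request has been blocked, with results grouped by WebACL, RuleId, ClientIP, and HTTP Request URI.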
SELECT COUNT(*) AS count, webaclid, terminatingruleid, httprequest.clientip, httprequest.uri FROM waf_logs WHERE action='BLOCK' GROUP BY webaclid, terminatingruleid, httprequest.clientip, httprequest.uri ORDER BY count DESC LIMIT 100;
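Example – Count the number of times a specific terminating rule ID has been matched
The following query counts the number of times a specific terminating rule ID has been matched (WHERE terminatingruleid='e9dd190d-7a43-4c06-bcea-409613d9506e'). The query then groups the results by WebACL, Action, ClientIP, and HTTP Request URI.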
SELECT COUNT(*) AS count, webaclid, action, httprequest.clientip, httprequest.uri FROM waf_logs WHERE terminatingruleid='e9dd190d-7a43-4c06-bcea-409613d9506e' GROUP BY webaclid, action, httprequest.clientip, httprequest.uri ORDER BY count DESC LIMIT 100;
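Example – Retrieve the top 100 IP addresses blocked during a specified date range
The following query retrieves the top 100 IP addresses that have been blocked during the specified date range. The query also lists the number of times each IP address has been blocked.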
SELECT "httprequest"."clientip", "count"(*) "ipcount", "httprequest"."country" FROM waf_logs WHERE "action" = 'BLOCK' and "date" >= '2021/03/01' AND "date" < '2021/03/31' GROUP BY "httprequest"."clientip", "httprequest"."country" ORDER BY "ipcount" DESC limit 100
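The queries above can be combined into one per-address triage view. The following is an added example, not part of the original page, and it goes beyond the individual queries by summarizing, for each blocked address in the date range, how many distinct URIs and terminating rules were involved and how many blocks came from RATE_BASED rules. It assumes the same waf_logs table and "date" partition column used above; the output column names and the threshold of 10 are constructed for illustration.

```sql
-- Added example: per-client summary of blocked requests.
-- Assumes the waf_logs table and "date" partition column from the queries above.
WITH blocked AS (
    SELECT
        httprequest.clientip AS clientip,
        httprequest.country  AS country,
        httprequest.uri      AS uri,
        terminatingruleid,
        terminatingruletype
    FROM waf_logs
    WHERE action = 'BLOCK'
      AND "date" >= '2021/03/01'
      AND "date" <  '2021/03/31'
)
SELECT
    clientip,
    country,
    COUNT(*)                          AS blocked_requests,
    -- Many distinct URIs suggests broad probing; one URI suggests a single noisy endpoint.
    COUNT(DISTINCT uri)               AS distinct_uris,
    -- Several distinct rules firing for one address is a stronger signal than one rule.
    COUNT(DISTINCT terminatingruleid) AS distinct_rules,
    -- Share of the blocks that came from rate limiting rather than content rules.
    SUM(CASE WHEN terminatingruletype = 'RATE_BASED' THEN 1 ELSE 0 END) AS rate_based_blocks
FROM blocked
GROUP BY clientip, country
HAVING COUNT(*) >= 10                 -- constructed threshold; tune to your traffic volume
ORDER BY blocked_requests DESC
LIMIT 100;
```

Filtering on the "date" partition column inside the CTE keeps the scan limited to the partitions for the chosen range.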