Apresentação de uma nova experiência de console para o AWS WAF
Agora você pode usar a experiência atualizada para acessar a funcionalidade do AWS WAF em qualquer lugar no console. Consulte mais detalhes em Trabalhar com a experiência atualizada do console.
Exemplos de log para tráfego do pacote de proteção (ACL da Web)
Esta seção fornece exemplos de registro em log de tráfego do pacote de proteção (ACL da Web).
exemplo Regra baseada em intervalos 1: configuração da regra com uma chave, definida como Header:dogname
{ "Name": "RateBasedRule", "Priority": 1, "Statement": { "RateBasedStatement": { "Limit": 100, "AggregateKeyType": "CUSTOM_KEYS", "CustomKeys": [ { "Header": { "Name": "dogname", "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ] } } ] } }, "Action": { "Block": {} }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "RateBasedRule" } }
exemplo Regra baseada em intervalos 1: entrada de log para solicitação bloqueada pela regra baseada em intervalos
{ "timestamp":1683355579981, "formatVersion":1, "webaclId": ..., "terminatingRuleId":"RateBasedRule", "terminatingRuleType":"RATE_BASED", "action":"BLOCK", "terminatingRuleMatchDetails":[ ], "httpSourceName":"APIGW", "httpSourceId":"EXAMPLE11:rjvegx5guh:CanaryTest", "ruleGroupList":[ ], "rateBasedRuleList":[ { "rateBasedRuleId": ..., "rateBasedRuleName":"RateBasedRule", "limitKey":"CUSTOMKEYS", "maxRateAllowed":100, "evaluationWindowSec":"120", "customValues":[ { "key":"HEADER", "name":"dogname", "value":"ella" } ] } ], "nonTerminatingMatchingRules":[ ], "requestHeadersInserted":null, "responseCodeSent":null, "httpRequest":{ "clientIp":"52.46.82.45", "country":"FR", "headers":[ { "name":"X-Forwarded-For", "value":"52.46.82.45" }, { "name":"X-Forwarded-Proto", "value":"https" }, { "name":"X-Forwarded-Port", "value":"443" }, { "name":"Host", "value":"rjvegx5guh.execute-api.eu-west-3.amazonaws.com" }, { "name":"X-Amzn-Trace-Id", "value":"Root=1-645566cf-7cb058b04d9bb3ee01dc4036" }, { "name":"dogname", "value":"ella" }, { "name":"User-Agent", "value":"RateBasedRuleTestKoipOneKeyModulePV2" }, { "name":"Accept-Encoding", "value":"gzip,deflate" } ], "uri":"/CanaryTest", "args":"", "httpVersion":"HTTP/1.1", "httpMethod":"GET", "requestId":"Ed0AiHF_CGYF-DA=" } }
exemplo Regra baseada em intervalos 2: configuração de regras com duas chaves, definidas como Header:dogname e Header:catname
{ "Name": "RateBasedRule", "Priority": 1, "Statement": { "RateBasedStatement": { "Limit": 100, "AggregateKeyType": "CUSTOM_KEYS", "CustomKeys": [ { "Header": { "Name": "dogname", "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ] } }, { "Header": { "Name": "catname", "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ] } } ] } }, "Action": { "Block": {} }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "RateBasedRule" } }
exemplo Regra baseada em intervalos 2: entrada de log para solicitação bloqueada pela regra baseada em intervalos
{ "timestamp":1633322211194, "formatVersion":1, "webaclId":..., "terminatingRuleId":"RateBasedRule", "terminatingRuleType":"RATE_BASED", "action":"BLOCK", "terminatingRuleMatchDetails":[ ], "httpSourceName":"APIGW", "httpSourceId":"EXAMPLE11:rjvegx5guh:CanaryTest", "ruleGroupList":[ ], "rateBasedRuleList":[ { "rateBasedRuleId":..., "rateBasedRuleName":"RateBasedRule", "limitKey":"CUSTOMKEYS", "maxRateAllowed":100, "evaluationWindowSec":"120", "customValues":[ { "key":"HEADER", "name":"dogname", "value":"ella" }, { "key":"HEADER", "name":"catname", "value":"goofie" } ] } ], "nonTerminatingMatchingRules":[ ], "requestHeadersInserted":null, "responseCodeSent":null, "httpRequest":{ "clientIp":"52.46.82.35", "country":"FR", "headers":[ { "name":"X-Forwarded-For", "value":"52.46.82.35" }, { "name":"X-Forwarded-Proto", "value":"https" }, { "name":"X-Forwarded-Port", "value":"443" }, { "name":"Host", "value":"23llbyn8v3.execute-api.eu-west-3.amazonaws.com" }, { "name":"X-Amzn-Trace-Id", "value":"Root=1-64556629-17ac754c2ed9f0620e0f2a0c" }, { "name":"catname", "value":"goofie" }, { "name":"dogname", "value":"ella" }, { "name":"User-Agent", "value":"Apache-HttpClient/UNAVAILABLE (Java/11.0.19)" }, { "name":"Accept-Encoding", "value":"gzip,deflate" } ], "uri":"/CanaryTest", "args":"", "httpVersion":"HTTP/1.1", "httpMethod":"GET", "requestId":"EdzmlH5OCGYF1vQ=" } }
exemplo Saída de log para uma regra que foi acionada na detecção de SQLi (encerramento)
{ "timestamp": 1576280412771, "formatVersion": 1, "webaclId": "arn:aws:wafv2:ap-southeast-2:111122223333:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE", "terminatingRuleId": "STMTest_SQLi_XSS", "terminatingRuleType": "REGULAR", "action": "BLOCK", "terminatingRuleMatchDetails": [ { "conditionType": "SQL_INJECTION", "sensitivityLevel": "HIGH", "location": "HEADER", "matchedData": [ "10", "AND", "1" ] } ], "httpSourceName": "-", "httpSourceId": "-", "ruleGroupList": [], "rateBasedRuleList": [], "nonTerminatingMatchingRules": [], "httpRequest": { "clientIp": "1.1.1.1", "country": "AU", "headers": [ { "name": "Host", "value": "localhost:1989" }, { "name": "User-Agent", "value": "curl/7.61.1" }, { "name": "Accept", "value": "*/*" }, { "name": "x-stm-test", "value": "10 AND 1=1" } ], "uri": "/myUri", "args": "", "httpVersion": "HTTP/1.1", "httpMethod": "GET", "requestId": "rid" }, "labels": [ { "name": "value" } ] }
exemplo Saída de log para uma regra que foi acionada na detecção de SQLi (não encerramento)
{ "timestamp":1592357192516 ,"formatVersion":1 ,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9" ,"terminatingRuleId":"Default_Action" ,"terminatingRuleType":"REGULAR" ,"action":"ALLOW" ,"terminatingRuleMatchDetails":[] ,"httpSourceName":"-" ,"httpSourceId":"-" ,"ruleGroupList":[] ,"rateBasedRuleList":[] ,"nonTerminatingMatchingRules": [{ "ruleId":"TestRule" ,"action":"COUNT" ,"ruleMatchDetails": [{ "conditionType":"SQL_INJECTION" ,"sensitivityLevel": "HIGH" ,"location":"HEADER" ,"matchedData":[ "10" ,"and" ,"1"] }] }] ,"httpRequest":{ "clientIp":"3.3.3.3" ,"country":"US" ,"headers":[ {"name":"Host","value":"localhost:1989"} ,{"name":"User-Agent","value":"curl/7.61.1"} ,{"name":"Accept","value":"*/*"} ,{"name":"myHeader","myValue":"10 AND 1=1"} ] ,"uri":"/myUri","args":"" ,"httpVersion":"HTTP/1.1" ,"httpMethod":"GET" ,"requestId":"rid" }, "labels": [ { "name": "value" } ] }
exemplo Saída de log para várias regras acionadas dentro de um grupo de regras (RuleA-XSS é de encerramento e Rule-B é de não encerramento)
{ "timestamp":1592361810888, "formatVersion":1, "webaclId":"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9" ,"terminatingRuleId":"RG-Reference" ,"terminatingRuleType":"GROUP" ,"action":"BLOCK", "terminatingRuleMatchDetails": [{ "conditionType":"XSS" ,"location":"HEADER" ,"matchedData":["<","frameset"] }] ,"httpSourceName":"-" ,"httpSourceId":"-" ,"ruleGroupList": [{ "ruleGroupId":"arn:aws:wafv2:us-east-1:123456789012:global/rulegroup/hello-world/c05lb698-1f11-4m41-aef4-99a506d53f4b" ,"terminatingRule":{ "ruleId":"RuleA-XSS" ,"action":"BLOCK" ,"ruleMatchDetails":null } ,"nonTerminatingMatchingRules": [{ "ruleId":"RuleB-SQLi" ,"action":"COUNT" ,"ruleMatchDetails": [{ "conditionType":"SQL_INJECTION" ,"sensitivityLevel": "LOW" ,"location":"HEADER" ,"matchedData":[ "10" ,"and" ,"1"] }] }] ,"excludedRules":null }] ,"rateBasedRuleList":[] ,"nonTerminatingMatchingRules":[] ,"httpRequest":{ "clientIp":"3.3.3.3" ,"country":"US" ,"headers": [ {"name":"Host","value":"localhost:1989"} ,{"name":"User-Agent","value":"curl/7.61.1"} ,{"name":"Accept","value":"*/*"} ,{"name":"myHeader1","value":"<frameset onload=alert(1)>"} ,{"name":"myHeader2","value":"10 AND 1=1"} ] ,"uri":"/myUri" ,"args":"" ,"httpVersion":"HTTP/1.1" ,"httpMethod":"GET" ,"requestId":"rid" }, "labels": [ { "name": "value" } ] }
exemplo Saída de log para uma regra que foi acionada para a inspeção de corpo da solicitação com o tipo de conteúdo JSON
O AWS WAF atualmente relata a localização da inspeção de corpo JSON como UNKNOWN.
{ "timestamp": 1576280412771, "formatVersion": 1, "webaclId": "arn:aws:wafv2:ap-southeast-2:123456789012:regional/webacl/test/111", "terminatingRuleId": "STMTest_SQLi_XSS", "terminatingRuleType": "REGULAR", "action": "BLOCK", "terminatingRuleMatchDetails": [ { "conditionType": "SQL_INJECTION", "sensitivityLevel": "LOW", "location": "UNKNOWN", "matchedData": [ "10", "AND", "1" ] } ], "httpSourceName": "ALB", "httpSourceId": "alb", "ruleGroupList": [], "rateBasedRuleList": [], "nonTerminatingMatchingRules": [], "requestHeadersInserted":null, "responseCodeSent":null, "httpRequest": { "clientIp": "1.1.1.1", "country": "AU", "headers": [], "uri": "", "args": "", "httpVersion": "HTTP/1.1", "httpMethod": "POST", "requestId": "null" }, "labels": [ { "name": "value" } ] }
exemplo Saída de log para uma regra CAPTCHA em relação a uma solicitação da web com um token CAPTCHA válido e não expirado
A lista de logs a seguir é para uma solicitação da web que correspondeu a uma regra com uma ação CAPTCHA. A solicitação da web tem um token CAPTCHA válido e não expirado e só é percebida como uma correspondência de CAPTCHA pelo AWS WAF, semelhante ao comportamento da ação Count. Essa correspondência de CAPTCHA está indicada em nonTerminatingMatchingRules.
{ "timestamp": 1632420429309, "formatVersion": 1, "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/captcha-web-acl/585e38b5-afce-4d2a-b417-14fb08b66c67", "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR", "action": "ALLOW", "terminatingRuleMatchDetails": [], "httpSourceName": "APIGW", "httpSourceId": "123456789012:b34myvfw0b:pen-test", "ruleGroupList": [], "rateBasedRuleList": [], "nonTerminatingMatchingRules": [ { "ruleId": "captcha-rule", "action": "CAPTCHA", "ruleMatchDetails": [], "captchaResponse": { "responseCode": 0, "solveTimestamp": 1632420429 } } ], "requestHeadersInserted": [ { "name": "x-amzn-waf-test-header-name", "value": "test-header-value" } ], "responseCodeSent": null, "httpRequest": { "clientIp": "72.21.198.65", "country": "US", "headers": [ { "name": "X-Forwarded-For", "value": "72.21.198.65" }, { "name": "X-Forwarded-Proto", "value": "https" }, { "name": "X-Forwarded-Port", "value": "443" }, { "name": "Host", "value": "b34myvfw0b.gamma.execute-api.us-east-1.amazonaws.com" }, { "name": "X-Amzn-Trace-Id", "value": "Root=1-614cc24d-5ad89a09181910c43917a888" }, { "name": "cache-control", "value": "max-age=0" }, { "name": "sec-ch-ua", "value": "\"Chromium\";v=\"94\", \"Google Chrome\";v=\"94\", \";Not A Brand\";v=\"99\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"Windows\"" }, { "name": "upgrade-insecure-requests", "value": "1" }, { "name": "user-agent", "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.54 Safari/537.36" }, { "name": "accept", "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9" }, { "name": "sec-fetch-site", "value": "same-origin" }, { "name": "sec-fetch-mode", "value": "navigate" }, { "name": "sec-fetch-user", "value": "?1" }, { "name": "sec-fetch-dest", "value": "document" }, { "name": "referer", "value": "https://b34myvfw0b.gamma.execute-api.us-east-1.amazonaws.com/pen-test/pets" }, { "name": "accept-encoding", "value": "gzip, deflate, br" }, { "name": "accept-language", "value": "en-US,en;q=0.9" }, { "name": "cookie", "value": "aws-waf-token=51c71352-41f5-4f6d-b676-c24907bdf819:EQoAZ/J+AAQAAAAA:t9wvxbw042wva7E2Y6lgud/bS6YG0CJKVAJqaRqDZ140ythKW0Zj9wKB2O8lSkYDRqf1yONcVBFo5u0eYi0tvT4rtQCXsu+KanAardW8go4QSLw4yoED59lgV7oAhGyCalAzE7ra29j+RvvZPsQyoQuDCrtoY/TvQyMTXIXzGPDC/rKBbg==" } ], "uri": "/pen-test/pets", "args": "", "httpVersion": "HTTP/1.1", "httpMethod": "GET", "requestId": "GINMHHUgoAMFxug=" } }
exemplo Saída de log para uma regra CAPTCHA em relação a uma solicitação da web que não tem um token CAPTCHA
A lista de logs a seguir é para uma solicitação da web que correspondeu a uma regra com uma ação CAPTCHA. A solicitação da web não tinha um token CAPTCHA e foi bloqueada pelo AWS WAF.
{ "timestamp": 1632420416512, "formatVersion": 1, "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/captcha-web-acl/585e38b5-afce-4d2a-b417-14fb08b66c67", "terminatingRuleId": "captcha-rule", "terminatingRuleType": "REGULAR", "action": "CAPTCHA", "terminatingRuleMatchDetails": [], "httpSourceName": "APIGW", "httpSourceId": "123456789012:b34myvfw0b:pen-test", "ruleGroupList": [], "rateBasedRuleList": [], "nonTerminatingMatchingRules": [], "requestHeadersInserted": null, "responseCodeSent": 405, "httpRequest": { "clientIp": "72.21.198.65", "country": "US", "headers": [ { "name": "X-Forwarded-For", "value": "72.21.198.65" }, { "name": "X-Forwarded-Proto", "value": "https" }, { "name": "X-Forwarded-Port", "value": "443" }, { "name": "Host", "value": "b34myvfw0b.gamma.execute-api.us-east-1.amazonaws.com" }, { "name": "X-Amzn-Trace-Id", "value": "Root=1-614cc240-18b57ff33c10e5c016b508c5" }, { "name": "sec-ch-ua", "value": "\"Chromium\";v=\"94\", \"Google Chrome\";v=\"94\", \";Not A Brand\";v=\"99\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"Windows\"" }, { "name": "upgrade-insecure-requests", "value": "1" }, { "name": "user-agent", "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.54 Safari/537.36" }, { "name": "accept", "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9" }, { "name": "sec-fetch-site", "value": "cross-site" }, { "name": "sec-fetch-mode", "value": "navigate" }, { "name": "sec-fetch-user", "value": "?1" }, { "name": "sec-fetch-dest", "value": "document" }, { "name": "accept-encoding", "value": "gzip, deflate, br" }, { "name": "accept-language", "value": "en-US,en;q=0.9" } ], "uri": "/pen-test/pets", "args": "", "httpVersion": "HTTP/1.1", "httpMethod": "GET", "requestId": "GINKHEssoAMFsrg=" }, "captchaResponse": { "responseCode": 405, "solveTimestamp": 0, "failureReason": "TOKEN_MISSING" } }
