Log Tank Service (LTS) - Analyzing Huawei Cloud WAF Logs on the LTS Console: WAF Attack Structured Template Log Details
WAF Attack Structured Template Log Details
- WAF attack log example

Table 3 Structured template example

| Template name | Example log |
|---|---|
| WAF attack log | {"policy_id":"cd081ba3d6674000acc37d7e2a4b9140","hport":"80","body_bytes_sent":"163","hostid":"1736cc7331b74b198e2ef07555a970ce","rule":"040002","engine_ip":"10.63.36.208","pid":"2152","http_host":"www.testh.com","process_time":"1","reqid":"0000-0000-0000-20820220729193940-f34cf25e","time_iso8601":"2022-07-29T19:39:40+08:00","upstream_status":"504","hit_data":"public/../style/general.css","attack_stream_id":"98de5d5a-9f54-4d01-9882-eca7bec99d09","remote_ip":"10.63.46.110","attack":"lfi","tenantid":"1d26cc8c86a840e28a4f8d0d07852f1d","host":"www.testh.com","action":"log","backend":{"protocol":"HTTP","alive":true,"port":80,"host":"100.93.2.229","weight":1,"type":"ip"},"id":"04-0000-0000-0000-20820220729193940-f34cf25e","sip":"10.63.46.110","projectid":"2a473356cca5487f8373be891bffc1cf","web_tag":"","attack-time":"2022-07-29T11:39:40.000Z","method":"GET","cookie":"{\"HWWAFSESTIME\":\"1659094780939\",\"HWWAFSESID\":\"e2cd0733b4712e4cc4\"}","level":2,"params":"{\"public\/..\/style\/general.css\":\"true\"}","x_real_ip":"","uri":"/","x_forwarded_for":"","cdn_src_ip":"","enterprise_project_id":"0","req_body":"","engine_id":"","group_id":"5d574e6a-87da-42bc-bfd4-ff61a1b336a4","requestid":"f34cf25eb33ed82cd7261a8276a60c39","multipart":"null","header":"{\"host\":\"www.testh.com\",\"user-agent\":\"curl\/7.29.0\",\"accept\":\"*\/*\"}","location":"params","upstream_response_time":"30.000","time":"2022-07-29 19:39:40","category":"attack","sport":28408,"status":"504"} |
- Structured fields and field descriptions

Table 4 Structured fields

| Field | Example | Description | Type |
|---|---|---|---|
| policy_id | cd081ba3d6674000acc37d7e2a4b9140 | Protection policy ID | string |
| hport | 80 | Requested server port | string |
| body_bytes_sent | 163 | Number of response body bytes sent to the client | string |
| hostid | 1736cc7331b74b198e2ef07555a970ce | Protected domain name ID (upstream_id) | string |
| rule | 040002 | ID of the triggered rule, or a description of the custom policy type | string |
| engine_ip | 10.63.36.208 | Engine IP address | string |
| pid | 2152 | Process ID | string |
| http_host | www.testh.com | Requested server domain name | string |
| process_time | 1 | Time spent by the engine on detection | string |
| reqid | 0000-0000-0000-20820220729193940-f34cf25e | Random ID | string |
| time_iso8601 | 2022-07-29T19:39:40+08:00 | Log time in ISO 8601 format | string |
| upstream_status | 504 | Response code returned by the backend server | string |
| hit_data | public/../style/general.css | String that triggered the malicious payload match | string |
| attack_stream_id | 98de5d5a-9f54-4d01-9882-eca7bec99d09 | Log stream ID | string |
| remote_ip | 10.63.46.110 | Client IP address of the request | string |
| attack | lfi | Attack type; present only in attack logs. Values: default (default); sqli (SQL injection); xss (cross-site scripting); webshell (web shell); robot (malicious crawler); cmdi (command injection); rfi (remote file inclusion); lfi (local file inclusion); illegal (illegal request); vuln (vulnerability exploitation); cc (CC protection rule hit); custom_custom (precise protection rule hit); custom_whiteip (IP blacklist/whitelist rule hit); custom_geoip (geolocation access control rule hit); antitamper (web tamper protection rule hit); anticrawler (JavaScript challenge anti-crawler rule hit); leakage (information leakage prevention rule hit); followed_action (attack punishment; see Configuring Attack Punishment) | string |
| tenantid | 1d26cc8c86a840e28a4f8d0d07852f1d | Tenant ID of the protected domain name | string |
| host | www.testh.com | Requested server domain name | string |
| action | log | WAF protective action: block (block), log (log only), captcha (human-machine verification) | string |
| backend.protocol | HTTP | Protocol of the current backend | string |
| backend.alive | true | Status of the current backend | string |
| backend.port | 80 | Port of the current backend | long |
| backend.host | 100.93.2.229 | Host value of the current backend | string |
| backend.weight | 1 | Weight of the current backend | long |
| backend.type | ip | Host type of the current backend | string |
| id | 04-0000-0000-0000-20820220729193940-f34cf25e | Request ID | string |
| sip | 10.63.46.110 | Client IP address of the request | string |
| projectid | 2a473356cca5487f8373be891bffc1cf | Project ID of the protected domain name | string |
| web_tag | - | Website name | string |
| attack-time | 2022-07-29T11:39:40.000Z | Attack time | string |
| method | GET | Request method | string |
| cookie | {"HWWAFSESTIME":"1659094780939","HWWAFSESID":"e2cd0733b4712e4cc4"} | Cookie content | string |
| level | 2 | Basic web protection policy level: 1 (loose), 2 (medium), 3 (strict) | long |
| params | {"public\/..\/style\/general.css":"true"} | Parameters following the request URI | string |
| x_real_ip | - | Real client IP address when a proxy is deployed in front of WAF | string |
| uri | / | Request URI | string |
| x_forwarded_for | - | Content of the x_forwarded_for request header | string |
| cdn_src_ip | - | Client IP address identified by the CDN when a CDN is deployed in front of WAF | string |
| enterprise_project_id | 0 | ID of the enterprise project that the requested domain name belongs to | string |
| req_body | - | Request body | string |
| engine_id | - | WAF engine identifier | string |
| group_id | 5d574e6a-87da-42bc-bfd4-ff61a1b336a4 | Group ID | string |
| requestid | f34cf25eb33ed82cd7261a8276a60c39 | Random ID | string |
| multipart | null | Multipart request content | string |
| header | {"host":"www.testh.com","user-agent":"curl\/7.29.0","accept":"*\/*"} | Request header information | string |
| location | params | Location where the malicious payload was matched | string |
| upstream_response_time | 30.000 | Backend server response time | string |
| time | 2022-07-29 19:39:40 | Log time | string |
| waf_category | attack | WAF log category | string |
| sport | 28408 | Client source port | long |
| status | 504 | Response status code of the request | string |
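The following Python is an added example, not code from the LTS documentation or from Huawei Cloud WAF. It takes the Table 3 example line (embedded verbatim as constructed sample input), turns it into the Table 4 field layout (dotted backend.* keys, long-typed fields cast to int, the JSON-in-a-string cookie/params/header fields decoded), and then runs the checks an analyst wants on one attack record: which address to pivot on, whether attack-time (UTC) and time_iso8601 (local offset) agree, and whether a matched attack was only logged rather than blocked. The mapping of the raw line's "category" key to the template's waf_category field, and the helper names, are this example's own assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed input: the Table 3 example line, embedded verbatim as a raw string.
SAMPLE_LOG = r'''{"policy_id":"cd081ba3d6674000acc37d7e2a4b9140","hport":"80","body_bytes_sent":"163","hostid":"1736cc7331b74b198e2ef07555a970ce","rule":"040002","engine_ip":"10.63.36.208","pid":"2152","http_host":"www.testh.com","process_time":"1","reqid":"0000-0000-0000-20820220729193940-f34cf25e","time_iso8601":"2022-07-29T19:39:40+08:00","upstream_status":"504","hit_data":"public/../style/general.css","attack_stream_id":"98de5d5a-9f54-4d01-9882-eca7bec99d09","remote_ip":"10.63.46.110","attack":"lfi","tenantid":"1d26cc8c86a840e28a4f8d0d07852f1d","host":"www.testh.com","action":"log","backend":{"protocol":"HTTP","alive":true,"port":80,"host":"100.93.2.229","weight":1,"type":"ip"},"id":"04-0000-0000-0000-20820220729193940-f34cf25e","sip":"10.63.46.110","projectid":"2a473356cca5487f8373be891bffc1cf","web_tag":"","attack-time":"2022-07-29T11:39:40.000Z","method":"GET","cookie":"{\"HWWAFSESTIME\":\"1659094780939\",\"HWWAFSESID\":\"e2cd0733b4712e4cc4\"}","level":2,"params":"{\"public\/..\/style\/general.css\":\"true\"}","x_real_ip":"","uri":"/","x_forwarded_for":"","cdn_src_ip":"","enterprise_project_id":"0","req_body":"","engine_id":"","group_id":"5d574e6a-87da-42bc-bfd4-ff61a1b336a4","requestid":"f34cf25eb33ed82cd7261a8276a60c39","multipart":"null","header":"{\"host\":\"www.testh.com\",\"user-agent\":\"curl\/7.29.0\",\"accept\":\"*\/*\"}","location":"params","upstream_response_time":"30.000","time":"2022-07-29 19:39:40","category":"attack","sport":28408,"status":"504"}'''

# Fields that Table 4 types as long; everything else stays a string.
LONG_FIELDS = {"backend.port", "backend.weight", "level", "sport"}
# Fields that carry a JSON document serialized into a string.
JSON_STRING_FIELDS = {"cookie", "params", "header"}


def flatten(obj, prefix=""):
    """Flatten nested objects into dotted keys (backend -> backend.port, ...)."""
    out = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def parse_waf_log(line):
    """Parse one raw WAF attack log line into the structured-field layout of Table 4."""
    fields = flatten(json.loads(line))
    for name in JSON_STRING_FIELDS:
        value = fields.get(name)
        if isinstance(value, str) and value not in ("", "null"):
            try:
                fields[name] = json.loads(value)
            except json.JSONDecodeError:
                pass  # malformed nested JSON: keep the raw string rather than drop the event
    for name in LONG_FIELDS:
        if fields.get(name) not in (None, ""):
            fields[name] = int(fields[name])
    # Assumption: the raw line's "category" is what the template exposes as waf_category.
    if "waf_category" not in fields and "category" in fields:
        fields["waf_category"] = fields["category"]
    return fields


def client_ip(fields):
    """Pick the client address to pivot on.

    cdn_src_ip, x_real_ip and x_forwarded_for are only meaningful when a CDN or proxy
    really sits in front of WAF; otherwise they are attacker-controlled headers.
    remote_ip is the TCP peer WAF itself saw and is always present.
    """
    for name in ("cdn_src_ip", "x_real_ip"):
        if fields.get(name):
            return fields[name]
    xff = fields.get("x_forwarded_for", "")
    if xff:
        return xff.split(",")[0].strip()  # leftmost hop is the original client
    return fields.get("remote_ip") or fields.get("sip")


def attack_time_utc(fields):
    """attack-time is UTC (trailing Z); time_iso8601 carries the engine's local offset."""
    return datetime.strptime(fields["attack-time"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def timestamps_agree(fields):
    """True when attack-time and time_iso8601 denote the same instant."""
    local = datetime.fromisoformat(fields["time_iso8601"])
    return local.astimezone(timezone.utc) == attack_time_utc(fields)


def triage(fields):
    """Findings an analyst wants from one attack record (hypothetical rule set)."""
    findings = []
    if fields.get("waf_category") != "attack":
        return findings
    if fields.get("action") == "log":
        findings.append(
            f"{fields['attack']} matched rule {fields['rule']} in policy {fields['policy_id']} "
            f"but action=log: the request was forwarded, not blocked"
        )
    if fields.get("attack") in ("lfi", "rfi") and ".." in str(fields.get("hit_data", "")):
        findings.append(f"traversal payload in {fields['location']}: {fields['hit_data']}")
    status = str(fields.get("upstream_status", ""))
    if status.isdigit() and int(status) >= 500:
        findings.append(
            f"backend {fields['backend.host']}:{fields['backend.port']} answered {status} "
            f"after {fields['upstream_response_time']}s"
        )
    return findings


if __name__ == "__main__":
    parsed = parse_waf_log(SAMPLE_LOG)
    print("client:", client_ip(parsed), "at", attack_time_utc(parsed).isoformat())
    for finding in triage(parsed):
        print("-", finding)
```

Run on the example record, triage reports three things: the lfi match was only logged (action=log) so the request reached the origin; the payload sat in params; and the backend answered 504 after 30.000 (the upstream_response_time value, whose unit the documentation does not state). Decoding the nested cookie/params/header strings is what makes the HWWAFSESID session cookie and the user-agent queryable as keys instead of substrings.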