AWSWAFLog
Overview
AWS Web Application Firewall (WAF) lets you monitor the HTTP and HTTPS requests that are forwarded to your protected web application resources. You can protect the following resource types: Amazon CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer, AWS AppSync GraphQL API, Amazon Cognito user pool and AWS App Runner service. AWS WAF lets you control access to your content based on conditions that you define, such as blocking requests that originate from particular IP addresses or that carry particular query string values.
AWS WAF is a web application firewall that helps protect web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF uses security rules that block common attack patterns, such as SQL injection, cross-site scripting, or items in the OWASP Top 10 security risks. These rules are regularly updated as new issues emerge.
Collection
AWS WAF can be configured to log web ACL traffic and publish the log events to an Amazon CloudWatch Logs log group. The log group name must begin with aws-waf-logs-, otherwise AWS WAF will not accept it as a logging destination.
The CloudWatch Logs log group is then given a subscription filter that delivers the published log events to an Amazon Kinesis Data Stream. The subscription filter uses an IAM role that CloudWatch Logs assumes to write to the stream, and each Kinesis record carries the log events as a gzip-compressed JSON envelope.
Finally, Snare Central is configured to periodically call the AWS Kinesis API to pull the log data stored in the Kinesis Data Stream, decompress it and map each WAF log event onto the table fields listed below.
Sample Log Event
Table Fields
Field | Description |
---|---|
DATE | timestamp - The date part, in YYYY-MM-DD format, of the event timestamp. The source value is an integer of milliseconds since the Unix epoch (1970-01-01 00:00:00 UTC) and is converted to an RFC 3339 UTC time (Go layout "2006-01-02T15:04:05Z") before the date is taken. |
TIME | timestamp - The time part, in HH:MM:SS format, of the same converted timestamp. |
SYSTEM | Host - The host name taken from the Host request header (the httpRequest.headers entry with name "Host", for example value "localhost:1985"), with the port removed if one is present. |
TABLE | AWSWAFLog |
COLLECTIONDATETIME | Snare Central's local date and time of the actual log collection from the AWS Kinesis Data Stream, in RFC3339Nano format. |
CWLDATETIME | The timestamp that AWS CloudWatch Logs assigned when it received the event log from AWS WAF, in RFC3339Nano format. |
DATETIME | timestamp - The full event timestamp, converted from milliseconds since the Unix epoch (1970-01-01 00:00:00 UTC) to RFC3339Nano format. |
ACTION | action - The action that was applied to the request. Allow and Block are terminating rule actions, Count is a non-terminating rule action while CAPTCHA and Challenge are non-terminating if the request includes a valid token and terminating if it doesn't. |
ARGS | args - The query string. |
CLIENTIP | clientIp - The IP address of the client sending the request. |
COUNTRY | country - The source country of the request. If AWS WAF is unable to determine the country of origin, it sets this field to "-". |
HTTPMETHOD | httpMethod - The HTTP method in the request. |
HTTPSOURCEID | httpSourceId - The ID of the associated resource. |
HTTPSOURCENAME | httpSourceName - The source of the request. Possible values are CF for Amazon CloudFront, APIGW for Amazon API Gateway, ALB for Application Load Balancer, APPSYNC for AWS AppSync, COGNITOIDP for Amazon Cognito, and APPRUNNER for App Runner. |
NONTERMINATINGMATCHINGRULES | nonTerminatingMatchingRules - The list of non-terminating rules that matched the request. Each entry contains action (the action that AWS WAF applied to the request), overriddenAction (used only for rule group rules that have a rule action override in place in the web ACL), ruleId (the ID of the non-terminating rule that matched the request) and ruleMatchDetails (detailed information about the rule that matched the request; populated only for SQL injection and cross-site scripting (XSS) match rule statements, and provided as an array of match criteria because a matching rule might require a match for more than one inspection criterion). |
PORT | X-Forwarded-Port - The value of the X-Forwarded-Port request header (the httpRequest.headers entry with name "X-Forwarded-Port", for example value "1985") or, failing that, the port part of the Host header value (for example "localhost:1985"). |
RESPONSECODESENT | responseCodeSent - The response code sent with a custom response. |
REQUESTID | requestId - The ID of the request, which is generated by the underlying host service. For Application Load Balancer, this is the trace ID. |
RULEGROUPLIST | ruleGroupList - The list of rule groups that acted on this request, with match information. |
TERMINATINGRULEID | terminatingRuleId - The ID of the rule that terminated the request. If nothing terminates the request, the value is Default_Action. |
TERMINATINGRULEMATCHDETAILS | terminatingRuleMatchDetails - Detailed information about the terminating rule that matched the request. During inspection of a web request, AWS WAF stops at the first matching rule that has a terminating action and applies that action, so the request might contain other threats in addition to the one reported in the log for the terminating rule. |
TERMINATINGRULETYPE | terminatingRuleType - The type of rule that terminated the request. Possible values: RATE_BASED, REGULAR, GROUP, and MANAGED_RULE_GROUP. |
URI | uri - The URI of the request. |
USERAGENT | User-Agent - The value of the User-Agent request header (the header name may appear as User-Agent or user-agent); the agent through which the request was made. |
WEBACLID | webaclId - The GUID of the web ACL. |
SNAREDATAMAP | All unclassified fields in the log event, that is, every key not mapped to one of the columns above, are pushed into the SNAREDATAMAP. |
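The following is an added example, not Snare Central's own code, that ties the Collection section to the table above: it builds the gzip-compressed JSON envelope a CloudWatch Logs subscription filter writes to Kinesis, decodes it the way a poller would after a GetRecords call (the data blob comes back base64-encoded), and maps each WAF log event onto the AWSWAFLog columns, including the Host/X-Forwarded-Port derivation and the SNAREDATAMAP catch-all. The two WAF events, the account ID, the log group and stream names, the web ACL identifier and the resource ID are all constructed for illustration.

```python
"""Decode a CloudWatch Logs subscription record from Kinesis and map each AWS WAF
web ACL log event onto the AWSWAFLog table fields. Sample data is constructed."""
import base64
import gzip
import json
from datetime import datetime, timezone

TABLE = "AWSWAFLog"
# WAF log keys that map 1:1 onto table columns; everything else lands in SNAREDATAMAP.
TOP_LEVEL = {
    "action": "ACTION", "httpSourceId": "HTTPSOURCEID", "httpSourceName": "HTTPSOURCENAME",
    "nonTerminatingMatchingRules": "NONTERMINATINGMATCHINGRULES",
    "responseCodeSent": "RESPONSECODESENT", "ruleGroupList": "RULEGROUPLIST",
    "terminatingRuleId": "TERMINATINGRULEID", "terminatingRuleMatchDetails": "TERMINATINGRULEMATCHDETAILS",
    "terminatingRuleType": "TERMINATINGRULETYPE", "webaclId": "WEBACLID",
}
REQUEST_LEVEL = {"args": "ARGS", "clientIp": "CLIENTIP", "country": "COUNTRY",
                 "httpMethod": "HTTPMETHOD", "requestId": "REQUESTID", "uri": "URI"}
DERIVED_HEADERS = ("host", "user-agent", "x-forwarded-port")  # consumed by SYSTEM/PORT/USERAGENT

def rfc3339(ms):
    """Epoch milliseconds (UTC) -> '2023-11-14T22:13:20.123Z' (RFC 3339, ms precision)."""
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + ".%03dZ" % (ms % 1000)

def find_header(headers, name):
    """Case-insensitive lookup: WAF logs header names exactly as the client sent them."""
    for h in headers:
        if h.get("name", "").lower() == name.lower():
            return h.get("value")
    return None

def split_host(host):
    """'host[:port]' -> (host, port). Bracketed IPv6 literals keep their brackets."""
    if not host:
        return None, None
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        return name, port
    return host, None

def map_event(waf, cwl_timestamp_ms, collected_at):
    """Build one AWSWAFLog row from a WAF log event and its CloudWatch ingestion time."""
    req = waf.get("httpRequest", {})
    headers = req.get("headers", [])
    host, host_port = split_host(find_header(headers, "Host"))
    ts = rfc3339(waf["timestamp"])
    row = {
        "DATE": ts[:10], "TIME": ts[11:19], "DATETIME": ts, "SYSTEM": host, "TABLE": TABLE,
        "COLLECTIONDATETIME": collected_at, "CWLDATETIME": rfc3339(cwl_timestamp_ms),
        # X-Forwarded-Port wins; fall back to the port part of the Host header.
        "PORT": find_header(headers, "X-Forwarded-Port") or host_port,
        "USERAGENT": find_header(headers, "User-Agent"),
    }
    row.update({col: waf.get(key) for key, col in TOP_LEVEL.items()})
    row.update({col: req.get(key) for key, col in REQUEST_LEVEL.items()})
    # Unclassified keys (formatVersion, rateBasedRuleList, labels, httpVersion, other headers ...)
    extra = {k: v for k, v in waf.items() if k not in TOP_LEVEL and k not in ("timestamp", "httpRequest")}
    extra.update({"httpRequest." + k: v for k, v in req.items() if k not in REQUEST_LEVEL and k != "headers"})
    extra["httpRequest.headers"] = [h for h in headers if h.get("name", "").lower() not in DERIVED_HEADERS]
    row["SNAREDATAMAP"] = extra
    return row

def build_subscription_record(waf_events, cwl_timestamp_ms, message_type="DATA_MESSAGE"):
    """What a CloudWatch Logs subscription filter writes to Kinesis: a gzip'd JSON envelope whose
    logEvents carry each WAF event as a JSON string. GetRecords returns the blob base64-encoded."""
    envelope = {
        "messageType": message_type, "owner": "123456789012",  # constructed account ID
        "logGroup": "aws-waf-logs-example",  # WAF log group names must start with aws-waf-logs-
        "logStream": "example-stream", "subscriptionFilters": ["snare-central"],
        "logEvents": [{"id": str(i), "timestamp": cwl_timestamp_ms, "message": json.dumps(ev)}
                      for i, ev in enumerate(waf_events)],
    }
    return base64.b64encode(gzip.compress(json.dumps(envelope).encode())).decode()

def decode_subscription_record(b64_data):
    """Return [(waf_event, cwl_timestamp_ms)]. A CONTROL_MESSAGE envelope (sent by CloudWatch Logs
    when the subscription is created, to verify the destination) carries no log events."""
    envelope = json.loads(gzip.decompress(base64.b64decode(b64_data)))
    if envelope.get("messageType") != "DATA_MESSAGE":
        return []
    return [(json.loads(e["message"]), e["timestamp"]) for e in envelope["logEvents"]]

def collect(b64_data, collected_at=None):
    """One polled Kinesis record -> list of AWSWAFLog rows."""
    collected_at = collected_at or rfc3339(int(datetime.now(timezone.utc).timestamp() * 1000))
    return [map_event(ev, ts, collected_at) for ev, ts in decode_subscription_record(b64_data)]

# Constructed sample WAF log events (not captured from a real web ACL).
_ACL = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example-acl/0a1b2c3d"
_SRC = "123456789012-app/example-alb/0123456789abcdef"
SAMPLE_EVENTS = [
    {"timestamp": 1700000000123, "formatVersion": 1, "webaclId": _ACL, "action": "BLOCK",
     "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet", "terminatingRuleType": "MANAGED_RULE_GROUP",
     "terminatingRuleMatchDetails": [{"conditionType": "SQL_INJECTION", "location": "QUERY_STRING",
                                      "matchedData": ["1", "or", "1=1"]}],
     "httpSourceName": "ALB", "httpSourceId": _SRC, "ruleGroupList": [], "rateBasedRuleList": [],
     "nonTerminatingMatchingRules": [],
     "httpRequest": {"clientIp": "203.0.113.10", "country": "US", "uri": "/login",
                     "args": "user=1%20or%201%3D1", "httpVersion": "HTTP/1.1", "httpMethod": "GET",
                     "requestId": "Root=1-65540d70-0123456789abcdef01234567",
                     "headers": [{"name": "Host", "value": "localhost:1985"},
                                 {"name": "User-Agent", "value": "curl/8.4.0"},
                                 {"name": "X-Forwarded-Port", "value": "1985"}]}},
    {"timestamp": 1700000000999, "formatVersion": 1, "webaclId": _ACL, "action": "ALLOW",
     "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
     "terminatingRuleMatchDetails": [], "httpSourceName": "ALB", "httpSourceId": _SRC,
     "ruleGroupList": [], "rateBasedRuleList": [], "nonTerminatingMatchingRules": [],
     "httpRequest": {"clientIp": "2001:db8::10", "country": "-", "uri": "/healthz", "args": "",
                     "httpVersion": "HTTP/1.1", "httpMethod": "GET",
                     "requestId": "Root=1-65540d70-89abcdef0123456701234567",
                     "headers": [{"name": "host", "value": "[2001:db8::1]:8443"}]}},  # no X-Forwarded-Port
]

if __name__ == "__main__":
    for row in collect(build_subscription_record(SAMPLE_EVENTS, 1700000000500)):
        print(json.dumps(row, indent=1))
```

Two details matter when you write your own poller: the `messageType` check, because the first record on a fresh subscription is a CONTROL_MESSAGE with no events, and the header lookup being case-insensitive, because WAF records header names as the client sent them, so a lowercase `host` header would otherwise leave SYSTEM and PORT empty.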
Notes
Log fields for web ACL traffic - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced