How do I identify traffic patterns invoked by SQLi and XSS rules in AWS WAF?

2 minute read

I want to identify traffic patterns invoked by SQL injection (SQLi) and cross-site scripting (XSS) rules in AWS WAF.

Short description

To identify traffic patterns invoked by SQLi and XSS rules, you can create AWS WAF rules and turn on AWS WAF logging. You can send AWS logs to a log group from Amazon CloudWatch Logs or an Amazon Simple Storage Service (Amazon S3) bucket.

Resolution

AWS WAF logs include the patterns that triggered SQLi and XSS rules in the terminatingRuleMatchDetails log field. This helps to troubleshoot SQLi and XSS rules false positives. For more information, see Log fields and Log examples.

CloudWatch Logs Insights queries

If your AWS WAF logs are stored in Amazon CloudWatch Logs, you can use CloudWatch Logs Insights to run queries to identify traffic patterns.

Run a CloudWatch Logs Insights query with the terminatingRuleMatchDetails log field to identify traffic patterns. The following query returns the timestamp, the client IP address, the origin country, the details of the match, and the request ID:

 fields @timestamp
| parse @message ',"terminatingRuleMatchDetails":[*],' as terminatingRuleMatchData
| filter (terminatingRuleMatchData like /XSS/ or terminatingRuleMatchData like /SQL/)
| display @timestamp, httpRequest.clientIp, httpRequest.country, terminatingRuleMatchData, httpRequest.requestId
| limit 100

Amazon Athena queries

If your AWS WAF logs are stored in Amazon S3, you can use Amazon Athena queries to identify traffic patterns.

Run an Amazon Athena query with the terminatingRuleMatchDetails log field to identify traffic patterns. The following query returns the timestamp, the client IP address, the origin country, the details of the match, and the request ID:

SELECT
to_iso8601(from_unixtime(timestamp / 1000)) as timestamp,
terminatingRuleId,
action,
httpRequest.requestId as RequestID,
httpRequest.clientIp as ClientIP,
httpRequest.country as Country,
termmatchrules.conditionType as ConditionType,
termmatchrules.location as Location,
termmatchrules.matchedData as MatchedData
FROM waf_logs
CROSS JOIN UNNEST(terminatingRuleMatchDetails) as t(termmatchrules)
WHERE termmatchrules.conditionType in ('XSS', 'SQL_INJECTION')

For more information, see What are my options to analyze AWS WAF logs stored in CloudWatch or Amazon S3?

Related information

Analyzing AWS WAF Logs in Amazon CloudWatch Logs

How do I analyze AWS WAF logs in Amazon Athena?

How do I exclude specific URIs from XSS or SQLi inspection for HTTP requests in AWS WAF?

Topics

Security, Identity, & Compliance

Relevant content

AWS WAF rate based rule
Accepted Answer
Ravi Shanker
asked 8 months ago
Fix waf body size rules in my AWS accounts
rePost-User-1480947
asked a year ago
How to Configure AWS WAF Rules for Optimal Protection of a WhatsApp Bot-Based Front-End in AWS App Runner?
yann_stoneman
asked 6 months ago
identifying attacker IP in WAF overview.
Accepted Answer
Yousuf
asked a year ago
Breach of WAS WAF rate based rule by Attacker
Ravi Shanker
asked 7 months ago
How do I create an AWS WAF rule to prevent SQLi and XSS?
AWS OFFICIALUpdated 2 years ago
Why does AWS WAF block my legitimate upload request?
AWS OFFICIALUpdated 13 days ago
How do I exclude specific URIs from XSS or SQLi inspection for HTTP requests in AWS WAF?
AWS OFFICIALUpdated 2 months ago
How do I explicitly allow file uploads that an AWS WAF rule blocks without excluding the rule?
AWS OFFICIALUpdated a year ago
How can I send AWS WAF log to both CloudWatch logs and S3?
EXPERT
Lei Pei
published 6 days ago