How do I identify traffic patterns invoked by SQLi and XSS rules in AWS WAF?

2 minute read
0

I want to identify traffic patterns invoked by SQL injection (SQLi) and cross-site scripting (XSS) rules in AWS WAF.

Short description

To identify traffic patterns invoked by SQLi and XSS rules, you can create AWS WAF rules and turn on AWS WAF logging. You can send AWS logs to a log group from Amazon CloudWatch Logs or an Amazon Simple Storage Service (Amazon S3) bucket.

Resolution

AWS WAF logs include the patterns that triggered SQLi and XSS rules in the terminatingRuleMatchDetails log field. This helps to troubleshoot SQLi and XSS rules false positives. For more information, see Log fields and Log examples.

CloudWatch Logs Insights queries

If your AWS WAF logs are stored in Amazon CloudWatch Logs, you can use CloudWatch Logs Insights to run queries to identify traffic patterns.

Run a CloudWatch Logs Insights query with the terminatingRuleMatchDetails log field to identify traffic patterns. The following query returns the timestamp, the client IP address, the origin country, the details of the match, and the request ID:

 fields @timestamp
| parse @message ',"terminatingRuleMatchDetails":[*],' as terminatingRuleMatchData
| filter (terminatingRuleMatchData like /XSS/ or terminatingRuleMatchData like /SQL/)
| display @timestamp, httpRequest.clientIp, httpRequest.country, terminatingRuleMatchData, httpRequest.requestId
| limit 100 

Amazon Athena queries

If your AWS WAF logs are stored in Amazon S3, you can use Amazon Athena queries to identify traffic patterns.

Run an Amazon Athena query with the terminatingRuleMatchDetails log field to identify traffic patterns. The following query returns the timestamp, the client IP address, the origin country, the details of the match, and the request ID:

SELECT
to_iso8601(from_unixtime(timestamp / 1000)) as timestamp,
terminatingRuleId,
action,
httpRequest.requestId as RequestID,
httpRequest.clientIp as ClientIP,
httpRequest.country as Country,
termmatchrules.conditionType as ConditionType,
termmatchrules.location as Location,
termmatchrules.matchedData as MatchedData
FROM waf_logs
CROSS JOIN UNNEST(terminatingRuleMatchDetails) as t(termmatchrules)
WHERE termmatchrules.conditionType in ('XSS', 'SQL_INJECTION')

For more information, see What are my options to analyze AWS WAF logs stored in CloudWatch or Amazon S3?

Related information

Analyzing AWS WAF Logs in Amazon CloudWatch Logs

How do I analyze AWS WAF logs in Amazon Athena?

How do I exclude specific URIs from XSS or SQLi inspection for HTTP requests in AWS WAF?

AWS OFFICIAL
AWS OFFICIALUpdated 4 months ago