I want to identify traffic patterns invoked by SQL injection (SQLi) and cross-site scripting (XSS) rules in AWS WAF.
Short description
To identify traffic patterns invoked by SQLi and XSS rules, create the AWS WAF rules and turn on AWS WAF logging for the web ACL. You can send AWS WAF logs to an Amazon CloudWatch Logs log group or to an Amazon Simple Storage Service (Amazon S3) bucket.
Resolution
AWS WAF logs record the request data that triggered SQLi and XSS rules in the terminatingRuleMatchDetails log field. Each entry gives the condition type (XSS or SQL_INJECTION), the inspected component of the request (location), and the matched data, which helps you troubleshoot false positives from SQLi and XSS rules. For more information, see Log fields and Log examples.
CloudWatch Logs Insights queries
If your AWS WAF logs are stored in Amazon CloudWatch Logs, you can use CloudWatch Logs Insights to run queries to identify traffic patterns.
Run a CloudWatch Logs Insights query with the terminatingRuleMatchDetails log field to identify traffic patterns. The following query returns the timestamp, the client IP address, the origin country, the details of the match, and the request ID:
fields @timestamp
# Pull the terminatingRuleMatchDetails array out of the raw JSON record
| parse @message ',"terminatingRuleMatchDetails":[*],' as terminatingRuleMatchData
# Keep only records whose match details come from an XSS or SQL_INJECTION condition
| filter (terminatingRuleMatchData like /XSS/ or terminatingRuleMatchData like /SQL/)
| display @timestamp, httpRequest.clientIp, httpRequest.country, terminatingRuleMatchData, httpRequest.requestId
| limit 100
Amazon Athena queries
If your AWS WAF logs are stored in Amazon S3, you can use Amazon Athena queries to identify traffic patterns.
Run an Amazon Athena query that unnests the terminatingRuleMatchDetails log field to identify traffic patterns. The following query returns the timestamp, the terminating rule ID and action, the request ID, the client IP address, the origin country, and the condition type, location, and matched data of each match:
SELECT
-- AWS WAF writes the timestamp in milliseconds since the epoch
to_iso8601(from_unixtime(timestamp / 1000)) as timestamp,
terminatingRuleId,
action,
httpRequest.requestId as RequestID,
httpRequest.clientIp as ClientIP,
httpRequest.country as Country,
termmatchrules.conditionType as ConditionType,
termmatchrules.location as Location,
termmatchrules.matchedData as MatchedData
FROM waf_logs
-- One output row per element of the terminatingRuleMatchDetails array
CROSS JOIN UNNEST(terminatingRuleMatchDetails) as t(termmatchrules)
WHERE termmatchrules.conditionType in ('XSS', 'SQL_INJECTION');
For more information, see What are my options to analyze AWS WAF logs stored in CloudWatch or Amazon S3?
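The following script is an added example, not part of the original article or of AWS's own tooling. It does offline what the CloudWatch Logs Insights and Athena queries above do in place: it reads AWS WAF log records (one JSON object per line, the format written to both destinations), flattens each terminatingRuleMatchDetails entry into one row with the request ID, client IP, country, condition type, location, and matched data, and then counts matches by condition type and location so that the inspection point producing most hits stands out during false-positive review. The log lines are constructed sample records with only the fields used here populated; the function names and the record values are assumptions for this example.

```python
"""Offline triage of AWS WAF log records for SQLi and XSS matches.

Added example: reproduces the fields selected by the Logs Insights and Athena
queries from newline-delimited JSON log records, e.g. a file downloaded from S3.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample AWS WAF log records (not real traffic). Field names follow
# the AWS WAF log format; only the fields this script reads are populated.
SAMPLE_LOG_LINES = [
    json.dumps({
        "timestamp": 1700000000000,
        "terminatingRuleId": "AWSManagedRulesSQLiRuleSet",
        "action": "BLOCK",
        "terminatingRuleMatchDetails": [
            {"conditionType": "SQL_INJECTION", "sensitivityLevel": "LOW",
             "location": "QUERY_STRING", "matchedData": ["'", "OR", "1=1"]}
        ],
        "httpRequest": {"clientIp": "198.51.100.7", "country": "US",
                        "uri": "/search", "requestId": "req-0001"},
    }),
    json.dumps({
        "timestamp": 1700000001500,
        "terminatingRuleId": "AWSManagedRulesCommonRuleSet",
        "action": "BLOCK",
        "terminatingRuleMatchDetails": [
            {"conditionType": "XSS", "location": "BODY",
             "matchedData": ["<script>"]}
        ],
        "httpRequest": {"clientIp": "203.0.113.42", "country": "DE",
                        "uri": "/comment", "requestId": "req-0002"},
    }),
    # Allowed request: terminatingRuleMatchDetails is empty, so it is skipped.
    json.dumps({
        "timestamp": 1700000002000,
        "terminatingRuleId": "Default_Action",
        "action": "ALLOW",
        "terminatingRuleMatchDetails": [],
        "httpRequest": {"clientIp": "192.0.2.9", "country": "FR",
                        "uri": "/", "requestId": "req-0003"},
    }),
]

INSPECTED_TYPES = ("XSS", "SQL_INJECTION")


def to_iso8601(ms: int) -> str:
    """Convert the millisecond epoch timestamp AWS WAF logs to ISO 8601 (UTC)."""
    secs, millis = divmod(ms, 1000)
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%S") + f".{millis:03d}Z"


def parse_waf_records(lines):
    """Parse newline-delimited JSON log records, ignoring blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def extract_matches(records, condition_types=INSPECTED_TYPES):
    """Flatten terminatingRuleMatchDetails into one row per match.

    This mirrors CROSS JOIN UNNEST in the Athena query: a record with several
    match entries yields several rows, and a record with none yields no row.
    """
    rows = []
    for rec in records:
        req = rec.get("httpRequest", {})
        for detail in rec.get("terminatingRuleMatchDetails") or []:
            if detail.get("conditionType") not in condition_types:
                continue
            rows.append({
                "timestamp": to_iso8601(rec["timestamp"]),
                "ruleId": rec.get("terminatingRuleId"),
                "action": rec.get("action"),
                "requestId": req.get("requestId"),
                "clientIp": req.get("clientIp"),
                "country": req.get("country"),
                "uri": req.get("uri"),
                "conditionType": detail["conditionType"],
                "location": detail.get("location"),
                # matchedData is the token list WAF matched; join it for display
                "matchedData": " ".join(detail.get("matchedData", [])),
            })
    return rows


def count_by_type_and_location(rows):
    """Count matches per (conditionType, location) to see where hits cluster."""
    return Counter((r["conditionType"], r["location"]) for r in rows)


def main():
    rows = extract_matches(parse_waf_records(SAMPLE_LOG_LINES))
    for r in rows:
        print(f'{r["timestamp"]} {r["clientIp"]:<15} {r["country"]} '
              f'{r["conditionType"]:<13} {r["location"]:<12} {r["uri"]:<10} '
              f'{r["matchedData"]!r} {r["requestId"]}')
    for (ctype, loc), n in count_by_type_and_location(rows).most_common():
        print(f"{ctype} in {loc}: {n}")


if __name__ == "__main__":
    main()
```

To run it against real logs, replace SAMPLE_LOG_LINES with the lines of a decompressed log object from the S3 bucket (or records exported from the log group); the per-location counts are usually the fastest way to see whether a burst of SQL_INJECTION matches comes from a single URI or header that legitimately carries SQL-like text and needs a scope-down exception.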
Related information
Analyzing AWS WAF Logs in Amazon CloudWatch Logs
How do I analyze AWS WAF logs in Amazon Athena?
How do I exclude specific URIs from XSS or SQLi inspection for HTTP requests in AWS WAF?