文档首页/ 云防火墙 CFW/ API参考/ API/ 日志管理/ 查询攻击日志
更新时间:2024-10-31 GMT+08:00
在线调试
CLI示例
查看PDF
分享

查询攻击日志

功能介绍

查询攻击日志

调用方法

请参见如何调用API

URI

GET /v1/{project_id}/cfw/logs/attack

表1 路径参数

参数

是否必选

参数类型

描述

project_id

String

项目ID, 可以从调API处获取,也可以从控制台获取。项目ID获取方式
表2 Query参数

参数

是否必选

参数类型

描述

start_time

Long

开始时间,以毫秒为单位的时间戳,如1718936272648

end_time

Long

结束时间,以毫秒为单位的时间戳,如1718936272648

src_ip

String

源IP

src_port

Integer

源端口号

dst_ip

String

目的IP

dst_port

Integer

目的端口号

protocol

String

协议类型,包含TCP, UDP,ICMP,ICMPV6等。

app

String

规则应用类型包括:“HTTP”,"HTTPS","TLS1",“DNS”,“SSH”,“MYSQL”,“SMTP”,“RDP”,“RDPS”,“VNC”,“POP3”,“IMAP4”,“SMTPS”,“POP3S”,“FTPS”,“ANY”,“BGP”等。

log_id

String

文档ID,第一页为空,其他页不为空,其他页可取上一次查询最后一条数据的log_id

next_date

Long

下个日期,当是第一页时为空,不是第一页时不为空,其他页可取上一次查询最后一条数据的event_time

offset

Integer

偏移量:指定返回记录的开始位置,必须为数字,取值范围为大于0,首页时为空,非首页时不为空

limit

Integer

每页显示个数,范围为1-1024

fw_instance_id

String

防火墙id,可通过防火墙ID获取方式获取

action

String

动作包含permit,deny

direction

String

方向,包含in2out,out2in

attack_type

String

入侵事件类型

attack_rule

String

入侵事件规则

level

String

威胁等级,包括CRITICAL、HIGH、MEDIUM、LOW

enterprise_project_id

String

企业项目ID,用户根据组织规划企业项目,对应的ID为企业项目ID,可通过如何获取企业项目ID获取,用户未开启企业项目时为0

dst_host

String

目标主机

log_type

String

日志类型包括:internet,vpc,nat

attack_rule_id

String

入侵事件id

src_region_name

String

源region名称

dst_region_name

String

目的region名称

src_province_name

String

源省份名称

dst_province_name

String

目的省份名称

src_city_name

String

源城市名称

dst_city_name

String

目的城市名称

请求参数

表3 请求Header参数

参数

是否必选

参数类型

描述

X-Auth-Token

String

用户Token。可通过如何获取用户Token获取。

响应参数

状态码: 200

表4 响应Body参数

参数

参数类型

描述

data

data object

查询攻击日志返回值数据
表5 data

参数

参数类型

描述

total

Integer

返回攻击数据总数

limit

Integer

每页显示个数,范围为1-1024

records

Array of records objects

攻击日志记录列表
表6 records

参数

参数类型

描述

direction

String

方向,包含in2out,out2in

action

String

动作包含permit,deny

event_time

Long

事件时间,以毫秒为单位的时间戳,如1718936272648

attack_type

String

攻击类型

attack_rule

String

攻击规则

level

String

威胁等级,包括CRITICAL、HIGH、MEDIUM、LOW

source

String

来源

packet_length

Long

报文长度

attack_rule_id

String

攻击规则id

hit_time

Long

命中时间,以毫秒为单位的时间戳,如1718936272648

log_id

String

日志ID

src_ip

String

源IP

src_port

Integer

源端口

dst_ip

String

目的IP

dst_port

Integer

目的端口

protocol

String

协议类型,包含TCP, UDP,ICMP,ICMPV6等。

packet

String

攻击日志报文

app

String

规则应用类型包括:“HTTP”,"HTTPS","TLS1",“DNS”,“SSH”,“MYSQL”,“SMTP”,“RDP”,“RDPS”,“VNC”,“POP3”,“IMAP4”,“SMTPS”,“POP3S”,“FTPS”,“ANY”,“BGP”等。

packetMessages

Array of PacketMessage objects

攻击报文信息

src_region_id

String

源区域id

src_region_name

String

源区域名称

dst_region_id

String

目的区域id

dst_region_name

String

目的区域名称

src_province_id

String

源省份id

src_province_name

String

源省份名称

src_city_id

String

源城市id

src_city_name

String

源城市名称

dst_province_id

String

目的省份id

dst_province_name

String

目的省份名称

dst_city_id

String

目的城市id

dst_city_name

String

目的城市名称
表7 PacketMessage

参数

参数类型

描述

hex_index

String

16进制index

hexs

Array of strings

16进制数列

utf8_String

String

utf_8字符串

状态码: 400

表8 响应Body参数

参数

参数类型

描述

error_code

String

错误码

error_msg

String

错误描述

请求示例

查询项目id为9d80d070b6d44942af73c9c3d38e0429防火墙id为2af58b7c-893c-4453-a984-bdd9b1bd6318初始时间为1663567058000,结束时间为1664171765000的第一页数据,查询条数为10条

https://{Endpoint}/v1/9d80d070b6d44942af73c9c3d38e0429/cfw/logs/attack?fw_instance_id=2af58b7c-893c-4453-a984-bdd9b1bd6318&start_time=1663567058000&end_time=1664171765000&limit=10

响应示例

状态码: 200

查询攻击日志返回值

{
  "data" : {
    "limit" : 10,
    "records" : [ {
      "action" : "deny",
      "app" : "HTTP",
      "attack_rule" : "Tool Nmap Web Server Probe Detected",
      "attack_rule_id" : "336154",
      "attack_type" : "Web Attack",
      "direction" : "out2in",
      "dst_ip" : "100.95.148.49",
      "dst_port" : 8080,
      "event_time" : 1664146216000,
      "level" : "MEDIUM",
      "log_id" : "15591",
      "packet" : "+hZUZMhV+hY/AaHMCABFKABpXPNAADAGof1kVe6QZF+UMcTQH5B0wdaz888+uoAYAOVyNQAAAQEICjrmikVb9JLCR0VUIC9uaWNlJTIwcG9ydHMlMkMvVHJpJTZFaXR5LnR4dCUyZWJhayBIVFRQLzEuMA0KDQo=",
      "packetMessages" : [ {
        "hex_index" : "00000000",
        "hexs" : [ "fa", "16", "54", "64", "c8", "55", "fa", "16", "3f", "01", "a1", "cc", "08", "00", "45", "28" ],
        "utf8_String" : ".\u0016Td.U.\u0016?.....E("
      }, {
        "hex_index" : "00000010",
        "hexs" : [ "00", "69", "5c", "f3", "40", "00", "30", "06", "a1", "fd", "64", "55", "ee", "90", "64", "5f" ],
        "utf8_String" : ".i\\.@.0...dU.d_"
      }, {
        "hex_index" : "00000020",
        "hexs" : [ "94", "31", "c4", "d0", "1f", "90", "74", "c1", "d6", "b3", "f3", "cf", "3e", "ba", "80", "18" ],
        "utf8_String" : ".1..\u001F.t.ֳ..>..."
      }, {
        "hex_index" : "00000030",
        "hexs" : [ "00", "e5", "72", "35", "00", "00", "01", "01", "08", "0a", "3a", "e6", "8a", "45", "5b", "f4" ],
        "utf8_String" : "..r5......:.E[."
      }, {
        "hex_index" : "00000040",
        "hexs" : [ "92", "c2", "47", "45", "54", "20", "2f", "6e", "69", "63", "65", "25", "32", "30", "70", "6f" ],
        "utf8_String" : "..GET /nice%20po"
      }, {
        "hex_index" : "00000050",
        "hexs" : [ "72", "74", "73", "25", "32", "43", "2f", "54", "72", "69", "25", "36", "45", "69", "74", "79" ],
        "utf8_String" : "rts%2C/Tri%6Eity"
      }, {
        "hex_index" : "00000060",
        "hexs" : [ "2e", "74", "78", "74", "25", "32", "65", "62", "61", "6b", "20", "48", "54", "54", "50", "2f" ],
        "utf8_String" : ".txt%2ebak HTTP/"
      }, {
        "hex_index" : "00000070",
        "hexs" : [ "31", "2e", "30", "0d", "0a", "0d", "0a" ],
        "utf8_String" : "1.0\r.\r."
      } ],
      "packet_length" : 119,
      "protocol" : "TCP",
      "source" : "0",
      "src_ip" : "100.85.238.144",
      "src_port" : 50384,
      "src_province_id" : "source province id",
      "src_province_name" : "source province name",
      "src_city_id" : "source city id",
      "src_city_name" : "source city name",
      "dst_province_id" : "dst province id",
      "dst_province_name" : "dst province name",
      "dst_city_id" : "dst city id",
      "dst_city_name" : "dst city name"
    } ],
    "total" : 1
  }
}

状态码: 400

Bad Request

{
  "error_code" : "00500002",
  "error_msg" : "时间间距错误"
}

SDK代码示例

SDK代码示例如下。

Java

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
 
package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.cfw.v1.region.CfwRegion;
import com.huaweicloud.sdk.cfw.v1.*;
import com.huaweicloud.sdk.cfw.v1.model.*;


public class ListAttackLogsSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        CfwClient client = CfwClient.newBuilder()
                .withCredential(auth)
                .withRegion(CfwRegion.valueOf("<YOUR REGION>"))
                .build();
        ListAttackLogsRequest request = new ListAttackLogsRequest();
        try {
            ListAttackLogsResponse response = client.listAttackLogs(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

Python

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
 
# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkcfw.v1.region.cfw_region import CfwRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkcfw.v1 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = CfwClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(CfwRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = ListAttackLogsRequest()
        response = client.list_attack_logs(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

Go

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
 
package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    cfw "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cfw/v1"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cfw/v1/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cfw/v1/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")
    projectId := "{project_id}"

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        WithProjectId(projectId).
        Build()

    client := cfw.NewCfwClient(
        cfw.CfwClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.ListAttackLogsRequest{}
	response, err := client.ListAttackLogs(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

更多

更多编程语言的SDK代码示例,请参见API Explorer的代码示例页签,可生成自动对应的SDK代码示例。

状态码

状态码

描述

200

查询攻击日志返回值

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

500

Internal Server Error

错误码

请参见错误码

父主题: 日志管理

相关文档