Using LTS to Analyze How WAF Blocks Spring Core RCE Vulnerability in Real Time
After WAF has been authorized to write its attack logs to Log Tank Service (LTS), you can use those logs for fast real-time analysis, O&M management, and service trend analysis.
This topic walks you through how to enable LTS quick analysis for WAF attack logs and how to use the Spring rule IDs to query and analyze the logs of blocked Spring Core RCE attacks.
- You have connected the website you want to protect to WAF.
- You have enabled LTS for WAF logging.
- You have obtained the rule IDs of the Spring Core RCE vulnerability from WAF.
- Log in to the management console.
- Click the region selector in the upper left corner of the management console and select a region or project.
- Click the service list icon in the upper left corner of the page and choose Management & Governance > Log Tank Service.
Figure 1 Log management page
- In the log group list, expand the WAF log group and choose the attack log stream.
- In the navigation pane on the left, choose Log Configuration. Then, click the Log Structuring tab.
Figure 2 Log Structuring
- Select JSON as the log structuring mode. Then, click Select from existing events and select a sample log in the dialog box displayed on the right.
- Click Intelligent Extraction to extract the fields from the sample log, and enable Quick Analysis for the fields you want to analyze (for this procedure, at least rule and hit_data). LTS then collects statistics on these fields for logs in the selected period.
Figure 3 Log extraction field
- Find the category field, click the edit icon in the Alias column, enter a different field name, and click the confirm icon to save the settings.
category is already a built-in field name in LTS, so the extracted category field must be given a different alias; otherwise, the settings cannot be saved.
- In the lower right corner of the list, click Save. LTS then quickly analyzes and collects statistics on logs in the specified period.
- In the navigation pane on the left, choose Visualization. Enter the following SQL statement and click Query to view the logs of blocked Spring Core RCE attacks. The statement runs against the selected log stream, so it needs no FROM clause, and the rule ID list must not end with a trailing comma:
select rule, hit_data where rule IN ('XX','XX','XX','XX')
Figure 4 Visualization query
- XX indicates a rule ID of the Spring Core RCE vulnerability. Obtain the rule IDs before you run the query; list every Spring rule ID, because the query returns only logs whose rule field exactly matches one of the listed IDs.
- The Visualization module is available only to whitelisted users in CN North-Beijing 4.
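The following added example (not Huawei Cloud WAF or LTS code) reproduces the query offline so you can check what the Visualization query will return before the structured fields are available, and build the IN list safely from a list of rule IDs. The field names rule, hit_data and category are the ones used above; action, sip, host and uri are assumed additional attack-log fields, the rule IDs are placeholders for the real Spring rule IDs, and every log line is constructed sample data.

```python
"""Offline replica of the LTS quick-analysis query for blocked Spring Core RCE hits.

Added example, not Huawei Cloud WAF or LTS code. rule, hit_data and category
are the field names the procedure uses; action, sip, host and uri are assumed
extra attack-log fields; the rule IDs are placeholders. All log lines are
constructed sample data.
"""
import json
from collections import Counter

# Placeholder rule IDs (assumption): substitute the real Spring rule IDs
# obtained from the WAF console.
SPRING_RULE_IDS = ["spring_rule_001", "spring_rule_002"]

# Constructed WAF attack-log events in the JSON shape that LTS structures.
# hit_data holds the request fragment the rule matched; values are samples.
_SAMPLE_EVENTS = [
    {"category": "attack", "rule": "spring_rule_001", "hit_data": "class.module.classLoader",
     "action": "block", "sip": "198.51.100.10", "host": "app.example.com", "uri": "/"},
    {"category": "attack", "rule": "sqli_rule_900", "hit_data": "1 or 1=1",
     "action": "block", "sip": "198.51.100.11", "host": "app.example.com", "uri": "/login"},
    {"category": "attack", "rule": "spring_rule_001", "hit_data": "class.module.classLoader.resources",
     "action": "block", "sip": "198.51.100.12", "host": "app.example.com", "uri": "/"},
    {"category": "attack", "rule": "spring_rule_002", "hit_data": "class.module.classLoader",
     "action": "block", "sip": "198.51.100.13", "host": "api.example.com", "uri": "/v1"},
]
# One deliberately malformed line, to exercise the parser's error path.
SAMPLE_LOG_LINES = [json.dumps(e) for e in _SAMPLE_EVENTS] + ["not a json line"]


def build_lts_query(rule_ids):
    """Build the LTS SQL statement from the page with a well-formed IN list.

    LTS SQL analysis runs against the selected log stream, so there is no
    FROM clause. Single quotes inside an ID are doubled so the literal stays
    valid, blank IDs are dropped, and the list never ends with a trailing comma.
    """
    ids = [str(r).strip() for r in rule_ids if str(r).strip()]
    if not ids:
        raise ValueError("at least one rule ID is required")
    quoted = ",".join("'" + r.replace("'", "''") + "'" for r in ids)
    return f"select rule, hit_data where rule IN ({quoted})"


def parse_events(lines):
    """Parse JSON log lines; return (events, number of lines that were skipped)."""
    events, skipped = [], 0
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if isinstance(obj, dict):
            events.append(obj)
        else:
            skipped += 1
    return events, skipped


def query_blocked(events, rule_ids):
    """Offline equivalent of the query: (rule, hit_data) rows for matching rules."""
    wanted = set(rule_ids)
    return [(e.get("rule"), e.get("hit_data")) for e in events if e.get("rule") in wanted]


def summarize(rows):
    """Hit count per rule, the view Quick Analysis gives on the rule field."""
    return Counter(rule for rule, _ in rows)


if __name__ == "__main__":
    print(build_lts_query(SPRING_RULE_IDS))
    events, skipped = parse_events(SAMPLE_LOG_LINES)
    rows = query_blocked(events, SPRING_RULE_IDS)
    for rule, hit in rows:
        print(rule, hit)
    print(dict(summarize(rows)), f"({skipped} unparseable line(s) skipped)")
```

The exact-match filter mirrors what the IN clause does in LTS: a rule ID that is missing from the list, or mistyped, silently drops those hits, which is why every Spring rule ID must be included.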