Updated on 2024-02-05 GMT+08:00

Using LTS to Analyze How WAF Blocks Spring Core RCE Vulnerability in Real Time

After you authorize WAF to access Log Tank Service (LTS), you can use the attack logs recorded by LTS for quick and efficient real-time analysis, device O&M management, and analysis of service trends.

This topic walks you through how to enable LTS quick analysis for WAF attack logs and use the Spring rule ID to quickly query and analyze the logs of the blocked Spring Core RCE vulnerabilities.

Prerequisites

  • You have connected the website you want to protect to WAF.
  • You have enabled LTS for WAF logging.
  • You have obtained the Spring rule ID.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Management & Governance > Log Tank Service.

    Figure 1 Log stream name configured for attack logs

  4. In the log group list, expand the WAF log group and choose log stream attack.
  5. On the log stream details page, click in the upper right corner. On the page displayed, click the Cloud Structured Parsing tab.
  6. Select JSON for log structuring. Then, click Select from existing events and select a log in the dialog box displayed on the right.
  7. Click Intelligent Extraction to find the fields you want to analyze quickly. Enable these fields in the Quick Analysis column. After this, you can collect and analyze periodic logs.

    Figure 2 Log extraction field

  8. Find the category field, click in the Alias column, change the field name, and click to save the settings.

    The system already has a built-in category field, so you must change the alias of this category field. Otherwise, your settings cannot be saved.

  9. In the lower right corner of the list, click Save. LTS quickly analyzes and collects statistics on logs in the specified period.
  10. In the navigation pane on the left, choose Visualization. Enter the following command and click Query to view the logs of the blocked Spring Core RCE vulnerability.

    select rule, hit_data where rule IN('XX','XX','XX','XX')

    Figure 3 Visualization query
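
The same filter applied offline, as an added example that is not part of the original page: it reads JSON-structured attack log lines, keeps those whose rule is in a set of Spring rule IDs, and groups hit_data by rule. The rule IDs, sample log lines, and function names are constructed for illustration; only the rule, hit_data, and category field names come from the page.

```python
import json
from collections import defaultdict

# Constructed placeholder rule IDs; substitute the Spring rule IDs you obtained.
SPRING_RULE_IDS = {"900001", "900002"}

# Constructed sample of JSON-structured attack log lines (not real WAF output).
SAMPLE_LOGS = """\
{"rule": "900001", "hit_data": "sample-match-a", "category": "constructed"}
{"rule": 900002, "hit_data": "sample-match-b", "category": "constructed"}
{"rule": "123456", "hit_data": "unrelated-rule", "category": "constructed"}
not-json
{"rule": "900001", "hit_data": "sample-match-c", "category": "constructed"}
"""

def filter_spring_hits(lines, rule_ids):
    """Return (matches, skipped): records whose rule is in rule_ids,
    and the number of lines that could not be parsed as a JSON object."""
    wanted = {str(r) for r in rule_ids}
    matches, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(rec, dict):
            skipped += 1
            continue
        # Compare as strings so numeric and quoted rule IDs both match.
        if str(rec.get("rule")) in wanted:
            matches.append({"rule": str(rec["rule"]),
                            "hit_data": rec.get("hit_data")})
    return matches, skipped

def summarize(matches):
    """Group hit_data values by rule ID."""
    by_rule = defaultdict(list)
    for m in matches:
        by_rule[m["rule"]].append(m["hit_data"])
    return dict(by_rule)

if __name__ == "__main__":
    hits, bad = filter_spring_hits(SAMPLE_LOGS.splitlines(), SPRING_RULE_IDS)
    for rule, data in sorted(summarize(hits).items()):
        print(rule, len(data), data)
    print("unparseable lines:", bad)
```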