Updated on 2024-03-14 GMT+08:00

Using LTS to Analyze How WAF Blocks Spring Core RCE Vulnerability in Real Time

After you authorize WAF to access Log Tank Service (LTS), you can use the attack logs recorded by LTS for quick and efficient real-time analysis, device O&M management, and analysis of service trends.

This topic walks you through how to enable LTS quick analysis for WAF attack logs and use the Spring rule ID to quickly query and analyze the logs of the blocked Spring Core RCE vulnerabilities.

Prerequisites

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Management & Governance > Log Tank Service.
  4. In the log group list, expand the WAF log group and choose log stream attack.
  5. On the log stream details page, click in the upper right corner. On the page displayed, click the Cloud Structured Parsing tab.
  6. Select JSON for log structuring. Then, click Select from existing events and select a log in the dialog box displayed on the right.
  7. Click Intelligent Extraction to find the fields you want to analyze quickly. Enable these fields in the Quick Analysis column. After this, you can collect and analyze periodic logs.
  8. Find the category field, click in the Alias column, change the field name, and click to save the settings.

    The system already has a built-in category field, so you must change the alias of the category field. Otherwise, your settings cannot be saved.

  9. In the lower right corner of the list, click Save. LTS quickly analyzes and collects statistics on logs in the specified period.
  10. In the navigation pane on the left, choose Visualization. Enter the following command and click Query to view the logs of the blocked Spring Core RCE vulnerability.

    select rule, hit_data where rule IN('XX','XX','XX','XX')
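
The same rule-ID filter can be applied offline to attack logs exported as JSON lines, for example to count blocked requests per rule. The following is an added example, not part of the original guide: the rule IDs are placeholders, the sample log lines are constructed, and only the `rule` and `hit_data` field names come from the query above.

```python
import json
from collections import Counter, defaultdict

# Placeholder rule IDs: substitute the Spring rule IDs used in the console query.
SPRING_RULE_IDS = {"XX01", "XX02"}

# Constructed sample of exported attack-log lines (one JSON object per line).
SAMPLE_LOG = """\
{"rule": "XX01", "hit_data": "sample-match-a"}
{"rule": "XX02", "hit_data": "sample-match-b"}
{"rule": "9999", "hit_data": "unrelated-rule"}
not-a-json-line
{"rule": "XX01", "hit_data": "sample-match-a"}
{"hit_data": "event-without-rule-field"}
"""

def query_blocked(lines, rule_ids):
    """Return (rows, skipped): rows are (rule, hit_data) pairs whose rule ID
    is in rule_ids; skipped counts lines that are not JSON objects."""
    rows, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(event, dict):
            skipped += 1
            continue
        # Rule IDs may be exported as numbers or strings; compare as strings.
        rule = str(event.get("rule", ""))
        if rule in rule_ids:
            rows.append((rule, event.get("hit_data", "")))
    return rows, skipped

def summarize(rows):
    """Group matching rows by rule: hit count plus distinct hit_data values."""
    counts = Counter(rule for rule, _ in rows)
    samples = defaultdict(set)
    for rule, hit in rows:
        samples[rule].add(hit)
    return {r: {"hits": counts[r], "hit_data": sorted(samples[r])} for r in counts}

if __name__ == "__main__":
    rows, skipped = query_blocked(SAMPLE_LOG.splitlines(), SPRING_RULE_IDS)
    print(json.dumps(summarize(rows), indent=2), f"skipped={skipped}")
```

A non-zero skipped count means some exported lines could not be parsed, so the per-rule totals may undercount what the console query returns.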