Updated: 2024-05-11 GMT+08:00

WAF Security Log Center

The WAF Security Log Center dashboard mainly shows which websites were attacked, where the attacks came from, what types of attacks occurred, and how many attacks were blocked.

Prerequisites

Background

Web Application Firewall (WAF) inspects HTTP(S) requests to identify and block SQL injection, cross-site scripting (XSS), web shell upload, command/code injection, file inclusion, sensitive file access, exploitation of third-party application vulnerabilities, CC attacks (challenge collapsar, i.e. HTTP flood), malicious crawler scanning, cross-site request forgery (CSRF) and other attacks, keeping web services secure and stable.

Analyzing Attacks on Your Websites

  1. Log in to the LTS (Log Tank Service) console and choose "Dashboards" in the navigation pane on the left.
  2. Under the dashboard templates, choose "WAF Dashboard Templates > WAF Security Log Center" to open the dashboard and view its charts.

The key charts in the WAF Security Log Center dashboard and their query statements are described below. Most queries share two building blocks: the attacker address is taken from sip, falling back to remote_ip when sip is '-'; and compare(x, 86400) returns an array [current value, value for the same time range 86400 seconds (one day) earlier, current/previous], so diff[1] is the current value, diff[1] - diff[2] the absolute change and diff[3] - 1 the relative change (guarded against a zero previous value). The CASE expressions render counts with Chinese unit suffixes (次 = occurrences, 个 = items; 千, 百万, 十亿, 万亿 = thousand, million, billion, trillion); the column alias "攻击次数" means "attack count".

  • Attacked Websites: shows the number of attacked websites and the change against the same period one day earlier. Associated query:
    SELECT diff[1] AS "VALUE", COALESCE(diff[1] - diff[2], 0) AS "BEFORE"
    FROM (
      SELECT compare("DATA", 86400) AS diff
      FROM (
        SELECT count(DISTINCT "host") AS "DATA" FROM log
        WHERE action != ''
      )
    )
  • Attack Source Countries: shows how many distinct countries the attacking IP addresses belong to, and the change against the same period one day earlier. Associated query:
    SELECT diff[1] AS "VALUE", COALESCE(diff[1] - diff[2], 0) AS "BEFORE"
    FROM (
      SELECT compare("DATA", 86400) AS diff
      FROM (
        SELECT count(DISTINCT ip_to_country(CASE WHEN sip = '-' THEN remote_ip ELSE sip END)) AS "DATA" FROM log
        WHERE action != ''
      )
    )
  • Web Attack Blocking: shows the number of Web attacks blocked in the selected time range and the change against the same period one day earlier. Note that this template query counts records whose action is empty (action = ''), which is the opposite of the filter used by the Attack Blocking chart; check it against the action values in your WAF logs before relying on the figure. Associated query:
    SELECT
      CASE
        WHEN diff[1] < 1000 THEN concat(cast(diff[1] AS VARCHAR), ' 次')
        WHEN diff[1] < 1000 * 1000 THEN concat(cast(round(diff[1] / 1000.0, 1) AS VARCHAR), ' 千次')
        WHEN diff[1] < 1000000000 THEN concat(cast(round(diff[1] / 1000000.0, 1) AS VARCHAR), ' 百万次')
        WHEN diff[1] / 1000.0 < 1000000000 THEN concat(cast(round(diff[1] / 1000.0 / 1000000, 1) AS VARCHAR), ' 十亿次')
        ELSE concat(cast(round(diff[1] / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR), ' 万亿次')
      END AS "value",
      CASE WHEN diff[2] = 0 THEN 0 ELSE round(diff[3] - 1, 2) END AS ratio
    FROM (
      SELECT compare("data", 86400) AS diff
      FROM (SELECT count(1) AS "data" FROM log WHERE action = '')
    )
  • CC Attack Blocking: shows the number of CC attack requests in the time range and the change against the same period one day earlier; the filter attack != 'default' counts every record whose attack type is not the default (non-attack) value. Associated query:
    SELECT
      CASE
        WHEN diff[1] < 1000 THEN concat(cast(diff[1] AS VARCHAR), ' 次')
        WHEN diff[1] < 1000 * 1000 THEN concat(cast(round(diff[1] / 1000.0, 1) AS VARCHAR), ' 千次')
        WHEN diff[1] < 1000000000 THEN concat(cast(round(diff[1] / 1000000.0, 1) AS VARCHAR), ' 百万次')
        WHEN diff[1] / 1000.0 < 1000000000 THEN concat(cast(round(diff[1] / 1000.0 / 1000000, 1) AS VARCHAR), ' 十亿次')
        ELSE concat(cast(round(diff[1] / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR), ' 万亿次')
      END AS "value",
      CASE WHEN diff[2] = 0 THEN 0 ELSE round(diff[3] - 1, 2) END AS ratio
    FROM (
      SELECT compare("data", 86400) AS diff
      FROM (SELECT count(1) AS "data" FROM log WHERE attack != 'default')
    )
  • Attacker UV: shows the number of distinct attackers, i.e. unique source addresses (sip, or remote_ip when sip is '-'), and the change against the same period one day earlier. This query applies no action filter, so it counts every distinct client seen in the logs. Associated query:
    SELECT
      CASE
        WHEN diff[1] < 1000 THEN concat(cast(cast(diff[1] AS INTEGER) AS VARCHAR), ' 个')
        WHEN diff[1] < 1000 * 1000 THEN concat(cast(round(diff[1] / 1000.0, 1) AS VARCHAR), ' 千个')
        WHEN diff[1] < 1000000000 THEN concat(cast(round(diff[1] / 1000000.0, 1) AS VARCHAR), ' 百万个')
        WHEN diff[1] / 1000.0 < 1000000000 THEN concat(cast(round(diff[1] / 1000.0 / 1000000, 1) AS VARCHAR), ' 十亿')
        ELSE concat(cast(round(diff[1] / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR), ' 万亿')
      END AS "value",
      CASE WHEN diff[2] = 0 THEN 0 ELSE round(diff[3] - 1, 2) END AS ratio
    FROM (
      SELECT compare("data", 86400) AS diff
      FROM (
        SELECT count(DISTINCT CASE WHEN sip = '-' THEN remote_ip ELSE sip END) AS "data"
        FROM log
      )
    )
  • Attack Blocking: shows the number of attacks handled in the selected time range (every record with a non-empty action) and the change against the same period one day earlier. Associated query:
    SELECT
      CASE
        WHEN diff[1] < 1000 THEN concat(cast(diff[1] AS VARCHAR), ' 次')
        WHEN diff[1] < 1000 * 1000 THEN concat(cast(round(diff[1] / 1000.0, 1) AS VARCHAR), ' 千次')
        WHEN diff[1] < 1000000000 THEN concat(cast(round(diff[1] / 1000000.0, 1) AS VARCHAR), ' 百万次')
        WHEN diff[1] / 1000.0 < 1000000000 THEN concat(cast(round(diff[1] / 1000.0 / 1000000, 1) AS VARCHAR), ' 十亿次')
        ELSE concat(cast(round(diff[1] / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR), ' 万亿次')
      END AS "value",
      CASE WHEN diff[2] = 0 THEN 0 ELSE round(diff[3] - 1, 2) END AS "ratio"
    FROM (
      SELECT compare("data", 86400) AS diff
      FROM (SELECT count(1) AS "data" FROM log WHERE action != '')
    )
  • CC Attack (China): shows the distribution of CC attack source IP addresses across provinces of China. Associated query:
    SELECT
      ip_to_province(CASE WHEN sip = '-' THEN remote_ip ELSE sip END) AS province,
      count(1) AS "攻击次数"
    FROM log
    WHERE attack != 'default' AND ip_to_country(CASE WHEN sip = '-' THEN remote_ip ELSE sip END) = '中国'
    GROUP BY province
  • Attack Type Distribution: shows the number of attacks per hour over time, broken down by the action WAF took (block, log only, CAPTCHA). The timestamp is truncated to the hour by subtracting its remainder modulo 3600000 ms. Associated query:
    SELECT
      time_format(MILLIS_TO_TIMESTAMP(TIMESTAMP_TO_MILLIS(__time) - MOD(TIMESTAMP_TO_MILLIS(__time), 3600000)), 'HH:mm') AS dt,
      count(1) AS cnt,
      CASE WHEN action = 'block' THEN '拦截' WHEN action = 'log' THEN '仅记录' WHEN action = 'captcha' THEN '人机验证' END AS attack
    FROM log
    WHERE action != ''
    GROUP BY TIMESTAMP_TO_MILLIS(__time) - MOD(TIMESTAMP_TO_MILLIS(__time), 3600000), attack
    ORDER BY cnt DESC
  • Web Attack (China): shows the distribution of blocked Web attack source IP addresses across provinces of China. Associated query:
    SELECT
      ip_to_province(CASE WHEN sip = '-' THEN remote_ip ELSE sip END) AS province,
      count(1) AS "攻击次数"
    FROM log
    WHERE action = 'block' AND ip_to_country(CASE WHEN sip = '-' THEN remote_ip ELSE sip END) = '中国'
    GROUP BY province
  • CC Attack (World): shows the distribution of CC attack source IP addresses by country worldwide. Associated query:
    SELECT
      ip_to_country(CASE WHEN sip = '-' THEN remote_ip ELSE sip END) AS country,
      count(1) AS "攻击次数"
    FROM log
    WHERE attack != 'default'
    GROUP BY country
  • Web Attack (World): shows the distribution of blocked Web attack source IP addresses by country worldwide. Associated query:
    SELECT
      ip_to_country(CASE WHEN sip = '-' THEN remote_ip ELSE sip END) AS country,
      count(1) AS "攻击次数"
    FROM log
    WHERE action = 'block'
    GROUP BY country
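The queries above are easiest to validate against concrete records. The following Python script is an added example, not code from this page or from the LTS/WAF product: it models the dashboard's building blocks over a handful of constructed WAF log records (the field names host, action, attack, sip, remote_ip and __time follow the queries above; the record layout, the one-hour dashboard time range and the sample values are assumptions), so you can check what compare(..., 86400), the sip/remote_ip fallback, the unit scaling and the hourly bucketing produce before trusting a chart.

```python
"""Offline model of the WAF Security Log Center dashboard queries.

Added example, not code from the page or from the LTS/WAF product. Over a
few constructed WAF log records it reproduces what the dashboard SQL does:
the attacker-IP fallback (sip, else remote_ip), the compare(..., 86400)
day-over-day window, the human-readable count scaling, and the hourly
bucketing of actions. Field names follow the queries on the page; the
record layout, time range and sample values are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 11, 12, 0, tzinfo=timezone.utc)  # end of the dashboard time range
RANGE = timedelta(hours=1)                                # assumed dashboard time range: last hour
SHIFT = timedelta(seconds=86400)                          # compare("DATA", 86400): same range one day earlier


def rec(offset_s, host, action, attack, sip, remote_ip):
    """Build one constructed log record; __time is offset_s seconds from NOW."""
    return {"__time": NOW + timedelta(seconds=offset_s), "host": host,
            "action": action, "attack": attack, "sip": sip, "remote_ip": remote_ip}


# Constructed sample data. sip == "-" means WAF recorded no client IP in sip, so the
# queries fall back to remote_ip, exactly like CASE WHEN sip = '-' THEN remote_ip ELSE sip END.
LOGS = [
    # current range (last hour)
    rec(-300,   "www.example.com",  "block",   "sqli",     "203.0.113.10", "198.51.100.1"),
    rec(-600,   "www.example.com",  "block",   "xss",      "-",            "198.51.100.2"),
    rec(-900,   "api.example.com",  "captcha", "cc",       "203.0.113.10", "198.51.100.1"),
    rec(-1200,  "api.example.com",  "",        "default",  "-",            "198.51.100.3"),  # normal request
    rec(-1500,  "shop.example.com", "log",     "webshell", "203.0.113.20", "198.51.100.1"),
    # same range one day earlier (what compare() looks at)
    rec(-86700, "www.example.com",  "block",   "sqli",     "203.0.113.10", "198.51.100.1"),
    rec(-87300, "www.example.com",  "",        "default",  "-",            "198.51.100.9"),
]


def attacker_ip(r):
    """CASE WHEN sip = '-' THEN remote_ip ELSE sip END."""
    return r["remote_ip"] if r["sip"] == "-" else r["sip"]


def in_range(logs, end, span=RANGE):
    """Records with end - span <= __time < end."""
    return [r for r in logs if end - span <= r["__time"] < end]


def compare(metric, logs, end=NOW):
    """Model of compare(x, 86400): [current, previous, current/previous].
    The SQL on the page checks diff[2] = 0 before using diff[3]; here the ratio is 0.0 in that case."""
    cur = metric(in_range(logs, end))
    prev = metric(in_range(logs, end - SHIFT))
    return [cur, prev, (cur / prev) if prev else 0.0]


# The per-chart aggregations (innermost SELECT of each dashboard query).
def attacked_hosts(rs):   # Attacked Websites: count(DISTINCT host) WHERE action != ''
    return len({r["host"] for r in rs if r["action"] != ""})

def attack_blocks(rs):    # Attack Blocking: count(1) WHERE action != ''
    return sum(1 for r in rs if r["action"] != "")

def cc_blocks(rs):        # CC Attack Blocking: count(1) WHERE attack != 'default'
    return sum(1 for r in rs if r["attack"] != "default")

def attacker_uv(rs):      # Attacker UV: count(DISTINCT attacker ip), no action filter
    return len({attacker_ip(r) for r in rs})


def humanize(n, unit="次"):
    """Same thresholds as the CASE expression in the dashboard, with float division throughout."""
    n = float(n)
    if n < 1e3:  return f"{int(n)} {unit}"
    if n < 1e6:  return f"{round(n / 1e3, 1)} 千{unit}"
    if n < 1e9:  return f"{round(n / 1e6, 1)} 百万{unit}"
    if n < 1e12: return f"{round(n / 1e9, 1)} 十亿{unit}"
    return f"{round(n / 1e12, 1)} 万亿{unit}"


ACTION_LABEL = {"block": "拦截", "log": "仅记录", "captcha": "人机验证"}

def hourly_by_action(logs, end=NOW, span=RANGE):
    """Attack Type Distribution: (HH:00 bucket, action label) -> count, action != '' only."""
    c = Counter()
    for r in in_range(logs, end, span):
        if r["action"] == "":
            continue
        bucket = r["__time"].replace(minute=0, second=0, microsecond=0).strftime("%H:%M")
        c[(bucket, ACTION_LABEL.get(r["action"], r["action"]))] += 1
    return dict(c)


if __name__ == "__main__":
    for name, m in [("attacked hosts", attacked_hosts), ("attack blocks", attack_blocks),
                    ("cc blocks", cc_blocks), ("attacker uv", attacker_uv)]:
        cur, prev, ratio = compare(m, LOGS)
        change = round(ratio - 1, 2) if prev else 0   # the dashboard's "ratio" column
        print(f"{name}: {humanize(cur)}  day-over-day change {change:+}")
    print(hourly_by_action(LOGS))
```

Running the script prints each metric in the dashboard's unit format together with its day-over-day change, then the hourly breakdown by action. ip_to_country and ip_to_province are not modelled, since they depend on the service's GeoIP data; the sample attacker 203.0.113.10 appears in both ranges with two different attack types, which is why Attacker UV counts it once while Attack Blocking counts it twice.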