Web Application Firewall:Examples of alert configurations based on WAF logs

Last Updated:Feb 05, 2024

This topic provides examples of alert configurations based on log query and analysis results in Web Application Firewall (WAF). You can add charts to custom dashboards and configure alerts based on the parameters in this topic.

Important

This topic describes the alert configuration parameters of the original alerting feature in Log Service. If you use the new alerting feature, you can configure alerts based on the query statements and parameter settings that are recommended in this topic and the description that is provided in Configure an alert monitoring rule in Simple Log Service.

Abnormal percentage of 4xx status codes

The following parameter settings are recommended for this type of alerting:

  • Chart Name: Percentage of 4xx status codes. Blocked requests are not counted.

  • Query Statement:

    user_id: ID of your Alibaba Cloud account
    and not real_client_ip: Blocked IP addresses |
    SELECT
      user_id,
      host AS "Domain name",
      Rate_2XX AS "Percentage of 2xx status codes",
      Rate_3XX AS "Percentage of 3xx status codes",
      Rate_4XX AS "Percentage of 4xx status codes",
      Rate_5XX AS "Percentage of 5xx status codes",
      countall / 300 AS "aveQPS",
      status_2XX,
      status_3XX,
      status_4XX,
      status_5XX,
      countall
    FROM(
        SELECT
          user_id,
          host,
          round(
            round(status_2XX * 1.0000 / countall, 4) * 100,
            2
          ) AS Rate_2XX,
          round(
            round(status_3XX * 1.0000 / countall, 4) * 100,
            2
          ) AS Rate_3XX,
          round(
            round (status_4XX * 1.0000 / countall, 4) * 100,
            2
          ) AS Rate_4XX,
          round(
            round(status_5XX * 1.0000 / countall, 4) * 100,
            2
          ) AS Rate_5XX,
          status_2XX,
          status_3XX,
          status_4XX,
          status_5XX,
          countall
        FROM(
            SELECT
              user_id,
              host,
              count_if(
                status >= 200
                and status < 300
              ) AS status_2XX,
              count_if(
                status >= 300
                and status < 400
              ) AS status_3XX,
              count_if(
                status >= 400
                and status < 500
                and status <> 444
                and status <> 405
              ) AS status_4XX,
              count_if(
                status >= 500
                and status < 600
              ) AS status_5XX,
              COUNT(*) AS countall
            FROM          log
            GROUP BY
              host,
              user_id
          )
      )
    WHERE
      countall > 120
    ORDER BY
      Rate_4XX DESC
    LIMIT
      5

    The chart contains the following fields: aveQPS, Percentage of 2xx status codes, Percentage of 3xx status codes, Percentage of 4xx status codes, and Percentage of 5xx status codes. aveQPS is the average QPS of the domain name over the 5-minute window, not the raw request count. So that the chart reflects status code changes caused by the backend rather than by WAF blocking, the 444 and 405 status codes that WAF returns when it blocks HTTP flood attacks or web attacks are not counted in Percentage of 4xx status codes; the blocked requests still count toward countall. You can select one or more of these fields to configure alerts. For example, aveQPS>10 && Percentage of 2xx status codes<60 triggers an alert if the QPS of a domain name exceeds 10 and fewer than 60% of its requests return a 2xx status code in the specified period.

  • Time Range: 5 minutes (relative)

  • Frequency: 5 minutes

  • Trigger Condition: $0.countall>3000&& $0.Percentage of 4xx status codes>80

  • Notification Triggering Threshold: 2

  • Notification Interval: 10 minutes

  • Content:

    - [Time]: ${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain name: ${Results[0].RawResults[0].Domain name}
    - Service: WAF
    - Requests in the last 5 minutes:${Results[0].RawResults[0].countall}
    - Percentage of 2xx status codes: ${Results[0].RawResults[0].Percentage of 2xx status codes} %
    - Percentage of 3xx status codes: ${Results[0].RawResults[0].Percentage of 3xx status codes} %
    - Percentage of 4xx status codes: ${Results[0].RawResults[0].Percentage of 4xx status codes} %
    - Percentage of 5xx status codes: ${Results[0].RawResults[0].Percentage of 5xx status codes} %

Abnormal percentage of 5xx status codes

The following parameter settings are recommended for this type of alerting:

  • Chart Name: Percentage of 5xx status codes

  • Query Statement:

    user_id: ID of your Alibaba Cloud account
    and not real_client_ip: Blocked IP addresses |
    select
      user_id,
      host AS "Domain name",
      Rate_2XX AS "Percentage of 2xx status codes",
      Rate_3XX AS "Percentage of 3xx status codes",
      Rate_4XX AS "Percentage of 4xx status codes",
      Rate_5XX AS "Percentage of 5xx status codes",
      countall AS "Requests in a specified relative time range",
      status_2XX,
      status_3XX,
      status_4XX,
      status_5XX,
      countall
    FROM(
        SELECT
          user_id,
          host,
          round(
            round(status_2XX * 1.0000 / countall, 4) * 100,
            2
          ) AS Rate_2XX,
          round(
            round(status_3XX * 1.0000 / countall, 4) * 100,
            2
          ) AS Rate_3XX,
          round(
            round (status_4XX * 1.0000 / countall, 4) * 100,
            2
          ) AS Rate_4XX,
          round(
            round(status_5XX * 1.0000 / countall, 4) * 100,
            2
          ) AS Rate_5XX,
          status_2XX,
          status_3XX,
          status_4XX,
          status_5XX,
          countall
        FROM(
            SELECT
              user_id,
              host,
              count_if(
                status >= 200
                and status < 300
              ) AS status_2XX,
              count_if(
                status >= 300
                and status < 400
              ) AS status_3XX,
              count_if(
                status >= 400
                and status < 500
              ) AS status_4XX,
              count_if(
                status >= 500
                and status < 600
              ) AS status_5XX,
              COUNT(*) AS countall
            FROM          log
            GROUP BY
              host,
              user_id
          )
      )
    WHERE
      countall > 120
    ORDER BY
      Rate_5XX DESC
    LIMIT
      5

  • Time Range: 5 minutes (relative)

  • Frequency: 5 minutes

  • Trigger Condition: $0.countall>3000&& $0.Percentage of 5xx status codes>80

  • Notification Triggering Threshold: 2

  • Notification Interval: 10 minutes

  • Content:

    - [Time]: ${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain name: ${Results[0].RawResults[0].Domain name}
    - Service: WAF
    - Requests in the last 5 minutes:${Results[0].RawResults[0].countall}
    - Percentage of 2xx status codes: ${Results[0].RawResults[0].Percentage of 2xx status codes} %
    - Percentage of 3xx status codes: ${Results[0].RawResults[0].Percentage of 3xx status codes} %
    - Percentage of 4xx status codes: ${Results[0].RawResults[0].Percentage of 4xx status codes} %
    - Percentage of 5xx status codes: ${Results[0].RawResults[0].Percentage of 5xx status codes} %
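
    The following Python script is an added example, not code from this topic or from Alibaba Cloud: it replays the logic of the two status-code queries above over constructed log records, computing the per-host percentages with the same rounding, applying the WHERE, ORDER BY and LIMIT clauses that decide which rows the alert evaluates, and then checking the trigger condition. The host names, status counts and window sequence are invented, and modelling Notification Triggering Threshold as the number of consecutive windows in which the condition holds is an assumption of the example.

```python
"""Added example, not code from the Alibaba Cloud WAF page: replays the
status-code alert logic of the 4xx and 5xx queries above over constructed
WAF log records so the thresholds can be sanity-checked offline."""
from collections import defaultdict

# Codes WAF itself returns for blocked requests; the 4xx query excludes them
# from the 4xx count (but not from countall) so the chart reflects the backend.
WAF_BLOCK_CODES = {444, 405}
WINDOW_SECONDS = 300       # Time Range: 5 minutes (relative)
MIN_REQUESTS = 120         # WHERE countall > 120
TRIGGER_REQUESTS = 3000    # $0.countall>3000
TRIGGER_RATE = 80.0        # $0.Percentage of Nxx status codes>80


def make_window(spec):
    """Synthetic window: {(host, status): count} -> list of log records."""
    return [{"host": h, "status": s} for (h, s), n in spec.items() for _ in range(n)]


def status_rates(logs, exclude_waf_blocks=True):
    """Per-host counts and percentages, mirroring the nested SELECTs.
    exclude_waf_blocks=True reproduces the 4xx query, False the 5xx query."""
    counts = defaultdict(lambda: {"2xx": 0, "3xx": 0, "4xx": 0, "5xx": 0, "countall": 0})
    for rec in logs:
        row, s = counts[rec["host"]], rec["status"]
        row["countall"] += 1
        if 200 <= s < 300:
            row["2xx"] += 1
        elif 300 <= s < 400:
            row["3xx"] += 1
        elif 400 <= s < 500:
            if not (exclude_waf_blocks and s in WAF_BLOCK_CODES):
                row["4xx"] += 1
        elif 500 <= s < 600:
            row["5xx"] += 1
    result = {}
    for host, row in counts.items():
        total = row["countall"]
        # round(round(status_Nxx * 1.0000 / countall, 4) * 100, 2) from the query
        rates = {f"rate_{k}": round(round(row[k] / total, 4) * 100, 2)
                 for k in ("2xx", "3xx", "4xx", "5xx")}
        result[host] = {**row, **rates, "aveQPS": total // WINDOW_SECONDS}
    return result


def fired_hosts(logs, rate_key, exclude_waf_blocks=True):
    """Hosts satisfying the Trigger Condition in one window. The alert only
    sees the query's result rows, so WHERE countall > 120 and
    ORDER BY rate DESC LIMIT 5 are applied first."""
    rows = status_rates(logs, exclude_waf_blocks)
    top5 = sorted(((h, r) for h, r in rows.items() if r["countall"] > MIN_REQUESTS),
                  key=lambda hr: hr[1][rate_key], reverse=True)[:5]
    return [h for h, r in top5
            if r["countall"] > TRIGGER_REQUESTS and r[rate_key] > TRIGGER_RATE]


def notifications(windows, rate_key, threshold=2, exclude_waf_blocks=True):
    """Notification Triggering Threshold, modelled here (assumption) as the
    number of consecutive windows the condition must hold. Returns
    [(window_index, host)]; Notification Interval is not modelled."""
    streak, notified = defaultdict(int), []
    for i, logs in enumerate(windows):
        fired = set(fired_hosts(logs, rate_key, exclude_waf_blocks))
        for host in set(streak) | fired:
            streak[host] = streak[host] + 1 if host in fired else 0
            if streak[host] >= threshold:
                notified.append((i, host))
    return notified


# Constructed 5-minute windows (not captured WAF logs).
BUSY = make_window({
    ("login.example.com", 403): 3400, ("login.example.com", 200): 500,
    ("login.example.com", 444): 100,          # HTTP flood blocks by WAF
    ("api.example.com", 503): 3000, ("api.example.com", 200): 500,
    ("api.example.com", 301): 100,
    ("shop.example.com", 200): 3000, ("shop.example.com", 404): 200,
    ("dev.example.com", 500): 100,            # below the 120-request floor
})
QUIET = make_window({("login.example.com", 200): 4000, ("api.example.com", 200): 4000})

if __name__ == "__main__":
    print(fired_hosts(BUSY, "rate_4xx"))                            # ['login.example.com']
    print(fired_hosts(BUSY, "rate_5xx", exclude_waf_blocks=False))  # ['api.example.com']
    print(notifications([BUSY, BUSY, QUIET, BUSY], "rate_4xx"))     # [(1, 'login.example.com')]
```

    Running it reports login.example.com for the 4xx alert (the 100 requests that WAF answered with 444 sit in countall but not in the 4xx count, so the rate is 85% rather than 87.5%), api.example.com for the 5xx alert, and a notification for login.example.com only in the second of two consecutive busy windows; dev.example.com never appears because it stays under the 120-request floor.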

Abnormal QPS

The following parameter settings are recommended for this type of alerting:

  • Chart Name: Top 5 domain names that have the highest QPS

  • Query Statement:

    user_id: ID of your Alibaba Cloud account
    and not real_client_ip: Blocked IP addresses |
    SELECT
      user_id,
      host,
      Rate_2XX,
      Rate_3XX,
      Rate_4XX,
      Rate_5XX,
      countall / 60 as "aveQPS",
      status_2XX,
      status_3XX,
      status_4XX,
      status_5XX,
      countall
    FROM(
        SELECT
          user_id,
          host,
          round(
            round(status_2XX * 1.0000 / countall, 4) * 100,
            2
          ) as Rate_2XX,
          round(
            round(status_3XX * 1.0000 / countall, 4) * 100,
            2
          ) as Rate_3XX,
          round(
            round (status_4XX * 1.0000 / countall, 4) * 100,
            2
          ) as Rate_4XX,
          round(
            round(status_5XX * 1.0000 / countall, 4) * 100,
            2
          ) as Rate_5XX,
          status_2XX,
          status_3XX,
          status_4XX,
          status_5XX,
          countall
        FROM(
            SELECT
              user_id,
              host,
              count_if(
                status >= 200
                and status < 300
              ) as status_2XX,
              count_if(
                status >= 300
                and status < 400
              ) as status_3XX,
              count_if(
                status >= 400
                and status < 500
                and status <> 444
                and status <> 405
              ) as status_4XX,
              count_if(
                status >= 500
                and status < 600
              ) as status_5XX,
              COUNT(*) as countall
            FROM          log
            GROUP BY
              host,
              user_id
          )
      )
    WHERE
      countall > 120
    ORDER BY
      aveQPS DESC
    LIMIT
      5

  • Time Range: 1 minute (relative)

  • Frequency: 1 minute

  • Trigger Condition: $0.aveQPS>=50

  • Notification Triggering Threshold: 1

  • Notification Interval: 5 minutes

  • Content:

    - [Time]: ${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain name: ${Results[0].RawResults[0].host}
    - Service: WAF
    - Average QPS in the last 1 minute: ${Results[0].RawResults[0].aveQPS}
    - Percentage of 2xx status codes: ${Results[0].RawResults[0].Rate_2XX}%
    - Percentage of 3xx status codes: ${Results[0].RawResults[0].Rate_3XX}%
    - Percentage of 4xx status codes: ${Results[0].RawResults[0].Rate_4XX}%
    - Percentage of 5xx status codes: ${Results[0].RawResults[0].Rate_5XX}%

Abrupt increase in QPS

The following parameter settings are recommended for this type of alerting:

  • Chart Name: Abrupt increase in QPS

  • Query Statement:

    user_id: ID of your Alibaba Cloud account |
    SELECT
      t1.user_id,
      t1.now1mQPS,
      t1.past1mQPS,
      in_ratio,
      t1.host,
      t2.Rate_2XX,
      Rate_3XX,
      Rate_4XX,
      Rate_5XX,
      aveQPS
    FROM  (
        (
          SELECT
            user_id,
            round(c [1] / 60, 0) AS now1mQPS,
            round(c [2] / 60, 0) AS past1mQPS,
            round(
              round(c [1] / 60, 0) / round(c [2] / 60, 0) * 100 -100,
              0
            ) AS in_ratio,
            host
          FROM        (
              SELECT
                compare(t, 60) AS c,
                host,
                user_id
              FROM            (
                  SELECT
                    COUNT(*) AS t,
                    host,
                    user_id
                  FROM                log
                  GROUP by
                    host,
                    user_id
                )
              GROUP by
                host,
                user_id
            )
          WHERE
            c [3] > 1.1
            and (
              c [1] > 180
              or c [2] > 180
            )
        ) t1
        JOIN (
          SELECT
            user_id,
            host,
            Rate_2XX,
            Rate_3XX,
            Rate_4XX,
            Rate_5XX,
            countall / 60 AS "aveQPS",
            status_2XX,
            status_3XX,
            status_4XX,
            status_5XX,
            countall
          FROM        (
              SELECT
                user_id,
                host,
                round(
                  round(status_2XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_2XX,
                round(
                  round(status_3XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_3XX,
                round(
                  round(status_4XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_4XX,
                round(
                  round(status_5XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_5XX,
                status_2XX,
                status_3XX,
                status_4XX,
                status_5XX,
                countall
              FROM            (
                  SELECT
                    user_id,
                    host,
                    count_if(
                      status >= 200
                      and status < 300
                    ) AS status_2XX,
                    count_if(
                      status >= 300
                      and status < 400
                    ) AS status_3XX,
                    count_if(
                      status >= 400
                      and status < 500
                      and status <> 444
                      and status <> 405
                    ) AS status_4XX,
                    count_if(
                      status >= 500
                      and status < 600
                    ) AS status_5XX,
                    COUNT(*) AS countall
                  FROM                log
                  GROUP BY
                    host,
                    user_id
                )
            )
          WHERE
            countall > 1
        ) t2 on t1.host = t2.host
      )
    ORDER BY
      in_ratio DESC
    LIMIT
      5

    The chart contains the following fields: now1mqps, past1mqps, in_ratio, and host. compare(t, 60) returns an array whose first element is the request count of the current minute, whose second element is the request count of the minute 60 seconds earlier, and whose third element is the ratio of the first to the second. now1mqps and past1mqps divide the first two elements by 60, and in_ratio is the resulting percentage increase in QPS. Hosts with no more than 180 requests in both minutes are filtered out so that a near-zero baseline cannot produce a huge ratio. You can select one or more of these fields to configure alerts.

  • Time Range: 1 minute (relative)

  • Frequency: 1 minute

  • Trigger Condition: $0.now1mqps>50&& $0.in_ratio>300

  • Notification Triggering Threshold: 1

  • Notification Interval: 5 minutes

  • Content:

    - [Time]: ${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain name: ${Results[0].RawResults[0].host}
    - Service: WAF
    - Average QPS in the last 1 minute: ${Results[0].RawResults[0].now1mqps}
    - Abrupt increase rate of QPS: ${Results[0].RawResults[0].in_ratio}%
    - Percentage of 2xx status codes: ${Results[0].RawResults[0].rate_2xx}%
    - Percentage of 3xx status codes: ${Results[0].RawResults[0].rate_3xx}%
    - Percentage of 4xx status codes: ${Results[0].RawResults[0].rate_4xx}%
    - Percentage of 5xx status codes: ${Results[0].RawResults[0].rate_5xx}%

Abrupt decrease in QPS

The following parameter settings are recommended for this type of alerting:

  • Chart Name: Abrupt decrease in QPS

  • Query Statement:

    user_id: ID of your Alibaba Cloud account |
    SELECT
      t1.user_id,
      t1.now1mQPS,
      t1.past1mQPS,
      de_ratio,
      t1.host,
      t2.Rate_2XX,
      Rate_3XX,
      Rate_4XX,
      Rate_5XX,
      aveQPS
    FROM  (
        (
          SELECT
            user_id,
            round(c [1] / 60, 0) AS now1mQPS,
            round(c [2] / 60, 0) AS past1mQPS,
            round(
              100-round(c [1] / 60, 0) / round(c [2] / 60, 0) * 100,
              2
            ) AS de_ratio,
            host
          FROM        (
              SELECT
                compare(t, 60) AS c,
                host,
                user_id
              FROM            (
                  SELECT
                    COUNT(*) AS t,
                    host,
                    user_id
                  FROM                log
                  GROUP BY
                    host,
                    user_id
                )
              GROUP BY
                host,
                user_id
            )
          WHERE
            c [3] < 0.9
            AND (
              c [1] > 180
              or c [2] > 180
            )
        ) t1
        JOIN (
          SELECT
            user_id,
            host,
            Rate_2XX,
            Rate_3XX,
            Rate_4XX,
            Rate_5XX,
            countall / 60 AS "aveQPS",
            status_2XX,
            status_3XX,
            status_4XX,
            status_5XX,
            countall
          FROM        (
              SELECT
                user_id,
                host,
                round(
                  round(status_2XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_2XX,
                round(
                  round(status_3XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_3XX,
                round(
                  round(status_4XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_4XX,
                round(
                  round(status_5XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_5XX,
                status_2XX,
                status_3XX,
                status_4XX,
                status_5XX,
                countall
              FROM            (
                  SELECT
                    user_id,
                    host,
                    count_if(
                      status >= 200
                      and status < 300
                    ) AS status_2XX,
                    count_if(
                      status >= 300
                      and status < 400
                    ) AS status_3XX,
                    count_if (
                      status >= 400
                      and status < 500
                      and status <> 444
                      and status <> 405
                    ) AS status_4XX,
                    count_if(
                      status >= 500
                      and status < 600
                    ) AS status_5XX,
                    COUNT(*) AS countall
                  FROM                log
                  GROUP BY
                    host,
                    user_id
                )
            )
          WHERE
            countall > 1
        ) t2 on t1.host = t2.host
      )
    ORDER BY
      de_ratio DESC
    LIMIT
      5

    The chart contains the following fields: now1mqps, past1mqps, de_ratio, and host. now1mqps is the average QPS of the current minute, past1mqps is the average QPS of the preceding minute (the minute that ended 60 seconds earlier), and de_ratio is the percentage decrease from past1mqps to now1mqps. You can select one or more of these fields to configure alerts.

  • Time Range: 1 minute (relative)

  • Frequency: 1 minute

  • Trigger Condition: $0.now1mqps>10&& $0.de_ratio>50

  • Notification Triggering Threshold: 2

  • Notification Interval: 5 minutes

  • Content:

    - [Time]: ${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain name: ${Results[0].RawResults[0].host}
    - Service: WAF
    - Average QPS in the last 1 minute: ${Results[0].RawResults[0].now1mqps}
    - Abrupt decrease rate of QPS: ${Results[0].RawResults[0].de_ratio}%
    - Percentage of 2xx status codes: ${Results[0].RawResults[0].rate_2xx}%
    - Percentage of 3xx status codes: ${Results[0].RawResults[0].rate_3xx}%
    - Percentage of 4xx status codes: ${Results[0].RawResults[0].rate_4xx}%
    - Percentage of 5xx status codes: ${Results[0].RawResults[0].rate_5xx}%
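
    The Python below is an added example and not code from this topic or from Alibaba Cloud. It reproduces what the two compare(t, 60) queries compute, for the increase and the decrease case, over constructed per-minute request counts, and makes the one case explicit that the SQL leaves implicit: a domain name with no traffic in the previous minute. That compare() returns a NULL ratio (None here) when the previous value is 0, rather than failing, is an assumption; the host names, timestamps and counts are invented.

```python
"""Added example, not code from the Alibaba Cloud WAF page: reproduces the
compare(t, 60) logic behind the 'Abrupt increase' and 'Abrupt decrease in
QPS' queries over constructed per-minute request counts, including a
previous minute with no traffic, which the SQL handles only implicitly."""
from collections import Counter

MIN_MINUTE_REQUESTS = 180   # WHERE c[1] > 180 or c[2] > 180


def compare_counts(now_count, past_count):
    """Stand-in for Simple Log Service compare(t, 60): [current, previous,
    current/previous]. Assumption: a zero previous value yields a NULL ratio
    (None here) rather than an error."""
    return [now_count, past_count, now_count / past_count if past_count else None]


def per_minute_counts(logs, minute_start):
    """Requests per host in [minute_start, minute_start + 60) from records
    shaped {"host": ..., "ts": epoch_seconds}."""
    return Counter(r["host"] for r in logs if minute_start <= r["ts"] < minute_start + 60)


def qps_changes(now_counts, past_counts):
    """Per host: now1mqps, past1mqps, in_ratio, de_ratio and the raw ratio,
    computed as the two queries do. Hosts at or below 180 requests in both
    minutes are dropped, as in their WHERE clause."""
    rows = {}
    for host in set(now_counts) | set(past_counts):
        c = compare_counts(now_counts[host], past_counts[host])
        if not (c[0] > MIN_MINUTE_REQUESTS or c[1] > MIN_MINUTE_REQUESTS):
            continue
        now_qps, past_qps = round(c[0] / 60), round(c[1] / 60)   # round(c[n] / 60, 0)
        row = {"now1mqps": now_qps, "past1mqps": past_qps, "ratio": c[2],
               "in_ratio": None, "de_ratio": None}
        if past_qps:   # the SQL divides by past1mQPS; guard the zero case explicitly
            row["in_ratio"] = round(now_qps / past_qps * 100 - 100)
            row["de_ratio"] = round(100 - now_qps / past_qps * 100, 2)
        rows[host] = row
    return rows


def abrupt_increase(rows):
    """c[3] > 1.1 in the query, then Trigger Condition now1mqps>50 && in_ratio>300."""
    return sorted(h for h, r in rows.items()
                  if r["ratio"] is not None and r["ratio"] > 1.1
                  and r["now1mqps"] > 50 and r["in_ratio"] is not None and r["in_ratio"] > 300)


def abrupt_decrease(rows):
    """c[3] < 0.9 in the query, then Trigger Condition now1mqps>10 && de_ratio>50."""
    return sorted(h for h, r in rows.items()
                  if r["ratio"] is not None and r["ratio"] < 0.9
                  and r["now1mqps"] > 10 and r["de_ratio"] is not None and r["de_ratio"] > 50)


# Constructed traffic: PAST is the minute 60 s before NOW (epoch seconds).
PAST, NOW = 1_700_000_000, 1_700_000_060


def synth(host, minute_start, n):
    """n synthetic requests for host spread over one minute."""
    return [{"host": host, "ts": minute_start + i % 60} for i in range(n)]


SAMPLE_LOGS = (
    synth("api.example.com", PAST, 1200) + synth("api.example.com", NOW, 6000)     # 20 -> 100 QPS
    + synth("shop.example.com", PAST, 3000) + synth("shop.example.com", NOW, 900)  # 50 -> 15 QPS
    + synth("blog.example.com", PAST, 600) + synth("blog.example.com", NOW, 660)   # 10 -> 11 QPS
    + synth("new.example.com", NOW, 6000)                                          # 0 -> 100 QPS
    + synth("dev.example.com", PAST, 60) + synth("dev.example.com", NOW, 120)      # under the floor
)


def sample_rows():
    """The page's query result for the constructed minute pair."""
    return qps_changes(per_minute_counts(SAMPLE_LOGS, NOW), per_minute_counts(SAMPLE_LOGS, PAST))


if __name__ == "__main__":
    rows = sample_rows()
    print(abrupt_increase(rows))   # ['api.example.com']; new.example.com has no baseline
    print(abrupt_decrease(rows))   # ['shop.example.com']
```

    new.example.com jumps from nothing to 100 QPS and is not reported, because in_ratio has no defined value without a baseline; if first-contact bursts matter, keep the absolute Abnormal QPS alert above alongside the ratio-based ones. dev.example.com is dropped by the 180-request floor even though its traffic doubled.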

Requests blocked by access control list (ACL) policies in the last 5 minutes

The following parameter settings are recommended for this type of alerting:

  • Chart Name: Requests blocked by ACL policies

  • Query Statement:

    user_id: ID of your Alibaba Cloud account |
    SELECT
      user_id,
      host,
      count_if(
        final_plugin = 'waf'
        AND final_action = 'block'
      ) AS "Requests blocked by the Protection Rules Engine",
      count_if(
        final_plugin = 'cc'
        AND final_action = 'block'
      ) AS "Requests blocked by HTTP flood protection policies",
      count_if(
        final_plugin = 'acl'
        AND final_action = 'block'
      ) AS "Requests blocked by ACL policies",
      count_if(
        final_plugin = 'antiscan'
        AND final_action = 'block'
      ) AS "Requests blocked by scan protection policies",
      count_if(
        (final_plugin = 'waf'
        AND final_action = 'block')
        OR (final_plugin = 'cc'
        AND final_action = 'block')
        OR (final_plugin = 'acl'
        AND final_action = 'block')
        OR (final_plugin = 'antiscan'
        AND final_action = 'block')
      ) AS totalblock
    GROUP BY
      host,
      user_id
    HAVING
      (
        "Requests blocked by ACL policies" >= 0
        AND "Requests blocked by the Protection Rules Engine" >= 0
        AND "Requests blocked by HTTP flood protection policies" >= 0
        AND "Requests blocked by scan protection policies" >= 0
        AND totalblock > 10
      )
    ORDER BY
      "Requests blocked by ACL policies" DESC
    LIMIT
      5

  • Time Range: 5 minutes (relative)

  • Frequency: 5 minutes

  • Trigger Condition: $0.totalblock>=500&&($0.Requests blocked by ACL policies>=500)

  • Notification Triggering Threshold: 1

  • Notification Interval: 5 minutes

  • Content:

    - [Time]: ${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain name: ${Results[0].RawResults[0].host}
    - Service: WAF
    - Requests that are blocked in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - Requests blocked by ACL policies: ${Results[0].RawResults[0].Requests blocked by ACL policies}
    - Requests blocked by the Protection Rules Engine: ${Results[0].RawResults[0].Requests blocked by the Protection Rules Engine}
    - Requests blocked by HTTP flood protection policies: ${Results[0].RawResults[0].Requests blocked by HTTP flood protection policies}
    - Requests blocked by scan protection policies: ${Results[0].RawResults[0].Requests blocked by scan protection policies}

Requests blocked by the Protection Rules Engine in the last 5 minutes

The following parameter settings are recommended for this type of alerting:

  • Chart Name: Requests blocked by the Protection Rules Engine

  • Query Statement:

    user_id: ID of your Alibaba Cloud account |
    SELECT
      user_id,
      host,
      count_if(
        final_plugin = 'waf'
        AND final_action = 'block'
      ) AS "Requests blocked by the Protection Rules Engine",
      count_if(
        final_plugin = 'cc'
        AND final_action = 'block'
      ) AS "Requests blocked by HTTP flood protection policies",
      count_if(
        final_plugin = 'acl'
        AND final_action = 'block'
      ) AS "Requests blocked by ACL policies",
      count_if(
        final_plugin = 'antiscan'
        AND final_action = 'block'
      ) AS "Requests blocked by scan protection policies",
      count_if(
        (final_plugin = 'waf'
        AND final_action = 'block')
        OR (final_plugin = 'cc'
        AND final_action = 'block')
        OR (final_plugin = 'acl'
        AND final_action = 'block')
        OR (final_plugin = 'antiscan'
        AND final_action = 'block')
      ) AS totalblock
    GROUP BY
      host,
      user_id
    HAVING
      (
        "Requests blocked by ACL policies" >= 0
        AND "Requests blocked by the Protection Rules Engine" >= 0
        AND "Requests blocked by HTTP flood protection policies" >= 0
        AND "Requests blocked by scan protection policies" >= 0
        AND totalblock > 10
      )
    ORDER BY
      "Requests blocked by the Protection Rules Engine" DESC
    LIMIT
      5

  • Time Range: 5 minutes (relative)

  • Frequency: 5 minutes

  • Trigger Condition: $0.totalblock>=500&&($0.Requests blocked by the Protection Rules Engine>=500)

  • Notification Triggering Threshold: 1

  • Notification Interval: 5 minutes

  • Content:

    - [Time]: ${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain name: ${Results[0].RawResults[0].host}
    - Service: WAF
    - Requests that are blocked in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - Requests blocked by ACL policies: ${Results[0].RawResults[0].Requests blocked by ACL policies}
    - Requests blocked by the Protection Rules Engine: ${Results[0].RawResults[0].Requests blocked by the Protection Rules Engine}
    - Requests blocked by HTTP flood protection policies: ${Results[0].RawResults[0].Requests blocked by HTTP flood protection policies}
    - Requests blocked by scan protection policies: ${Results[0].RawResults[0].Requests blocked by scan protection policies}

Requests blocked by HTTP flood protection policies in the last 5 minutes

The following parameter settings are recommended for this type of alerting:

  • Chart Name: Requests blocked by HTTP flood protection policies

  • Query Statement:

    user_id: ID of your Alibaba Cloud account |
    SELECT
      user_id,
      host,
      count_if(
        final_plugin = 'waf'
        AND final_action = 'block'
      ) AS "Requests blocked by the Protection Rules Engine",
      count_if(
        final_plugin = 'cc'
        AND final_action = 'block'
      ) AS "Requests blocked by HTTP flood protection policies",
      count_if(
        final_plugin = 'acl'
        AND final_action = 'block'
      ) AS "Requests blocked by ACL policies",
      count_if(
        final_plugin = 'antiscan'
        AND final_action = 'block'
      ) AS "Requests blocked by scan protection policies",
      count_if(
        (final_plugin = 'waf'
        AND final_action = 'block')
        OR (final_plugin = 'cc'
        AND final_action = 'block')
        OR (final_plugin = 'acl'
        AND final_action = 'block')
        OR (final_plugin = 'antiscan'
        AND final_action = 'block')
      ) AS totalblock
    GROUP BY
      host,
      user_id
    HAVING
      (
        "Requests blocked by ACL policies" >= 0
        AND "Requests blocked by the Protection Rules Engine" >= 0
        AND "Requests blocked by HTTP flood protection policies" >= 0
        AND "Requests blocked by scan protection policies" >= 0
        AND totalblock > 10
      )
    ORDER BY
      "Requests blocked by HTTP flood protection policies" DESC
    LIMIT
      5

  • Time Range: 5 minutes (relative)

  • Frequency: 5 minutes

  • Trigger Condition: $0.totalblock>=500&&($0.Requests blocked by HTTP flood protection policies>=500)

  • Notification Triggering Threshold: 1

  • Notification Interval: 5 minutes

  • Content:

    - [Time]: ${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain name: ${Results[0].RawResults[0].host}
    - Service: WAF
    - Requests that are blocked in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - Requests blocked by ACL policies: ${Results[0].RawResults[0].Requests blocked by ACL policies}
    - Requests blocked by the Protection Rules Engine: ${Results[0].RawResults[0].Requests blocked by the Protection Rules Engine}
    - Requests blocked by HTTP flood protection policies: ${Results[0].RawResults[0].Requests blocked by HTTP flood protection policies}
    - Requests blocked by scan protection policies: ${Results[0].RawResults[0].Requests blocked by scan protection policies}

Requests blocked by scan protection policies in the last 5 minutes

The following parameter settings are recommended for this type of alerting:

  • Chart Name: Requests blocked by scan protection policies

  • Query Statement:

    user_id: ID of your Alibaba Cloud account |
    SELECT
      user_id,
      host,
      count_if(
        final_plugin = 'waf'
        AND final_action = 'block'
      ) AS "Requests blocked by the Protection Rules Engine",
      count_if(
        final_plugin = 'cc'
        AND final_action = 'block'
      ) AS "Requests blocked by HTTP flood protection policies",
      count_if(
        final_plugin = 'acl'
        AND final_action = 'block'
      ) AS "Requests blocked by ACL policies",
      count_if(
        final_plugin = 'antiscan'
        AND final_action = 'block'
      ) AS "Requests blocked by scan protection policies",
      count_if(
        (final_plugin = 'waf'
        AND final_action = 'block')
        OR (final_plugin = 'cc'
        AND final_action = 'block')
        OR (final_plugin = 'acl'
        AND final_action = 'block')
        OR (final_plugin = 'antiscan'
        AND final_action = 'block')
      ) AS totalblock
    GROUP BY
      host,
      user_id
    HAVING
      (
        "Requests blocked by ACL policies" >= 0
        AND "Requests blocked by the Protection Rules Engine" >= 0
        AND "Requests blocked by HTTP flood protection policies" >= 0
        AND "Requests blocked by scan protection policies" >= 0
        AND totalblock > 10
      )
    ORDER BY
      "Requests blocked by scan protection policies" DESC
    LIMIT
      5

  • Time Range: 5 minutes (relative)

  • Frequency: 5 minutes

  • Trigger Condition: $0.totalblock>=500&&($0.Requests blocked by scan protection policies>=500)

  • Notification Triggering Threshold: 1

  • Notification Interval: 5 minutes

  • Content:

    - [Time]: ${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain name: ${Results[0].RawResults[0].host}
    - Service: WAF
    - Requests that are blocked in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - Requests blocked by ACL policies: ${Results[0].RawResults[0].Requests blocked by ACL policies}
    - Requests blocked by the Protection Rules Engine: ${Results[0].RawResults[0].Requests blocked by the Protection Rules Engine}
    - Requests blocked by HTTP flood protection policies: ${Results[0].RawResults[0].Requests blocked by HTTP flood protection policies}
    - Requests blocked by scan protection policies: ${Results[0].RawResults[0].Requests blocked by scan protection policies}

Attacks from a single IP address

The following parameter settings are recommended for this type of alerting:

  • Chart Name: Attacks from a single IP address

  • Query Statement:

    user_id: ID of your Alibaba Cloud account |
    SELECT
      user_id,
      real_client_ip,
      concat(
        'Requests blocked by ACL policies:',
        cast(aclblock AS varchar(10)),
        ' ',
        'Requests blocked by the Protection Rules Engine:',
        cast(wafblock AS varchar(10)),
        ' ',
        'Requests blocked by HTTP flood protection policies:',
        cast(ccblock AS varchar(10))
      ) AS blockNum,
      totalblock,
      allRequest
    FROM  (
        SELECT
          user_id,
          real_client_ip,
          count_if(
            final_plugin = 'acl'
            AND final_action = 'block'
          ) AS aclblock,
          count_if(
            final_plugin = 'waf'
            AND final_action = 'block'
          ) AS wafblock,
          count_if(
            final_plugin = 'cc'
            AND final_action = 'block'
          ) AS ccblock,
          count_if(
            (
              final_plugin = 'acl'
              AND final_action = 'block'
            )
            OR (
              final_plugin = 'waf'
              AND final_action = 'block'
            )
            OR (
              final_plugin = 'cc'
              AND final_action = 'block'
            )
          ) AS totalblock,
          COUNT(*) AS allRequest
        FROM      log
        GROUP BY
          user_id,
          real_client_ip
        HAVING
          totalblock > 1
        ORDER BY
          totalblock DESC
        LIMIT
          5
      )

    The chart contains the following fields: real_client_ip, blockNum, totalblock, and allRequest. blockNum includes Requests blocked by ACL policies, Requests blocked by the Protection Rules Engine, and Requests blocked by HTTP flood protection policies. real_client_ip indicates the IP address from which attacks are launched. totalblock indicates the total number of blocked requests. allRequest indicates the total number of requests. You can select one or more of these fields to configure alerts.

  • Time Range: 5 minutes (relative)

  • Frequency: 5 minutes

  • Trigger Condition: $0.totalblock >=500

  • Notification Triggering Threshold: 1

  • Notification Interval: 5 minutes

  • Content:

    - [Time]: ${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Service: WAF
    - Top 3 IP addresses from which attacks are most frequently launched in the last 5 minutes:
    - ${Results[0].RawResults[0].real_client_ip} (${Results[0].RawResults[0].blockNum})
    - ${Results[0].RawResults[1].real_client_ip} (${Results[0].RawResults[1].blockNum})
    - ${Results[0].RawResults[2].real_client_ip} (${Results[0].RawResults[2].blockNum})

Large number of domain names under attack from a single IP address

The following parameter settings are recommended for this type of alerting:

  • Chart Name: Large number of domain names attacked by a single IP address

  • Query Statement:

    user_id: ID of your Alibaba Cloud account |
    SELECT
      user_id,
      real_client_ip,
      totalblock,
      domainnum
    FROM  (
        SELECT
          user_id,
          real_client_ip,
          count_if(
            (
              final_plugin = 'acl'
              AND final_action = 'block'
            )
            OR (
              final_plugin = 'waf'
              AND final_action = 'block'
            )
            OR (
              final_plugin = 'cc'
              AND final_action = 'block'
            )
          ) AS totalblock,
          count(DISTINCT host) AS domainnum
        FROM      log
        GROUP BY
          user_id,
          real_client_ip
      )
    WHERE
      totalblock > 0
    ORDER BY
      domainnum DESC
    LIMIT
      5

    The chart contains the following fields: real_client_ip, totalblock, and domainnum. real_client_ip indicates the attack IP address. totalblock indicates the total number of blocked requests from that IP address. domainnum indicates the number of domain names that the IP address sent requests to. You can select one or more of these fields to configure alerts. For example, you can specify totalblock>500&& domainnum>5. If the number of blocked requests from an IP address exceeds 500 and the number of domain names under attack exceeds 5 in the specified time range, an alert is triggered.

  • Time Range: 5 minutes (relative)

  • Frequency: 1 minute

  • Trigger Condition: $0.domainnum>=10

  • Notification Triggering Threshold: 1

  • Notification Interval: 5 minutes

  • Content:

    - [Time]: ${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Service: WAF
    - Attack IP address: ${Results[0].RawResults[0].real_client_ip}
    - Attacked domain names: ${Results[0].RawResults[0].domainnum}
    - Attack requests in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - Handle the alert at the earliest opportunity.
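
The two per-IP charts above (top blocked IP addresses, and many domain names attacked from one IP address) share the same aggregation: group by user_id and real_client_ip, count blocks per plugin, and count distinct hosts. The following Python is an added example that replays that logic over constructed log records so the trigger conditions can be checked offline; it is not part of the original page and not Alibaba Cloud code. The record layout, the value "pass" for a non-blocked request, and the user_id are assumptions made for the sample.

```python
from collections import defaultdict

BLOCKING_PLUGINS = ("acl", "waf", "cc")


def _record(ip, host, plugin, action, user_id="1234567890"):
    # Constructed WAF log record (assumed layout) with only the fields the queries read.
    return {"user_id": user_id, "real_client_ip": ip, "host": host,
            "final_plugin": plugin, "final_action": action}


def constructed_logs():
    """Constructed sample traffic for one 5-minute window (not real WAF output)."""
    logs = []
    hosts = ["shop.example.com", "api.example.com", "www.example.com",
             "admin.example.com", "cdn.example.com", "login.example.com"]
    # 198.51.100.7: scanner spraying six domains, 600 blocks (300 acl, 200 waf, 100 cc).
    for i in range(600):
        plugin = "acl" if i < 300 else "waf" if i < 500 else "cc"
        logs.append(_record("198.51.100.7", hosts[i % len(hosts)], plugin, "block"))
    # 203.0.113.9: ten blocks and five passed requests against a single domain.
    logs += [_record("203.0.113.9", "www.example.com", "waf", "block") for _ in range(10)]
    logs += [_record("203.0.113.9", "www.example.com", "-", "pass") for _ in range(5)]
    # 192.0.2.1: one block only; HAVING totalblock > 1 drops it from the chart.
    logs.append(_record("192.0.2.1", "www.example.com", "cc", "block"))
    return logs


def aggregate_by_ip(logs):
    """One row per (user_id, real_client_ip): block counts per plugin, total blocks,
    total requests, and the number of distinct domain names (domainnum)."""
    stats = defaultdict(lambda: {"aclblock": 0, "wafblock": 0, "ccblock": 0,
                                 "totalblock": 0, "allRequest": 0, "hosts": set()})
    for rec in logs:
        s = stats[(rec["user_id"], rec["real_client_ip"])]
        s["allRequest"] += 1
        s["hosts"].add(rec["host"])
        if rec["final_action"] == "block" and rec["final_plugin"] in BLOCKING_PLUGINS:
            s[rec["final_plugin"] + "block"] += 1
            s["totalblock"] += 1
    rows = []
    for (user_id, ip), s in stats.items():
        row = {k: v for k, v in s.items() if k != "hosts"}
        row.update(user_id=user_id, real_client_ip=ip, domainnum=len(s["hosts"]))
        rows.append(row)
    return rows


def top_blocked_ips(logs, limit=5):
    """HAVING totalblock > 1 ORDER BY totalblock DESC LIMIT 5."""
    rows = [r for r in aggregate_by_ip(logs) if r["totalblock"] > 1]
    rows.sort(key=lambda r: r["totalblock"], reverse=True)
    return rows[:limit]


def block_summary(row):
    """The concatenated blockNum string shown in the alert content."""
    return ("Requests blocked by ACL policies:%d "
            "Requests blocked by the Protection Rules Engine:%d "
            "Requests blocked by HTTP flood protection policies:%d"
            % (row["aclblock"], row["wafblock"], row["ccblock"]))


def fires_total_block_alert(row, threshold=500):
    """Trigger condition of the top-attacker chart: $0.totalblock >= 500."""
    return row["totalblock"] >= threshold


def fires_multi_domain_alert(row, block_threshold=500, domain_threshold=5):
    """Condition suggested for the multi-domain chart: totalblock>500 && domainnum>5."""
    return row["totalblock"] > block_threshold and row["domainnum"] > domain_threshold


if __name__ == "__main__":
    for row in top_blocked_ips(constructed_logs()):
        print(row["real_client_ip"], row["totalblock"], row["domainnum"],
              fires_total_block_alert(row), fires_multi_domain_alert(row))
        print("  ", block_summary(row))
```

Only 198.51.100.7 satisfies either condition in the sample: 203.0.113.9 has too few blocks, and 192.0.2.1 never reaches the chart because of the HAVING clause. domainnum is counted over every request from the IP address, not only blocked ones, which matches the query's GROUP BY without a block filter on host.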

Abnormal average latency in the last 5 minutes

The following parameter settings are recommended for this type of alerting:

  • Chart Name: Abnormal average latency

  • Query Statement:

    user_id: ID of your Alibaba Cloud account
    and not upstream_status :504
    and not upstream_addr :'-'
    and request_time_msec < 5000
    and upstream_status :200
    and not ua_browser :bot |
    SELECT
      user_id,
      host,
      upstream_time,
      request_time,
      requestnum
    FROM  (
        SELECT
          user_id,
          host,
          round(avg(upstream_response_time) * 1000, 2) AS upstream_time,
          round(avg(request_time_msec), 2) AS request_time,
          COUNT(*) AS requestnum
        FROM      log
        GROUP BY
          host,
          user_id
      )
    WHERE
      requestnum > 30
    ORDER BY
      request_time DESC
    LIMIT
      5

  • Time Range: 5 minutes (relative)

  • Frequency: 5 minutes

  • Trigger Condition: $0.request_time>1000&& $0.requestnum>30

  • Notification Triggering Threshold: 2

  • Notification Interval: 10 minutes

  • Content:

    - [Time]: ${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain name: ${Results[0].RawResults[0].host}
    - Service: WAF (International)
    - [Trigger Condition]: ${condition}
    - Top 3 domain names that have the longest latency in the last 5 minutes. Unit of latency: milliseconds.
    - Host1:${Results[0].RawResults[0].host} Delay_time:${Results[0].RawResults[0].upstream_time} 
    - Host2:${Results[0].RawResults[1].host} Delay_time:${Results[0].RawResults[1].upstream_time} 
    - Host3:${Results[0].RawResults[2].host} Delay_time:${Results[0].RawResults[2].upstream_time}
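
The search part of the latency query drops origin timeouts, requests that never reached an upstream, outliers above 5 seconds, and crawler traffic before the per-host averages are taken, and upstream_response_time (seconds) has to be converted to milliseconds to sit beside request_time_msec. The Python below is an added example, not code from the page or from Alibaba Cloud, that applies the same filter and aggregation to constructed records and evaluates the trigger condition. The record layout, upstream addresses and the value "chrome" for ua_browser are assumptions made for the sample.

```python
def _entry(host, upstream_status, upstream_addr, upstream_seconds, request_ms,
           ua_browser="chrome", user_id="1234567890"):
    # Constructed WAF log record (assumed layout) with only the fields the query reads.
    return {"user_id": user_id, "host": host, "upstream_status": upstream_status,
            "upstream_addr": upstream_addr, "upstream_response_time": upstream_seconds,
            "request_time_msec": request_ms, "ua_browser": ua_browser}


def constructed_latency_logs():
    """Constructed 5-minute sample (not real WAF output)."""
    logs = []
    # slow.example.com: 40 requests, origin takes 1.2 s, 1250 ms end to end.
    logs += [_entry("slow.example.com", 200, "10.0.0.5:443", 1.2, 1250) for _ in range(40)]
    # fast.example.com: 50 requests, 50 ms at the origin, 80 ms end to end.
    logs += [_entry("fast.example.com", 200, "10.0.0.6:443", 0.05, 80) for _ in range(50)]
    # rare.example.com: slow, but only 5 requests, so requestnum > 30 excludes it.
    logs += [_entry("rare.example.com", 200, "10.0.0.7:443", 3.0, 3100) for _ in range(5)]
    # Records the search filter must drop: origin timeout, no upstream, outlier, crawler.
    logs.append(_entry("slow.example.com", 504, "10.0.0.5:443", 60.0, 60000))
    logs.append(_entry("slow.example.com", 200, "-", 0.0, 2))
    logs.append(_entry("slow.example.com", 200, "10.0.0.5:443", 9.0, 9500))
    logs.append(_entry("slow.example.com", 200, "10.0.0.5:443", 1.2, 1250, ua_browser="bot"))
    return logs


def passes_search_filter(rec):
    """The conditions in front of '|': no 504, a real upstream, requests under 5 s,
    upstream_status 200, and no crawler traffic."""
    return (rec["upstream_status"] != 504
            and rec["upstream_addr"] != "-"
            and rec["request_time_msec"] < 5000
            and rec["upstream_status"] == 200
            and rec["ua_browser"] != "bot")


def latency_by_host(logs, min_requests=30, limit=5):
    """Per-host averages ordered by request_time; upstream_response_time is converted
    from seconds to milliseconds before rounding so no precision is lost."""
    groups = {}
    for rec in filter(passes_search_filter, logs):
        groups.setdefault((rec["user_id"], rec["host"]), []).append(rec)
    rows = []
    for (user_id, host), recs in groups.items():
        n = len(recs)
        if n <= min_requests:           # WHERE requestnum > 30
            continue
        rows.append({
            "user_id": user_id,
            "host": host,
            "upstream_time": round(sum(r["upstream_response_time"] for r in recs) / n * 1000, 2),
            "request_time": round(sum(r["request_time_msec"] for r in recs) / n, 2),
            "requestnum": n,
        })
    rows.sort(key=lambda r: r["request_time"], reverse=True)
    return rows[:limit]


def fires_latency_alert(row, max_ms=1000, min_requests=30):
    """Trigger condition: $0.request_time>1000 && $0.requestnum>30."""
    return row["request_time"] > max_ms and row["requestnum"] > min_requests


if __name__ == "__main__":
    for row in latency_by_host(constructed_latency_logs()):
        print(row["host"], row["upstream_time"], row["request_time"],
              row["requestnum"], fires_latency_alert(row))
```

With the sample, only slow.example.com fires; the four malformed or filtered records never reach the average, which is the point of the search conditions: a single 60-second origin timeout would otherwise push a 40-request average past the 1000 ms threshold on its own.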

Abrupt decrease in traffic

The following parameter settings are recommended for this type of alerting:

  • Chart Name: Abrupt decrease in traffic

  • Query Statement:

    user_id: ID of your Alibaba Cloud account |
    SELECT
      t1.user_id,
      t1.now1mQPS,
      t1.past1mQPS,
      de_ratio,
      t2.Rate_2XX,
      Rate_3XX,
      Rate_4XX,
      Rate_5XX,
      aveQPS
    FROM  (
        (
          SELECT
            user_id,
            round(c [1] / 60, 0) AS now1mQPS,
            round(c [2] / 60, 0) AS past1mQPS,
            round(
              100-round(c [1] / 60, 0) / round(c [2] / 60, 0) * 100,
              2
            ) AS de_ratio
          FROM        (
              SELECT
                compare(t, 60) AS c,
                user_id
              FROM            (
                  SELECT
                    COUNT(*) AS t,
                    user_id
                  FROM                log
                  GROUP BY
                    user_id
                )
              GROUP BY
                user_id
            )
          WHERE
            c [3] < 0.9
            AND (
              c [1] > 180
              or c [2] > 180
            )
        ) t1
        JOIN (
          SELECT
            user_id,
            Rate_2XX,
            Rate_3XX,
            Rate_4XX,
            Rate_5XX,
            countall / 60 AS "aveQPS",
            status_2XX,
            status_3XX,
            status_4XX,
            status_5XX,
            countall
          FROM        (
              SELECT
                user_id,
                round(
                  round(status_2XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_2XX,
                round(
                  round(status_3XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_3XX,
                round(
                  round(status_4XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_4XX,
                round(
                  round(status_5XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_5XX,
                status_2XX,
                status_3XX,
                status_4XX,
                status_5XX,
                countall
              FROM            (
                  SELECT
                    user_id,
                    count_if(
                      status >= 200
                      AND status < 300
                    ) AS status_2XX,
                    count_if(
                      status >= 300
                      AND status < 400
                    ) AS status_3XX,
                    count_if (
                      status >= 400
                      AND status < 500
                      AND status <> 444
                      AND status <> 405
                    ) AS status_4XX,
                    count_if(
                      status >= 500
                      AND status < 600
                    ) AS status_5XX,
                    COUNT(*) AS countall
                  FROM                log
                  GROUP BY
                    user_id
                )
            )
          WHERE
            countall > 0
        ) t2 ON t1.user_id = t2.user_id
      )
    ORDER BY
      de_ratio DESC
    LIMIT
      5

  • Time Range: 1 minute (relative)

  • Frequency: 1 minute

  • Trigger Condition: $0.de_ratio>50&& $0.now1mqps>20

  • Notification Triggering Threshold: 1

  • Notification Interval: 5 minutes

  • Content:

    - [Time]: ${FireTime}
    - [UID]:${Results[0].RawResults[0].user_id}
    - Service: WAF
    - Average QPS in the last 1 minute: ${Results[0].RawResults[0].now1mqps}
    - [Trigger condition (abrupt decrease rate of traffic & QPS)]:${condition}
    - Abrupt decrease rate of QPS: ${Results[0].RawResults[0].de_ratio}%
    - Percentage of 2xx status codes: ${Results[0].RawResults[0].rate_2xx}%
    - Percentage of 3xx status codes: ${Results[0].RawResults[0].rate_3xx}%
    - Percentage of 4xx status codes: ${Results[0].RawResults[0].rate_4xx}%
    - Percentage of 5xx status codes: ${Results[0].RawResults[0].rate_5xx}%
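
The traffic-drop query leans on compare(t, 60), which returns the current-window count, the count from 60 seconds earlier and their ratio, and then joins the status-code shares of the current window. The Python below is an added example, not code from the page or from Alibaba Cloud, that models that array, the WHERE clause on it, the de_ratio arithmetic and the trigger condition over constructed per-minute status lists, so the two guards (ratio below 0.9, a window above 180 requests, and now1mqps above 20) can be seen working. Presto-style half-up rounding is emulated with a small helper because Python's round() rounds half to even; the sample counts are constructed.

```python
import math


def round_half_up(x):
    """round(x, 0) as the query engine does it: halves go away from zero."""
    return int(math.floor(x + 0.5))


def compare_counts(now_count, past_count):
    """Model of compare(t, 60): [current-window value, value 60 s earlier, current/past].
    The SQL indexes this array from 1 (c[1], c[2], c[3]); Python from 0."""
    ratio = now_count / past_count if past_count else float("inf")
    return [now_count, past_count, ratio]


def status_rates(statuses):
    """The t2 side of the join: share of each status class, with 444 (connection
    closed without a response) and 405 left out of the 4xx bucket."""
    countall = len(statuses)

    def rate(n):
        return round(round(n / countall, 4) * 100, 2)

    return {
        "rate_2xx": rate(sum(200 <= s < 300 for s in statuses)),
        "rate_3xx": rate(sum(300 <= s < 400 for s in statuses)),
        "rate_4xx": rate(sum(400 <= s < 500 and s not in (444, 405) for s in statuses)),
        "rate_5xx": rate(sum(500 <= s < 600 for s in statuses)),
    }


def evaluate_drop(now_statuses, past_statuses):
    """Joined t1/t2 row for one account, or None when the row would not exist."""
    c = compare_counts(len(now_statuses), len(past_statuses))
    # t1 WHERE: c[3] < 0.9 AND (c[1] > 180 OR c[2] > 180). An empty past window gives
    # an infinite ratio and is filtered out, so the division below never sees 0 QPS.
    if not (c[2] < 0.9 and (c[0] > 180 or c[1] > 180)):
        return None
    if not now_statuses:                # t2 WHERE countall > 0 removes the row
        return None
    now_qps = round_half_up(c[0] / 60)
    past_qps = round_half_up(c[1] / 60)
    row = {
        "now1mqps": now_qps,
        "past1mqps": past_qps,
        "de_ratio": round(100 - now_qps / past_qps * 100, 2),
        "aveqps": c[0] / 60,
    }
    row.update(status_rates(now_statuses))
    return row


def fires_drop_alert(row):
    """Trigger condition: $0.de_ratio>50 && $0.now1mqps>20."""
    return row is not None and row["de_ratio"] > 50 and row["now1mqps"] > 20


# Constructed per-minute status lists (not real WAF output).
PAST = [200] * 6000                    # 100 QPS, healthy
NOW = [200] * 1500 + [502] * 300        # 30 QPS, one sixth of it 502s
LOW_NOW = [200] * 600                   # 10 QPS: a real drop, but too little traffic to page on

if __name__ == "__main__":
    for label, now in (("drop", NOW), ("drop-but-quiet", LOW_NOW)):
        row = evaluate_drop(now, PAST)
        print(label, row, fires_drop_alert(row))
```

The NOW window fires (70% drop at 30 QPS); LOW_NOW shows a larger drop but stays below the now1mqps floor, which is what keeps the rule from paging on an account that is merely quiet. Two windows of 100 and 150 requests never produce a row at all because neither side exceeds 180 requests.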