This topic describes the log fields supported by Web Application Firewall (WAF).

Table for field retrieval

The following table describes the log fields that are supported by WAF. You can use the names of fields to query specific fields.

First letter of a field name Field
a
b
c
d
f final-related fields: final_action | final_plugin | final_rule_id | final_rule_type
h
i Bot threat intelligence-related fields: intelligence_action | intelligence_rule_id | intelligence_test
m Field for matched domain names that are protected by WAF: matched_host
n Positive security model-related fields: normalized_action | normalized_rule_id | normalized_rule_type | normalized_test
q Query string field: querystring
r
s
t Request time field: time
u
w

The following table describes all actions that are supported by WAF.

Value of the action field Description
block Indicates the block action. WAF blocks a request from the client and returns the 405 error page to the client.
captcha_strict Indicates strict slider CAPTCHA verification. WAF returns a page used for slider CAPTCHA verification to the client. If the client passes strict slider CAPTCHA verification, WAF allows the request from the client. If the client fails strict slider CAPTCHA verification, WAF blocks the request. A client must pass strict slider CAPTCHA verification each time the client sends a request.
captcha Indicates common slider CAPTCHA verification. WAF returns a page used for slider CAPTCHA verification to the client. If the client passes common slider CAPTCHA verification, WAF allows the requests from the client within a specific time range. During this time range, the client can bypass the verification. By default, the time range is 30 minutes. If the client fails common slider CAPTCHA verification, WAF blocks the requests from the client.
sigchl Indicates dynamic token authentication. Web requests are signed. When the client sends a request, the Web SDK issued by WAF generates a signature for the request. The signature is forwarded together with the request. If the signature is generated and verified, the request is sent to the origin server. If the signature fails to be generated or verified, a code block for the client to obtain a dynamic token is returned and the request must be signed again.
js Indicates JavaScript verification. WAF returns JavaScript code to the client. The JavaScript code is automatically executed by the browsers that the client uses. If the client passes JavaScript verification, WAF allows requests from the client within a specific time range. During this time range, the client can bypass the verification. By default, the time range is 30 minutes. If the client fails JavaScript verification, WAF blocks requests from the client.
pass Indicates the Allow action. WAF allows the request from the client and forwards the request to the origin server.
captcha_strict_pass Indicates that the client passes strict slider CAPTCHA verification and WAF allows the request from the client.
captcha_pass Indicates that the client passes common slider CAPTCHA verification and WAF allows the requests from the client.
sigchl_pass Indicates that the client passes dynamic token authentication and WAF allows the requests from the client.
js_pass Indicates that the client passes JavaScript verification and WAF allows the requests from the client.
mask Indicates that WAF masks the sensitive data that is returned from the origin server and returns the result to the client. Only the data leak prevention feature supports this action.
continue Indicates the allow action. The specific meaning of the continue value varies based on the protection feature. For more information, see the descriptions of the normalized_action and wxbb_action fields.

Required fields

Required fields refer to the fields that must be contained in WAF logs.

Field Description Sample value
acl_rule_type The type of the rule that is triggered. The rule is created for the blacklist or custom protection policy (ACL) feature. Valid values:
  • custom: indicates a rule that is created for the custom protection policy (ACL) feature.
  • blacklist: indicates a rule that is created for the blacklist feature.
custom
bypass_matched_ids The ID of the rule that is triggered to allow requests. The rule can be a whitelist rule or a custom protection rule that allows requests.

If multiple rules are triggered at the same time to allow requests, this field records the IDs of all the rules. Multiple IDs are separated by commas (,).

283531
cc_rule_type The type of the rule that is triggered. The rule is created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature. Valid values:
  • custom: indicates a rule that is created for the custom protection policy (HTTP Flood Protection) feature.
  • system: indicates an HTTP flood protection rule.
custom
content_type The type of the requested content. application/x-www-form-urlencoded
final_action The action that WAF performs on the request. Valid values:
  • block: indicates that the request is blocked.
  • captcha_strict: indicates that strict slider CAPTCHA verification is performed.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • sigchl: indicates that dynamic token authentication is performed.
  • js: indicates that JavaScript verification is performed.

For more information about WAF protection actions, see Description of the action field.

If a request does not trigger a protection feature, the field is not recorded. For example, if a request matches a rule that allows requests or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded.

The following actions are listed in descending order of priority: block, strict slider CAPTCHA verification, common slider CAPTCHA verification, dynamic token authentication, and JavaScript verification.

block
final_plugin The protection feature that performs the action specified by final_action on the request. Valid values:
  • waf: indicates the protection rules engine feature.
  • deeplearning: indicates the deep learning engine feature.
  • dlp: indicates the data leakage prevention feature.
  • account: indicates the account security feature.
  • normalized: indicates the positive security model feature.
  • acl: indicates the blacklist feature or the custom protection policy (ACL) feature.
  • cc: indicates the HTTP flood protection feature or the custom protection policy (HTTP Flood Protection) feature.
  • antiscan: indicates the scan protection feature.
  • scene: indicates the scenario-specific configuration feature.
  • antifraud: indicates the data risk control feature.
  • bot_intelligence: indicates the bot threat intelligence feature.
  • algorithm: indicates the typical bot behavior identification feature.
  • wxbb: indicates the app protection feature.

To configure the preceding protection features, log on to the Web Application Firewall console and choose Protection Settings > Website Protection in the left-side navigation pane. For more information about WAF protection features, see Overview of website protection.

If a request does not trigger a protection feature, the field is not recorded. For example, if a request matches a rule that allows requests or a client passes slider CAPTCHA verification or JavaScript verification, the field is not recorded.

If a request triggers multiple protection features at the same time, the field is recorded, and the field includes only the protection feature that performs the action specified by final_action.

waf
final_rule_id The ID of the rule that is applied to the request. The rule defines the action that is recorded in the final_action field. 115341
final_rule_type The subtype of the rule that is applied to the request. The rule is indicated by final_rule_id.

For example, final_plugin:waf supports final_rule_type:sqli and final_rule_type:xss.

xss/webshell
host The Host header field of the request, which indicates the domain name or IP address to be accessed. api.example.com
http_referer The Referer header field of the request, which indicates the source URL information about the request.

If the request does not contain the source URL information, the value of the field is displayed as a hyphen (-).

http://example.com
http_user_agent The User-Agent field of the request header. This field contains information about the browser and operating system. Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002)
http_x_forwarded_for The X-Forwarded-For (XFF) field of the request header. This field is used to identify the originating IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing device. 47.100.XX.XX
https Indicates whether the request is an HTTPS request. Valid values:
  • on: HTTPS request
  • off: HTTP request
on
matched_host The domain name that is matched by WAF. The domain name is added to WAF for protection.
Note Wildcard domains can be added to WAF, and WAF may match a wildcard domain. For example, if the domain name *.aliyun.com is added to WAF and www.aliyun.com is requested, WAF matches the domain name *.aliyun.com.
*.aliyun.com
querystring The query string in the request. The query string refers to the part that follows the question mark (?) in the requested URL. title=tm_content%3Darticle&pid=123
real_client_ip The originating IP address of the client that initiates the request. WAF identifies the originating IP address based on the analysis of the request.

If WAF cannot identify the originating IP address of the client, the value of the field is displayed as a hyphen (-). For example, if a proxy server is used or the IP field in the request header is invalid, WAF cannot identify the actual IP address of the client.

192.0.XX.XX
remote_addr The IP address that is used to connect to WAF.

If WAF is directly connected to a client, this field records the originating IP address of the client. If a Layer 7 proxy, such as Alibaba Cloud CDN (CDN), is deployed in front of WAF, this field records the IP address of the proxy.

198.51.XX.XX
remote_port The port that is used to connect to WAF.

If WAF is directly connected to a client, this field records the port of the client. If a Layer 7 proxy, such as CDN, is deployed in front of WAF, this field records the port of the proxy.

80
request_length The number of bytes in the request. The request includes the request line, request header, and request body. Unit: bytes. 111111
request_method The request method. GET
request_path The requested relative path. The relative path refers to the part between the domain name and the question mark (?) in the requested URL. The relative path does not include the query string. /news/search.php
request_time_msec The time that is taken by WAF to process the request. Unit: milliseconds. 44
request_traceid The unique identifier that is generated by WAF for each request. 7837b11715410386943437009ea1f0
server_protocol The protocol and version that are used by the origin server to respond to the request forwarded by WAF. HTTP/1.1
status The HTTP status code that is returned by WAF to the client. Example: 200, which indicates that the request is received and accepted. 200
time The point in time at which the request is initiated. The time follows the ISO 8601 standard in the yyyy-MM-ddTHH:mm:ss+08:00 format. The time must be in UTC. 2018-05-02T16:03:59+08:00
upstream_addr The IP address and port number of the origin server. The format is IP address:Port. Multiple pairs of IP addresses and ports are separated by commas (,). 198.51.XX.XX:443
upstream_response_time The time that the origin server requires to respond to the request forwarded by WAF. Unit: seconds. 0.044
upstream_status The HTTP status code that is sent by the origin server as a response to the request from WAF. Example: 200, which indicates that the request is received and accepted. 200
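
The following Python sketch is an added example, not part of the WAF documentation or its tooling. It shows how the required fields above combine during log triage: final_action is absent when no protection feature acted, bypass_matched_ids is a comma-separated list, real_client_ip falls back to remote_addr when it is a hyphen, and the action priority order picks the most severe action seen per client. It assumes records have already been exported as key-value dictionaries; the sample records, the disposition labels and the helper names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timezone

# Priority order this page gives for final_action, most severe first.
ACTION_PRIORITY = ["block", "captcha_strict", "captcha", "sigchl", "js"]

# Constructed sample records (not real traffic). Field names are the required
# fields documented above; the dict layout is an assumption about the export.
SAMPLE_RECORDS = [
    {"time": "2018-05-02T16:03:59+08:00", "real_client_ip": "192.0.2.10",
     "remote_addr": "198.51.100.7", "request_path": "/login",
     "final_action": "js", "final_plugin": "cc",
     "final_rule_id": "151234", "final_rule_type": "custom"},
    {"time": "2018-05-02T16:04:05+08:00", "real_client_ip": "192.0.2.10",
     "remote_addr": "198.51.100.7", "request_path": "/news/search.php",
     "final_action": "block", "final_plugin": "waf",
     "final_rule_id": "115341", "final_rule_type": "sqli"},
    {"time": "2018-05-02T16:04:10+08:00", "real_client_ip": "-",
     "remote_addr": "198.51.100.7", "request_path": "/login",
     "final_action": "captcha", "final_plugin": "acl",
     "final_rule_id": "151235", "final_rule_type": "custom"},
    {"time": "2018-05-02T16:04:12+08:00", "real_client_ip": "203.0.113.5",
     "remote_addr": "203.0.113.5", "request_path": "/health",
     "bypass_matched_ids": "283531,283532"},
    {"time": "2018-05-02T16:04:20+08:00", "real_client_ip": "203.0.113.5",
     "remote_addr": "203.0.113.5", "request_path": "/index.html"},
]


def split_ids(value):
    """bypass_matched_ids holds one or more rule IDs separated by commas."""
    if not value or value == "-":  # assumption: empty or '-' means no allow rule
        return []
    return [part.strip() for part in value.split(",") if part.strip()]


def client_ip(rec):
    """Return (address, source_field) for attributing a request.

    real_client_ip is '-' when WAF cannot identify the client. remote_addr is
    the peer connected to WAF, which is a proxy when a CDN sits in front, so
    the source field is kept to avoid blaming a proxy for client behaviour.
    """
    ip = rec.get("real_client_ip", "-")
    if ip and ip != "-":
        return ip, "real_client_ip"
    return rec.get("remote_addr", "-"), "remote_addr"


def normalize(rec):
    """Flatten one record into the values an analyst pivots on."""
    action = rec.get("final_action")  # not recorded if no feature acted
    allow_rules = split_ids(rec.get("bypass_matched_ids"))
    if action == "block":
        disposition = "blocked"
    elif action in ACTION_PRIORITY:
        disposition = "challenged"
    elif allow_rules:
        disposition = "allowed_by_rule"
    else:
        disposition = "no_action"
    ip, source = client_ip(rec)
    return {
        "time_utc": datetime.fromisoformat(rec["time"]).astimezone(timezone.utc),
        "client_ip": ip,
        "ip_source": source,
        "disposition": disposition,
        "action": action,
        "plugin": rec.get("final_plugin"),
        "rule_id": rec.get("final_rule_id"),
        "rule_type": rec.get("final_rule_type"),
        "allow_rules": allow_rules,
        "path": rec.get("request_path"),
    }


def summarize(records):
    """Most severe final_action per (client, source) and hits per (plugin, rule_type)."""
    worst = {}
    hits = Counter()
    for rec in records:
        ev = normalize(rec)
        if ev["action"] not in ACTION_PRIORITY:
            continue  # allowed or untouched requests carry no final_* fields
        hits[(ev["plugin"], ev["rule_type"])] += 1
        key = (ev["client_ip"], ev["ip_source"])
        rank = ACTION_PRIORITY.index(ev["action"])
        if key not in worst or rank < ACTION_PRIORITY.index(worst[key]):
            worst[key] = ev["action"]
    return worst, hits


if __name__ == "__main__":
    worst_seen, rule_hits = summarize(SAMPLE_RECORDS)
    for (ip, source), action in sorted(worst_seen.items()):
        print(f"{ip} (from {source}): most severe action {action}")
    for (plugin, rule_type), count in rule_hits.most_common():
        print(f"{plugin}/{rule_type}: {count}")
```
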

Optional fields

You can include optional fields in WAF logs based on your business requirements. WAF logs record only the optional fields that you enable.

If you enable optional fields, WAF logs occupy more storage space. If you have sufficient log storage capacity, we recommend that you enable more optional fields. This helps you to analyze logs in a more comprehensive manner. For more information about how to configure optional fields, see Modify log settings.

Field Description Sample value
account_action The action that is performed on the request after an account security rule is triggered. The value is fixed as block, which indicates that the request is blocked.

For more information about WAF protection actions, see Description of the action field.

block
account_rule_id The ID of the account security rule that is triggered. 151235
account_test The protection mode that is used for the request after an account security rule is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions such as block are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions such as block on the request that matches the protection rule.
false
acl_action The action that is performed on the request after a rule created for the blacklist or custom protection policy (ACL) feature is triggered. Valid values:
  • block: indicates that the request is blocked.
  • captcha_strict: indicates that strict slider CAPTCHA verification is performed.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.
  • captcha_strict_pass: indicates that the client passes strict slider CAPTCHA verification and WAF allows the request from the client.
  • captcha_pass: indicates that the client passes common slider CAPTCHA verification and WAF allows the requests from the client.
  • js_pass: indicates that the client passes JavaScript verification and WAF allows the requests from the client.

For more information about WAF protection actions, see Description of the action field.

block
acl_rule_id The ID of the rule that is triggered. The rule is created for the blacklist or custom protection policy (ACL) feature. 151235
acl_test The protection mode that is used for the request after a rule created for the blacklist or custom protection policy (ACL) feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions such as block are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions such as block on the request that matches the protection rule.
false
algorithm_action The action that is performed on the request after a rule created for the typical bot behavior identification feature is triggered. Valid values:
  • block: indicates that the request is blocked.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.
  • captcha_pass: indicates that the client passes common slider CAPTCHA verification and WAF allows the requests from the client.
  • js_pass: indicates that the client passes JavaScript verification and WAF allows the requests from the client.

For more information about WAF protection actions, see Description of the action field.

block
algorithm_rule_id The ID of the rule that is triggered. The rule is created for the typical bot behavior identification feature. 151235
algorithm_test The protection mode that is used for the request after a rule created for the typical bot behavior identification feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions such as block are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions such as block on the request that matches the protection rule.
false
antifraud_action The action that is performed on the request after a rule created for the data risk control feature is triggered. Valid values:
  • pass: indicates that the request is allowed.
  • block: indicates that the request is blocked.
  • captcha: indicates that common slider CAPTCHA verification is performed.

For more information about WAF protection actions, see Description of the action field.

block
antifraud_test The protection mode that is used for the request after a rule created for the data risk control feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions such as block are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions such as block on the request that matches the protection rule.
false
antiscan_action The action that is performed on the request after a rule created for the scan protection feature is triggered. The value is fixed as block, which indicates that the request is blocked.

For more information about WAF protection actions, see Description of the action field.

block
antiscan_rule_id The ID of the rule that is triggered. The rule is created for the scan protection feature. 151235
antiscan_rule_type The type of the rule that is triggered. The rule is created for the scan protection feature. Valid values:
  • highfreq: indicates a rule that blocks IP addresses from which web attacks are frequently initiated.
  • dirscan: indicates a rule that defends against directory traversal attacks.
  • scantools: indicates a rule that blocks the IP addresses of scanners.
  • collaborative: indicates a collaborative defense rule.
highfreq
antiscan_test The protection mode that is used for the request after a rule created for the scan protection feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions such as block are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions such as block on the request that matches the protection rule.
false
block_action
Notice This field is no longer valid due to WAF upgrades. This field is replaced with the field final_plugin. If the block_action field is used in your services, replace the field with final_plugin at the earliest opportunity.
The WAF protection feature that is triggered to block the request. Valid values:
  • tmd: indicates HTTP flood protection. The value is equivalent to the cc value of final_plugin.
  • waf: indicates web attack protection. The value is equivalent to the waf value of final_plugin.
  • acl: indicates the custom protection policy feature. The value is equivalent to the acl value of final_plugin.
  • deeplearning: indicates the deep learning engine feature. The value is equivalent to the deeplearning value of final_plugin.
  • antiscan: indicates scan protection. The value is equivalent to the antiscan value of final_plugin.
  • antifraud: indicates data risk control. The value is equivalent to the antifraud value of final_plugin.
  • antibot: indicates bot management. The value is equivalent to the intelligence, algorithm, wxbb, and scene values of final_plugin.
waf
body_bytes_sent The number of bytes in the response body that the server returns to the client. The number of bytes of the response header is not counted. Unit: bytes. 1111
cc_action The action that is performed on the request after a rule created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature is triggered. Valid values:
  • block: indicates that the request is blocked.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.
  • captcha_pass: indicates that the client passes common slider CAPTCHA verification and WAF allows the requests from the client.
  • js_pass: indicates that the client passes JavaScript verification and WAF allows the requests from the client.

For more information about WAF protection actions, see Description of the action field.

block
cc_rule_id The ID of the rule that is triggered. The rule is created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature. 151234
cc_test The protection mode that is used for the request after a rule created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions such as block are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions such as block on the request that matches the protection rule.
false
deeplearning_action The action that is performed on the request after a rule created for the deep learning engine feature is triggered. The value is fixed as block, which indicates that the request is blocked.

For more information about WAF protection actions, see Description of the action field.

block
deeplearning_rule_id The ID of the rule that is triggered. The rule is created for the deep learning engine feature. 151238
deeplearning_rule_type The type of the rule that is triggered. The rule is created for the deep learning engine feature. Valid values:
  • xss: indicates a rule that defends against XSS attacks.
  • code_exec: indicates a rule that defends against specific attacks. The attacks exploit code execution vulnerabilities.
  • webshell: indicates a rule that defends against webshell uploads.
  • sqli: indicates a rule that defends against SQL injection.
  • lfilei: indicates a rule that defends against local file inclusion.
  • rfilei: indicates a rule that defends against remote file inclusion.
  • other: indicates other protection rules.
xss
deeplearning_test The protection mode that is used for the request after a rule created for the deep learning engine feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions such as block are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions such as block on the request that matches the protection rule.
false
dlp_action The action that is performed on the request after a rule created for the data leakage prevention feature is triggered. Valid values:
  • block: indicates that the request is blocked.
  • mask: indicates that sensitive data is masked.

For more information about WAF protection actions, see Description of the action field.

mask
dlp_rule_id The ID of the rule that is triggered. The rule is created for the data leakage prevention feature. 151245
dlp_test The protection mode that is used for the request after a rule created for the data leakage prevention feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions such as block are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions such as block on the request that matches the protection rule.
false
intelligence_action The action that is performed on the request after a rule created for the bot threat intelligence feature is triggered. Valid values:
  • block: indicates that the request is blocked.
  • captcha_strict: indicates that strict slider CAPTCHA verification is performed.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.
  • captcha_strict_pass: indicates that the client passes strict slider CAPTCHA verification and WAF allows the request from the client.
  • captcha_pass: indicates that the client passes common slider CAPTCHA verification and WAF allows the requests from the client.
  • js_pass: indicates that the client passes JavaScript verification and WAF allows the requests from the client.

For more information about WAF protection actions, see Description of the action field.

block
intelligence_rule_id The ID of the rule that is triggered. The rule is created for the bot threat intelligence feature. 152234
intelligence_test The protection mode that is used for the request after a rule created for the bot threat intelligence feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions such as block are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions such as block on the request that matches the protection rule.
false
normalized_action The action that is performed on the request after a rule created for the positive security model feature is triggered. Valid values:
  • block: indicates that the request is blocked.
  • continue: indicates that the request is allowed.

For more information about WAF protection actions, see Description of the action field.

block
normalized_rule_id The ID of the rule that is triggered. The rule is created for the positive security model feature. 151266
normalized_rule_type The type of the rule that is triggered. The rule is created for the positive security model feature. Valid values:
  • User-Agent: indicates a User-Agent-based baseline rule. If the User-Agent field of a request header does not conform to the baseline, an attack may occur. This description applies to other rule types.
  • Referer: indicates a Referer-based baseline rule.
  • URL: indicates a URL-based baseline rule.
  • Cookie: indicates a cookie-based baseline rule.
  • Body: indicates a request body-based baseline rule.
User-Agent
normalized_test The protection mode that is used for the request after a rule created for the positive security model feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions such as block are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions such as block on the request that matches the protection rule.
false
region The ID of the region where the WAF instance resides. Valid values:
  • cn: the Chinese mainland
  • int: outside the Chinese mainland
cn
request_body The request body. i am the request body, encrypted or not!
scene_action The action that is performed on the request after a rule created for scenario-specific configuration is triggered. Valid values:
  • block: indicates that the request is blocked.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • sigchl: indicates that dynamic token authentication is performed.
  • js: indicates that JavaScript verification is performed.
  • captcha_pass: indicates that the client passes common slider CAPTCHA verification and WAF allows the requests from the client.
  • sigchl_pass: indicates that the client passes dynamic token authentication and WAF allows the requests from the client.
  • js_pass: indicates that the client passes JavaScript verification and WAF allows the requests from the client.

For more information about WAF protection actions, see Description of the action field.

block
scene_id The scenario ID of the rule that is triggered. The rule is created for scenario-specific configuration. 151235
scene_rule_id The ID of the rule that is triggered. The rule is created for scenario-specific configuration. 153678
scene_rule_type The type of the rule that is triggered. The rule is created for scenario-specific configuration. Valid values:
  • bot_aialgo: indicates an intelligent protection rule.
  • js: indicates a rule that blocks script-based bots.
  • intelligence: indicates a rule that blocks attacks based on bot threat intelligence or data center blacklists.
  • sdk: indicates a rule that checks for abnormal signatures of SDK-integrated apps and abnormal device behaviors.
  • cc: indicates an IP address-based throttling rule or a custom session-based throttling rule.
  • sigchl: indicates a dynamic token authentication rule.
bot_aialgo
sigchl_invalid_type The reason why the request is considered abnormal by dynamic token authentication rules. Valid values:
  • sigchl_invalid_sig: indicates that signature verification fails. The following information describes the common causes of the failure:
    • A request does not carry a signature.
    • The parameter that is passed when a signature is added is different from the parameter received by WAF.
  • sigchl_is_replay: indicates that the signature timestamp is abnormal. A replay attack may occur.
  • sigchl_is_driver: indicates that the request is considered as a WebDriver attack request.
sigchl_invalid_sig
scene_test The protection mode that is used for the request after a rule created for scenario-specific configuration is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions such as block are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions such as block on the request that matches the protection rule.
false
server_port The requested destination port. 443
ssl_cipher The cipher suite that is used in the request. ECDHE-RSA-AES128-GCM-SHA256
ssl_protocol The SSL or TLS protocol and version that are used in the request. TLSv1.2
ua_browser The name of the browser that initiates the request.
Notice Since December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. We recommend that you use the required field http_user_agent to obtain the information about the User-Agent field of the request. For more information, see http_user_agent.
ie9
ua_browser_family The family to which the browser belongs.
Notice From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. We recommend that you use the required field http_user_agent to obtain the information about the User-Agent field of the request. For more information, see http_user_agent.
internet explorer
ua_browser_type The type of the browser that initiates the request.
Notice From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. We recommend that you use the required field http_user_agent to obtain the information about the User-Agent field of the request. For more information, see http_user_agent.
web_browser
ua_browser_version The version of the browser that initiates the request.
Notice From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. We recommend that you use the required field http_user_agent to obtain the information about the User-Agent field of the request. For more information, see http_user_agent.
9.0
ua_device_type The device type of the client that initiates the request.
Notice From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. We recommend that you use the required field http_user_agent to obtain the information about the User-Agent field of the request. For more information, see http_user_agent.
computer
ua_os The operating system of the client that initiates the request.
Notice From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. We recommend that you use the required field http_user_agent to obtain the information about the User-Agent field of the request. For more information, see http_user_agent.
windows_7
ua_os_family The family to which the operating system of the client belongs.
Notice From December 15, 2021, this field is no longer supported by WAF. This field is not recorded even if you select the field on the Log Settings page. We recommend that you use the required field http_user_agent to obtain the information about the User-Agent field of the request. For more information, see http_user_agent.
windows
user_id The ID of the Alibaba Cloud account to which the WAF instance belongs. 17045741********
waf_action The action that is performed on the request after a rule created for the protection rules engine feature is triggered. The value is fixed as block, which indicates that the request is blocked.

For more information about WAF protection actions, see Description of the action field.

block
waf_rule_id The ID of the rule that is triggered. The rule is created for the protection rules engine feature. 113406
waf_rule_type The type of the rule that is triggered. The rule is created for the protection rules engine feature. Valid values:
  • xss: indicates a rule that defends against XSS attacks.
  • code_exec: indicates a rule that defends against attacks that exploit code execution vulnerabilities.
  • webshell: indicates a rule that defends against webshell uploads.
  • sqli: indicates a rule that defends against SQL injection.
  • lfilei: indicates a rule that defends against local file inclusion.
  • rfilei: indicates a rule that defends against remote file inclusion.
  • other: indicates other protection rules.
xss
waf_test The protection mode that is used for the request after a rule created for the protection rules engine feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions such as block are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions such as block on the request that matches the protection rule.
false
wxbb_action The action that is performed on the request after a rule created for the app protection feature is triggered. Valid values:
  • block: indicates that the request is blocked because the signature fails verification.
  • captcha: indicates that common slider CAPTCHA verification is performed.
  • js: indicates that JavaScript verification is performed.
  • continue: indicates that the request is allowed because the signature passes verification.

For more information about WAF protection actions, see Description of the action field.

block
wxbb_invalid_wua The reason why requests are considered abnormal based on the rule created for the app protection feature. Valid values:
  • wxbb_simulator: indicates that a simulator is used.
  • wxbb_proxy: indicates that a proxy is used.
  • wxbb_root: indicates that a rooted device is used.
  • wxbb_hook: indicates that hooking is used.
  • wxbb_antireplay: indicates a replay attack that uses the signature string wToken.
  • wxbb_virtual: indicates that multiboxing is configured for Anti-Bot SDK-integrated apps.
  • wxbb_debugged: indicates that the device is in debug mode.
  • wxbb_invalid_sign: indicates that signature verification fails.
    The following information describes the common causes of the failure:
    • A request does not carry a signature.
    • The parameter that is passed when a signature is added is different from the parameter received by WAF. For example, the parameter a=1&b=2 is passed, but the parameter received by WAF is b=2&a=1. As another example, the content of the passed parameter is not encoded, but the content received by WAF is Base64-encoded.
wxbb_invalid_sign
wxbb_rule_id The ID of the rule that is triggered. The rule is created for the app protection feature. 156789
wxbb_test The protection mode that is used for the request after a rule created for the app protection feature is triggered. Valid values:
  • true: indicates the observation mode. In this mode, logs are recorded. However, protection actions such as block are not triggered.
  • false: indicates the prevention mode. In this mode, WAF performs protection actions such as block on the request that matches the protection rule.
false
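The waf_test and wxbb_test fields decide whether a rule match was enforced or only logged, so a triage pass over exported logs should separate the two. The following is an added example, not code from the WAF documentation; the record layout (one dict per log entry with string values), the rule ID 113407, and the function names classify and triage are assumptions.

```python
from collections import Counter

# Constructed sample records. Field names come from the table above; rule ID
# 113407 and the string-valued "true"/"false" flags are assumptions.
SAMPLE_LOGS = [
    {"waf_rule_id": "113406", "waf_rule_type": "xss", "waf_action": "block", "waf_test": "false"},
    {"waf_rule_id": "113406", "waf_rule_type": "xss", "waf_action": "block", "waf_test": "true"},
    {"waf_rule_id": "113407", "waf_rule_type": "sqli", "waf_action": "block", "waf_test": "true"},
    {"wxbb_rule_id": "156789", "wxbb_action": "block", "wxbb_test": "false",
     "wxbb_invalid_wua": "wxbb_invalid_sign"},
    {"wxbb_rule_id": "156789", "wxbb_action": "continue", "wxbb_test": "false"},
    {"user_id": "17045741********"},  # no rule triggered
]

def classify(record, prefix):
    """Outcome for one module ('waf' or 'wxbb'); None if no rule was triggered."""
    if not record.get(f"{prefix}_rule_id"):
        return None
    if str(record.get(f"{prefix}_test", "")).lower() == "true":
        return "observed_only"  # observation mode: logged, no protection action
    action = record.get(f"{prefix}_action", "")
    if action == "block":
        return "blocked"
    if action in ("captcha", "js"):
        return "challenged"
    if action == "continue":
        return "allowed"
    return "unknown"

def triage(records):
    """Count outcomes per module and list rules that matched without enforcing."""
    outcomes, unenforced = Counter(), Counter()
    for rec in records:
        for prefix in ("waf", "wxbb"):
            outcome = classify(rec, prefix)
            if outcome is None:
                continue
            outcomes[(prefix, outcome)] += 1
            if outcome == "observed_only":
                rule_type = rec.get(f"{prefix}_rule_type", "-")
                unenforced[(prefix, rec[f"{prefix}_rule_id"], rule_type)] += 1
    return outcomes, unenforced

if __name__ == "__main__":
    outcomes, unenforced = triage(SAMPLE_LOGS)
    for key, count in sorted(outcomes.items()):
        print(key, count)
    for key, count in unenforced.most_common():
        print("matched in observation mode:", key, count)
```

Entries counted as observed_only record requests that matched a rule but were not blocked, so they are the ones to review against origin server logs.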
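When wxbb_invalid_wua reports wxbb_invalid_sign for legitimate app traffic, comparing the parameter string handed to the signer with the string that actually goes on the wire shows which of the listed causes applies. The following is an added example, not part of the WAF SDK; it does not model the signing algorithm, and the function name diagnose and its return labels are assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qsl

def _b64_decode(text):
    """Return the decoded text if `text` is valid Base64 of UTF-8, else None."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def diagnose(signed, received):
    """Explain how the signed parameter string differs from the received one.

    `signed` is the string passed when the signature was added; `received`
    is the string as sent to WAF. The labels are hypothetical.
    """
    if signed == received:
        return "identical"
    s_pairs = parse_qsl(signed, keep_blank_values=True)
    r_pairs = parse_qsl(received, keep_blank_values=True)
    # Same key/value pairs in a different order, e.g. a=1&b=2 vs b=2&a=1.
    if s_pairs != r_pairs and sorted(s_pairs) == sorted(r_pairs):
        return "reordered"
    # Plain content was signed, but the Base64-encoded form was sent.
    if _b64_decode(received) == signed:
        return "received_base64_encoded"
    # Same decoded pairs, different bytes (for example %20 vs +).
    if s_pairs == r_pairs:
        return "reencoded"
    return "different_content"

if __name__ == "__main__":
    # Constructed inputs based on the examples in the wxbb_invalid_sign row.
    print(diagnose("a=1&b=2", "b=2&a=1"))
    print(diagnose("a=1&b=2", "YT0xJmI9Mg=="))
```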