This topic provides examples of alert configurations based on log query and analysis results in Web Application Firewall (WAF). You can add charts to custom dashboards and configure alerts based on the parameters in this topic.
This topic describes the alert configuration parameters of the original alerting feature in Log Service. If you use the new alerting feature, you can configure alerts based on the query statements and parameter settings that are recommended in this topic and the description that is provided in Configure an alert monitoring rule in Simple Log Service.
Abnormal percentage of 4xx status codes
The following parameter settings are recommended for this type of alerting:
Chart Name: Percentage of 4xx status codes. Blocked requests are not counted.
Query Statement:
user_id: ID of your Alibaba Cloud account and not real_client_ip: Blocked IP addresses | SELECT user_id, host AS "Domain name", Rate_2XX AS "Percentage of 2xx status codes", Rate_3XX AS "Percentage of 3xx status codes", Rate_4XX AS "Percentage of 4xx status codes", Rate_5XX AS "Percentage of 5xx status codes", countall AS "aveQPS", status_2XX, status_3XX, status_4XX, status_5XX, countall FROM( SELECT user_id, host, round( round(status_2XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_2XX, round( round(status_3XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_3XX, round( round (status_4XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_4XX, round( round(status_5XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_5XX, status_2XX, status_3XX, status_4XX, status_5XX, countall FROM( SELECT user_id, host, count_if( status >= 200 and status < 300 ) AS status_2XX, count_if( status >= 300 and status < 400 ) AS status_3XX, count_if( status >= 400 and status < 500 and status <> 444 and status <> 405 ) AS status_4XX, count_if( status >= 500 and status < 600 ) AS status_5XX, COUNT(*) AS countall FROM log GROUP BY host, user_id ) ) WHERE countall > 120 ORDER BY Rate_4XX DESC LIMIT 5
The chart contains the following fields: aveQPS, Percentage of 2xx status codes, Percentage of 3xx status codes, Percentage of 4xx status codes, and Percentage of 5xx status codes. aveQPS indicates the queries per second (QPS) of the domain name. To show status code changes caused by system workloads instead of external reasons, the 444 and 405 status codes that are triggered by WAF-blocked HTTP flood attacks or web attacks are not counted in Percentage of 4xx status codes. You can select one or more of these fields to configure alerts. For example, you can specify aveQPS>10 && Percentage of 2xx status codes<60. If the QPS of a specified domain name is higher than 10 and the percentage of requests whose status code is 2xx in all requests is less than 60% during a specified period, an alert is triggered.
Time Range: 5 minutes (relative)
Frequency: 5 minutes
Trigger Condition:
$0.countall>3000&& $0.Percentage of 4xx status codes>80
Notification Triggering Threshold: 2
Notification Interval: 10 minutes
Content:
- [Time]: ${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - Domain name: ${Results[0].RawResults[0].Domain name} - Service: WAF - Requests in the last 5 minutes:${Results[0].RawResults[0].countall} - Percentage of 2xx status codes: ${Results[0].RawResults[0].Percentage of 2xx status codes} % - Percentage of 3xx status codes: ${Results[0].RawResults[0].Percentage of 3xx status codes} % - Percentage of 4xx status codes: ${Results[0].RawResults[0].Percentage of 4xx status codes} % - Percentage of 5xx status codes: ${Results[0].RawResults[0].Percentage of 5xx status codes} %
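The following Python is an added example, not the page's or Log Service's own code: it recomputes the Percentage of 4xx status codes chart and its trigger condition over constructed WAF log records, so you can see why 444/405 and already-blocked IPs are kept out of the percentage. The record layout (user_id, host, real_client_ip, status), the BLOCKED_IPS set and all sample values are assumptions.

```python
"""Added example: recompute the "Percentage of 4xx status codes" chart and
its trigger condition from constructed WAF log records.

Mirrors the page's query: blocked source IPs are filtered out first,
444/405 (WAF-blocked flood/web attacks) are excluded from the 4xx bucket,
hosts with countall <= 120 are dropped, and the top 5 hosts by Rate_4XX
are returned. Record layout and sample values are constructed here."""
from collections import defaultdict

# Constructed stand-in for the "Blocked IP addresses" placeholder in the query.
BLOCKED_IPS = {"203.0.113.9"}
TRIGGER_COUNTALL = 3000   # $0.countall>3000
TRIGGER_RATE_4XX = 80.0   # $0.Percentage of 4xx status codes>80


def sls_rate(part, total):
    """round(round(part * 1.0000 / total, 4) * 100, 2) as in the query."""
    return round(round(part / total, 4) * 100, 2)


def status_rates(records, blocked_ips=BLOCKED_IPS, min_count=120, limit=5):
    """Group by (user_id, host) and compute the chart rows.

    records: iterable of dicts with user_id, host, real_client_ip, status.
    Returns rows sorted by rate_4xx descending, at most `limit` rows."""
    counts = defaultdict(lambda: {"2xx": 0, "3xx": 0, "4xx": 0, "5xx": 0, "all": 0})
    for rec in records:
        if rec["real_client_ip"] in blocked_ips:
            continue  # "not real_client_ip: Blocked IP addresses"
        bucket = counts[(rec["user_id"], rec["host"])]
        status = rec["status"]
        bucket["all"] += 1
        if 200 <= status < 300:
            bucket["2xx"] += 1
        elif 300 <= status < 400:
            bucket["3xx"] += 1
        elif 400 <= status < 500 and status not in (444, 405):
            bucket["4xx"] += 1   # WAF-blocked 444/405 stay out of this bucket
        elif 500 <= status < 600:
            bucket["5xx"] += 1
    rows = []
    for (user_id, host), c in counts.items():
        if c["all"] <= min_count:
            continue  # WHERE countall > 120
        rows.append({
            "user_id": user_id, "host": host, "countall": c["all"],
            "rate_2xx": sls_rate(c["2xx"], c["all"]),
            "rate_3xx": sls_rate(c["3xx"], c["all"]),
            "rate_4xx": sls_rate(c["4xx"], c["all"]),
            "rate_5xx": sls_rate(c["5xx"], c["all"]),
        })
    rows.sort(key=lambda r: r["rate_4xx"], reverse=True)
    return rows[:limit]


def trigger_fires(rows):
    """Evaluate $0.countall>3000 && $0.Percentage of 4xx status codes>80
    on the first row ($0 is the first result row)."""
    if not rows:
        return False
    top = rows[0]
    return top["countall"] > TRIGGER_COUNTALL and top["rate_4xx"] > TRIGGER_RATE_4XX


def make_records(host, status_counts, ip="198.51.100.7", user_id="1234567890"):
    """Constructed helper: expand {status: n} into n log records."""
    return [{"user_id": user_id, "host": host, "real_client_ip": ip, "status": s}
            for s, n in status_counts.items() for _ in range(n)]


# Constructed sample: a host flooded with 404s, a healthy API host, a quiet host,
# plus traffic from an already-blocked IP that must not be counted.
SAMPLE_LOGS = (
    make_records("shop.example.com", {200: 150, 404: 2750, 444: 300})
    + make_records("api.example.com", {200: 100, 502: 50})
    + make_records("static.example.com", {200: 100})
    + make_records("shop.example.com", {444: 500}, ip="203.0.113.9")
)

if __name__ == "__main__":
    for row in status_rates(SAMPLE_LOGS):
        print(row)
    print("alert:", trigger_fires(status_rates(SAMPLE_LOGS)))
```

The 300 blocked 444 responses on shop.example.com raise countall but not the 4xx count, which is exactly the distinction the chart description makes.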
Abnormal percentage of 5xx status codes
The following parameter settings are recommended for this type of alerting:
Chart Name: Percentage of 5xx status codes
Query Statement:
user_id: ID of your Alibaba Cloud account and not real_client_ip: Blocked IP addresses | select user_id, host AS "Domain name", Rate_2XX AS "Percentage of 2xx status codes", Rate_3XX AS "Percentage of 3xx status codes", Rate_4XX AS "Percentage of 4xx status codes", Rate_5XX AS "Percentage of 5xx status codes", countall AS "Requests in a specified relative time range", status_2XX, status_3XX, status_4XX, status_5XX, countall FROM( SELECT user_id, host, round( round(status_2XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_2XX, round( round(status_3XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_3XX, round( round (status_4XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_4XX, round( round(status_5XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_5XX, status_2XX, status_3XX, status_4XX, status_5XX, countall FROM( SELECT user_id, host, count_if( status >= 200 and status < 300 ) AS status_2XX, count_if( status >= 300 and status < 400 ) AS status_3XX, count_if( status >= 400 and status < 500 ) AS status_4XX, count_if( status >= 500 and status < 600 ) AS status_5XX, COUNT(*) AS countall FROM log GROUP BY host, user_id ) ) WHERE countall > 120 ORDER BY Rate_5XX DESC LIMIT 5
Time Range: 5 minutes (relative)
Frequency: 5 minutes
Trigger Condition:
$0.countall>3000&& $0.Percentage of 5xx status codes>80
Notification Triggering Threshold: 2
Notification Interval: 10 minutes
Content:
- [Time]: ${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - Domain name: ${Results[0].RawResults[0].Domain name} - Service: WAF - Requests in the last 5 minutes:${Results[0].RawResults[0].countall} - Percentage of 2xx status codes: ${Results[0].RawResults[0].Percentage of 2xx status codes} % - Percentage of 3xx status codes: ${Results[0].RawResults[0].Percentage of 3xx status codes} % - Percentage of 4xx status codes: ${Results[0].RawResults[0].Percentage of 4xx status codes} % - Percentage of 5xx status codes: ${Results[0].RawResults[0].Percentage of 5xx status codes} %
Abnormal QPS
The following parameter settings are recommended for this type of alerting:
Chart Name: Top 5 domain names that have the highest QPS
Query Statement:
user_id: ID of your Alibaba Cloud account and not real_client_ip: Blocked IP addresses | SELECT user_id, host, Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, countall / 60 as "aveQPS", status_2XX, status_3XX, status_4XX, status_5XX, countall FROM( SELECT user_id, host, round( round(status_2XX * 1.0000 / countall, 4) * 100, 2 ) as Rate_2XX, round( round(status_3XX * 1.0000 / countall, 4) * 100, 2 ) as Rate_3XX, round( round (status_4XX * 1.0000 / countall, 4) * 100, 2 ) as Rate_4XX, round( round(status_5XX * 1.0000 / countall, 4) * 100, 2 ) as Rate_5XX, status_2XX, status_3XX, status_4XX, status_5XX, countall FROM( SELECT user_id, host, count_if( status >= 200 and status < 300 ) as status_2XX, count_if( status >= 300 and status < 400 ) as status_3XX, count_if( status >= 400 and status < 500 and status <> 444 and status <> 405 ) as status_4XX, count_if( status >= 500 and status < 600 ) as status_5XX, COUNT(*) as countall FROM log GROUP BY host, user_id ) ) WHERE countall > 120 ORDER BY aveQPS DESC LIMIT 5
Time Range: 1 minute (relative)
Frequency: 1 minute
Trigger Condition:
$0.aveQPS>=50
Notification Triggering Threshold: 1
Notification Interval: 5 minutes
Content:
- [Time]: ${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - Domain name: ${Results[0].RawResults[0].host} - Service: WAF - Average QPS in the last 1 minute: ${Results[0].RawResults[0].aveQPS} - Percentage of 2xx status codes: ${Results[0].RawResults[0].Rate_2XX}% - Percentage of 3xx status codes: ${Results[0].RawResults[0].Rate_3XX}% - Percentage of 4xx status codes: ${Results[0].RawResults[0].Rate_4XX}% - Percentage of 5xx status codes: ${Results[0].RawResults[0].Rate_5XX}%
Abrupt increase in QPS
The following parameter settings are recommended for this type of alerting:
Chart Name: Abrupt increase in QPS
Query Statement:
user_id: ID of your Alibaba Cloud account | SELECT t1.user_id, t1.now1mQPS, t1.past1mQPS, in_ratio, t1.host, t2.Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, aveQPS FROM ( ( SELECT user_id, round(c [1] / 60, 0) AS now1mQPS, round(c [2] / 60, 0) AS past1mQPS, round( round(c [1] / 60, 0) / round(c [2] / 60, 0) * 100 -100, 0 ) AS in_ratio, host FROM ( SELECT compare(t, 60) AS c, host, user_id FROM ( SELECT COUNT(*) AS t, host, user_id FROM log GROUP by host, user_id ) GROUP by host, user_id ) WHERE c [3] > 1.1 and ( c [1] > 180 or c [2] > 180 ) ) t1 JOIN ( SELECT user_id, host, Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, countall / 60 AS "aveQPS", status_2XX, status_3XX, status_4XX, status_5XX, countall FROM ( SELECT user_id, host, round( round(status_2XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_2XX, round( round(status_3XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_3XX, round( round(status_4XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_4XX, round( round(status_5XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_5XX, status_2XX, status_3XX, status_4XX, status_5XX, countall FROM ( SELECT user_id, host, count_if( status >= 200 and status < 300 ) AS status_2XX, count_if( status >= 300 and status < 400 ) AS status_3XX, count_if( status >= 400 and status < 500 and status <> 444 and status <> 405 ) AS status_4XX, count_if( status >= 500 and status < 600 ) AS status_5XX, COUNT(*) AS countall FROM log GROUP BY host, user_id ) ) WHERE countall > 1 ) t2 on t1.host = t2.host ) ORDER BY in_ratio DESC LIMIT 5
Time Range: 1 minute (relative)
Frequency: 1 minute
Trigger Condition:
$0.now1mqps>50&& $0.in_ratio>300
Notification Triggering Threshold: 1
Notification Interval: 5 minutes
Content:
- [Time]: ${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - Domain name: ${Results[0].RawResults[0].host} - Service: WAF - Average QPS in the last 1 minute: ${Results[0].RawResults[0].now1mqps} - Abrupt increase rate of QPS: ${Results[0].RawResults[0].in_ratio}% - Percentage of 2xx status codes: ${Results[0].RawResults[0].rate_2xx}% - Percentage of 3xx status codes: ${Results[0].RawResults[0].Rate_3XX}% - Percentage of 4xx status codes: ${Results[0].RawResults[0].Rate_4XX}% - Percentage of 5xx status codes: ${Results[0].RawResults[0].Rate_5XX}%
Abrupt decrease in QPS
Chart Name: Abrupt decrease in QPS
Query Statement:
user_id: ID of your Alibaba Cloud account | SELECT t1.user_id, t1.now1mQPS, t1.past1mQPS, de_ratio, t1.host, t2.Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, aveQPS FROM ( ( SELECT user_id, round(c [1] / 60, 0) AS now1mQPS, round(c [2] / 60, 0) AS past1mQPS, round( 100-round(c [1] / 60, 0) / round(c [2] / 60, 0) * 100, 2 ) AS de_ratio, host FROM ( SELECT compare(t, 60) AS c, host, user_id FROM ( SELECT COUNT(*) AS t, host, user_id FROM log GROUP BY host, user_id ) GROUP BY host, user_id ) WHERE c [3] < 0.9 AND ( c [1] > 180 or c [2] > 180 ) ) t1 JOIN ( SELECT user_id, host, Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, countall / 60 AS "aveQPS", status_2XX, status_3XX, status_4XX, status_5XX, countall FROM ( SELECT user_id, host, round( round(status_2XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_2XX, round( round(status_3XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_3XX, round( round(status_4XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_4XX, round( round(status_5XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_5XX, status_2XX, status_3XX, status_4XX, status_5XX, countall FROM ( SELECT user_id, host, count_if( status >= 200 and status < 300 ) AS status_2XX, count_if( status >= 300 and status < 400 ) AS status_3XX, count_if ( status >= 400 and status < 500 and status <> 444 and status <> 405 ) AS status_4XX, count_if( status >= 500 and status < 600 ) AS status_5XX, COUNT(*) AS countall FROM log GROUP BY host, user_id ) ) WHERE countall > 1 ) t2 on t1.host = t2.host ) ORDER BY de_ratio DESC LIMIT 5
The chart contains the following fields: now1mqps, past1mqps, de_ratio, and host. now1mqps indicates the average QPS of the current minute. past1mqps indicates the average QPS of the last minute. de_ratio indicates the QPS decrease rate. You can select one or more of these fields to configure alerts.
Time Range: 1 minute (relative)
Frequency: 1 minute
Trigger Condition:
$0.now1mqps>10&& $0.de_ratio>50
Notification Triggering Threshold: 2
Notification Interval: 5 minutes
Content:
- [Time]: ${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - Domain name: ${Results[0].RawResults[0].host} - Service: WAF (International) - Average QPS in the last 1 minute: ${Results[0].RawResults[0].now1mqps} - Abrupt decrease rate of QPS: ${Results[0].RawResults[0].de_ratio}% - Percentage of 2xx status codes: ${Results[0].RawResults[0].rate_2xx}% - Percentage of 3xx status codes: ${Results[0].RawResults[0].Rate_3XX}% - Percentage of 4xx status codes: ${Results[0].RawResults[0].Rate_4XX}% - Percentage of 5xx status codes: ${Results[0].RawResults[0].Rate_5XX}%
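This added Python example (not the page's SQL) reworks the abrupt increase and abrupt decrease checks from the two sections above over constructed per-minute request counts. It assumes compare(t, 60) returns the current count, the count 60 seconds earlier and their ratio; it adds a guard for a previous-minute QPS of 0, which the page's expressions would divide by, and it models the Notification Triggering Threshold as the number of consecutive evaluations that must meet the condition (an assumed reading).

```python
"""Added example: the abrupt-increase and abrupt-decrease QPS checks from the
page, rebuilt over constructed per-minute request counts.

SLS compare(t, 60) yields c[1] = count in the current window, c[2] = count in
the window 60 seconds earlier and c[3] = c[1] / c[2]; the page's queries derive
now1mQPS, past1mQPS and in_ratio / de_ratio from that. Sample values are
constructed; the past1mQPS == 0 guard is an addition the page's SQL lacks."""


def compare(current, past):
    """Stand-in for compare(t, 60): returns (c[1], c[2], c[3])."""
    ratio = current / past if past else float("inf")
    return current, past, ratio


def qps_change(host, current, past):
    """Return the row the queries build for one host, or None when the filter
    (c[3] > 1.1 or c[3] < 0.9, with c[1] > 180 or c[2] > 180) selects nothing.
    Python's round() differs from Presto's only on exact .5 ties."""
    c1, c2, c3 = compare(current, past)
    if not (c1 > 180 or c2 > 180):
        return None  # too little traffic in both windows
    now1m = round(c1 / 60)
    past1m = round(c2 / 60)
    if past1m == 0:
        # round(c[2]/60, 0) is 0 for fewer than 30 past requests; the page's
        # expression would divide by zero here, so report an unbounded increase.
        in_ratio, de_ratio = float("inf"), None
    else:
        in_ratio = round(now1m / past1m * 100 - 100)       # abrupt increase %
        de_ratio = round(100 - now1m / past1m * 100, 2)    # abrupt decrease %
    if c3 > 1.1:
        return {"host": host, "direction": "increase", "now1mqps": now1m,
                "past1mqps": past1m, "in_ratio": in_ratio}
    if c3 < 0.9:
        return {"host": host, "direction": "decrease", "now1mqps": now1m,
                "past1mqps": past1m, "de_ratio": de_ratio}
    return None


def increase_condition(row):
    """$0.now1mqps>50 && $0.in_ratio>300"""
    return (row["direction"] == "increase"
            and row["now1mqps"] > 50 and row["in_ratio"] > 300)


def decrease_condition(row):
    """$0.now1mqps>10 && $0.de_ratio>50"""
    return (row["direction"] == "decrease"
            and row["now1mqps"] > 10 and row["de_ratio"] > 50)


class NotificationGate:
    """Models the Notification Triggering Threshold: the condition must hold on
    that many consecutive evaluations before a notification is sent (assumed
    semantics; a miss resets the count)."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.hits = 0

    def evaluate(self, condition_met):
        self.hits = self.hits + 1 if condition_met else 0
        return self.hits >= self.threshold


# Constructed per-minute counts: (host, current-minute count, previous-minute count)
SAMPLE_WINDOWS = [
    ("shop.example.com", 18000, 3600),   # 300 QPS vs 60 QPS: +400 %
    ("api.example.com", 1200, 6000),     # 20 QPS vs 100 QPS: -80 %
    ("static.example.com", 100, 90),     # below the 180-request floor
    ("cdn.example.com", 6000, 5700),     # ratio 1.05: neither direction
    ("new.example.com", 3600, 0),        # no traffic last minute: guarded
]

if __name__ == "__main__":
    gate = NotificationGate(2)  # the decrease alert's Notification Triggering Threshold
    for host, cur, past in SAMPLE_WINDOWS:
        row = qps_change(host, cur, past)
        print(host, row, gate.evaluate(bool(row) and decrease_condition(row)))
```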
Requests blocked by access control list (ACL) policies in the last 5 minutes
The following parameter settings are recommended for this type of alerting:
Chart Name: Requests blocked by ACL policies
Query Statement:
user_id: ID of your Alibaba Cloud account | SELECT user_id, host, count_if( final_plugin = 'waf' AND final_action = 'block' ) AS "Requests blocked by the Protection Rules Engine", count_if( final_plugin = 'cc' AND final_action = 'block' ) AS "Requests blocked by HTTP flood protection policies", count_if( final_plugin = 'acl' AND final_action = 'block' ) AS "Requests blocked by ACL policies", count_if( final_plugin = 'antiscan' AND final_action = 'block' ) AS "Requests blocked by scan protection policies", count_if( (final_plugin = 'waf' AND final_action = 'block') OR (final_plugin = 'cc' AND final_action = 'block') OR (final_plugin = 'acl' AND final_action = 'block') OR (final_plugin = 'antiscan' AND final_action = 'block') ) AS totalblock FROM log GROUP BY host, user_id HAVING ( "Requests blocked by ACL policies" >= 0 AND "Requests blocked by the Protection Rules Engine" >= 0 AND "Requests blocked by HTTP flood protection policies" >= 0 AND "Requests blocked by scan protection policies" >= 0 AND totalblock > 10 ) ORDER BY "Requests blocked by ACL policies" DESC LIMIT 5
Time Range: 5 minutes (relative)
Frequency: 5 minutes
Trigger Condition:
$0.totalblock>=500&&($0.Requests blocked by ACL policies>=500)
Notification Triggering Threshold: 1
Notification Interval: 5 minutes
Content:
- [Time]: ${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - Domain name: ${Results[0].RawResults[0].host} - Service: WAF - Requests that are blocked in the last 5 minutes: ${Results[0].RawResults[0].totalblock} - Requests blocked by ACL policies: ${Results[0].RawResults[0].Requests blocked by ACL policies} - Requests blocked by the Protection Rules Engine: ${Results[0].RawResults[0].Requests blocked by the Protection Rules Engine} - Requests blocked by HTTP flood protection policies: ${Results[0].RawResults[0].Requests blocked by HTTP flood protection policies} - Requests blocked by scan protection policies: ${Results[0].RawResults[0].Requests blocked by scan protection policies}
Requests blocked by the Protection Rules Engine in the last 5 minutes
The following parameter settings are recommended for this type of alerting:
Chart Name: Requests blocked by the Protection Rules Engine
Query Statement:
user_id: ID of your Alibaba Cloud account | SELECT user_id, host, count_if( final_plugin = 'waf' AND final_action = 'block' ) AS "Requests blocked by the Protection Rules Engine", count_if( final_plugin = 'cc' AND final_action = 'block' ) AS "Requests blocked by HTTP flood protection policies", count_if( final_plugin = 'acl' AND final_action = 'block' ) AS "Requests blocked by ACL policies", count_if( final_plugin = 'antiscan' AND final_action = 'block' ) AS "Requests blocked by scan protection policies", count_if( (final_plugin = 'waf' AND final_action = 'block') OR (final_plugin = 'cc' AND final_action = 'block') OR (final_plugin = 'acl' AND final_action = 'block') OR (final_plugin = 'antiscan' AND final_action = 'block') ) AS totalblock FROM log GROUP BY host, user_id HAVING ( "Requests blocked by ACL policies" >= 0 AND "Requests blocked by the Protection Rules Engine" >= 0 AND "Requests blocked by HTTP flood protection policies" >= 0 AND "Requests blocked by scan protection policies" >= 0 AND totalblock > 10 ) ORDER BY "Requests blocked by the Protection Rules Engine" DESC LIMIT 5
Time Range: 5 minutes (relative)
Frequency: 5 minutes
Trigger Condition:
$0.totalblock>=500&&($0.Requests blocked by the Protection Rules Engine>=500)
Notification Triggering Threshold: 1
Notification Interval: 5 minutes
Content:
- [Time]: ${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - Domain name: ${Results[0].RawResults[0].host} - Service: WAF - Requests that are blocked in the last 5 minutes: ${Results[0].RawResults[0].totalblock} - Requests blocked by ACL policies: ${Results[0].RawResults[0].Requests blocked by ACL policies} - Requests blocked by the Protection Rules Engine: ${Results[0].RawResults[0].Requests blocked by the Protection Rules Engine} - Requests blocked by HTTP flood protection policies: ${Results[0].RawResults[0].Requests blocked by HTTP flood protection policies} - Requests blocked by scan protection policies: ${Results[0].RawResults[0].Requests blocked by scan protection policies}
Requests blocked by HTTP flood protection policies in the last 5 minutes
The following parameter settings are recommended for this type of alerting:
Chart Name: Requests blocked by HTTP flood protection policies
Query Statement:
user_id: ID of your Alibaba Cloud account | SELECT user_id, host, count_if( final_plugin = 'waf' AND final_action = 'block' ) AS "Requests blocked by the Protection Rules Engine", count_if( final_plugin = 'cc' AND final_action = 'block' ) AS "Requests blocked by HTTP flood protection policies", count_if( final_plugin = 'acl' AND final_action = 'block' ) AS "Requests blocked by ACL policies", count_if( final_plugin = 'antiscan' AND final_action = 'block' ) AS "Requests blocked by scan protection policies", count_if( (final_plugin = 'waf' AND final_action = 'block') OR (final_plugin = 'cc' AND final_action = 'block') OR (final_plugin = 'acl' AND final_action = 'block') OR (final_plugin = 'antiscan' AND final_action = 'block') ) AS totalblock FROM log GROUP BY host, user_id HAVING ( "Requests blocked by ACL policies" >= 0 AND "Requests blocked by the Protection Rules Engine" >= 0 AND "Requests blocked by HTTP flood protection policies" >= 0 AND "Requests blocked by scan protection policies" >= 0 AND totalblock > 10 ) ORDER BY "Requests blocked by HTTP flood protection policies" DESC LIMIT 5
Time Range: 5 minutes (relative)
Frequency: 5 minutes
Trigger Condition:
$0.totalblock>=500&&($0.Requests blocked by HTTP flood protection policies>=500)
Notification Triggering Threshold: 1
Notification Interval: 5 minutes
Content:
- [Time]: ${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - Domain name: ${Results[0].RawResults[0].host} - Service: WAF - Requests that are blocked in the last 5 minutes: ${Results[0].RawResults[0].totalblock} - Requests blocked by ACL policies: ${Results[0].RawResults[0].Requests blocked by ACL policies} - Requests blocked by the Protection Rules Engine: ${Results[0].RawResults[0].Requests blocked by the Protection Rules Engine} - Requests blocked by HTTP flood protection policies: ${Results[0].RawResults[0].Requests blocked by HTTP flood protection policies} - Requests blocked by scan protection policies: ${Results[0].RawResults[0].Requests blocked by scan protection policies}
Requests blocked by scan protection policies in the last 5 minutes
The following parameter settings are recommended for this type of alerting:
Chart Name: Requests blocked by scan protection policies
Query Statement:
user_id: ID of your Alibaba Cloud account | SELECT user_id, host, count_if( final_plugin = 'waf' AND final_action = 'block' ) AS "Requests blocked by the Protection Rules Engine", count_if( final_plugin = 'cc' AND final_action = 'block' ) AS "Requests blocked by HTTP flood protection policies", count_if( final_plugin = 'acl' AND final_action = 'block' ) AS "Requests blocked by ACL policies", count_if( final_plugin = 'antiscan' AND final_action = 'block' ) AS "Requests blocked by scan protection policies", count_if( (final_plugin = 'waf' AND final_action = 'block') OR (final_plugin = 'cc' AND final_action = 'block') OR (final_plugin = 'acl' AND final_action = 'block') OR (final_plugin = 'antiscan' AND final_action = 'block') ) AS totalblock FROM log GROUP BY host, user_id HAVING ( "Requests blocked by ACL policies" >= 0 AND "Requests blocked by the Protection Rules Engine" >= 0 AND "Requests blocked by HTTP flood protection policies" >= 0 AND "Requests blocked by scan protection policies" >= 0 AND totalblock > 10 ) ORDER BY "Requests blocked by scan protection policies" DESC LIMIT 5
Time Range: 5 minutes (relative)
Frequency: 5 minutes
Trigger Condition:
$0.totalblock>=500&&($0.Requests blocked by scan protection policies>=500)
Notification Triggering Threshold: 1
Notification Interval: 5 minutes
Content:
- [Time]: ${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - Domain name: ${Results[0].RawResults[0].host} - Service: WAF (International) - Requests that are blocked in the last 5 minutes: ${Results[0].RawResults[0].totalblock} - Requests blocked by ACL policies: ${Results[0].RawResults[0].Requests blocked by ACL policies} - Requests blocked by the Protection Rules Engine: ${Results[0].RawResults[0].Requests blocked by the Protection Rules Engine} - Requests blocked by HTTP flood protection policies: ${Results[0].RawResults[0].Requests blocked by HTTP flood protection policies} - Requests blocked by scan protection policies: ${Results[0].RawResults[0].Requests blocked by scan protection policies}
Attacks from a single IP address
The following parameter settings are recommended for this type of alerting:
Chart Name: Attacks from a single IP address
Query Statement:
user_id: ID of your Alibaba Cloud account | SELECT user_id, real_client_ip, concat( 'Requests blocked by ACL policies:', cast(aclblock AS varchar(10)), ' ', 'Requests blocked by the Protection Rules Engine:', cast(wafblock AS varchar(10)), ' ', 'Requests blocked by HTTP flood protection policies:', cast(ccblock AS varchar(10)) ) AS blockNum, totalblock, allRequest FROM ( SELECT user_id, real_client_ip, count_if( final_plugin = 'acl' AND final_action = 'block' ) AS aclblock, count_if( final_plugin = 'waf' AND final_action = 'block' ) AS wafblock, count_if( final_plugin = 'cc' AND final_action = 'block' ) AS ccblock, count_if( ( final_plugin = 'acl' AND final_action = 'block' ) OR ( final_plugin = 'waf' AND final_action = 'block' ) OR ( final_plugin = 'cc' AND final_action = 'block' ) ) AS totalblock, COUNT(*) AS allRequest FROM log GROUP BY user_id, real_client_ip HAVING totalblock > 1 ORDER BY totalblock DESC LIMIT 5 )
The chart contains the following fields: real_client_ip, blockNum, totalblock, and allRequest. blockNum includes Requests blocked by ACL policies, Requests blocked by the Protection Rules Engine, and Requests blocked by HTTP flood protection policies. real_client_ip indicates the IP address from which attacks are launched. totalblock indicates the total number of blocked requests. allRequest indicates the total number of requests. You can select one or more of these fields to configure alerts.
Time Range: 5 minutes (relative)
Frequency: 5 minutes
Trigger Condition:
$0.totalblock >=500
Notification Triggering Threshold: 1
Notification Interval: 5 minutes
Content:
- [Time]: ${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - Service: WAF - Top 3 IP addresses from which attacks are most frequently launched in the last 5 minutes: - ${Results[0].RawResults[0].real_client_ip} (${Results[0].RawResults[0].blockNum}) - ${Results[0].RawResults[1].real_client_ip} (${Results[0].RawResults[1].blockNum}) - ${Results[0].RawResults[2].real_client_ip} (${Results[0].RawResults[2].blockNum})
Large number of domain names that are under attack from a single IP address
The following parameter settings are recommended for this type of alerting:
Chart Name: Large number of domain names attacked by a single IP address
Query Statement:
user_id: ID of your Alibaba Cloud account and not upstream_status :504 and not upstream_addr :'-' and request_time_msec < 5000 and upstream_status :200 and not ua_browser :bot | SELECT user_id, host, upstream_time, request_time, requestnum FROM ( SELECT user_id, host, round(avg(upstream_response_time), 2) * 1000 AS upstream_time, round(avg(request_time_msec), 2) AS request_time, COUNT(*) AS requestnum FROM log GROUP BY host, user_id ) WHERE requestnum > 30 ORDER BY request_time DESC LIMIT 5
The chart contains the following fields: real_client_ip, totalblock, and domainnum. real_client_ip indicates the attack IP address. totalblock indicates the total number of blocked requests. domainnum indicates the number of domain names attacked by this IP address. You can select one or more of these fields to configure alerts. For example, you can specify totalblock>500 && domainnum>5. If the total number of attacks launched from an IP address reaches 500 and the number of domain names that are under the attacks exceeds 5 in the specified time range, an alert is triggered.
Time Range: 5 minutes (relative)
Frequency: 1 minute
Trigger Condition:
$0.domainnum>=10
Notification Triggering Threshold: 1
Notification Interval: 5 minutes
Content:
- [Time]: ${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - Service: WAF - Attack IP address: ${Results[0].RawResults[0].real_client_ip} - Attacked domain names: ${Results[0].RawResults[0].domainnum} - Attack requests in the last 5 minutes: ${Results[0].RawResults[0].totalblock} - Handle the alert at the earliest opportunity.
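The following Python is an added example, not the page's or Log Service's own code, covering the two single-IP sections above: it computes blockNum, totalblock and allRequest per source IP as the Attacks from a single IP address query does, and also domainnum (distinct attacked domain names), which the query statement printed under this section does not produce. The record fields (user_id, real_client_ip, host, final_plugin, final_action), the pass-through values "-"/"pass" and all sample counts are assumptions.

```python
"""Added example: per-source-IP attack summary for the two "single IP address"
charts on this page, computed from constructed WAF log records.

For each real_client_ip it counts requests blocked by ACL policies
(final_plugin = 'acl'), the Protection Rules Engine ('waf') and HTTP flood
protection ('cc'), the total blocked requests (totalblock), all requests
(allRequest) and the number of distinct attacked domain names (domainnum).
Field names follow the page's queries; values are constructed."""
from collections import defaultdict

BLOCKING_PLUGINS = ("acl", "waf", "cc")


def per_ip_summary(records, order_by="totalblock", min_block=1, limit=5):
    """Group by (user_id, real_client_ip); keep IPs with totalblock > min_block,
    order by `order_by` descending, return at most `limit` rows."""
    acc = defaultdict(lambda: {"acl": 0, "waf": 0, "cc": 0, "total": 0,
                               "all": 0, "hosts": set()})
    for rec in records:
        a = acc[(rec["user_id"], rec["real_client_ip"])]
        a["all"] += 1
        if rec["final_action"] == "block" and rec["final_plugin"] in BLOCKING_PLUGINS:
            a[rec["final_plugin"]] += 1
            a["total"] += 1
            a["hosts"].add(rec["host"])  # domain names this IP was blocked on
    rows = []
    for (user_id, ip), a in acc.items():
        if a["total"] <= min_block:
            continue  # HAVING totalblock > 1
        rows.append({
            "user_id": user_id, "real_client_ip": ip,
            "blockNum": ("Requests blocked by ACL policies:%d "
                         "Requests blocked by the Protection Rules Engine:%d "
                         "Requests blocked by HTTP flood protection policies:%d"
                         % (a["acl"], a["waf"], a["cc"])),
            "totalblock": a["total"], "allRequest": a["all"],
            "domainnum": len(a["hosts"]),
        })
    rows.sort(key=lambda r: r[order_by], reverse=True)
    return rows[:limit]


def single_ip_attack(rows):
    """$0.totalblock >=500 (Attacks from a single IP address)."""
    return bool(rows) and rows[0]["totalblock"] >= 500


def many_domains_attacked(rows):
    """$0.domainnum>=10 (Large number of domain names attacked by a single IP)."""
    return bool(rows) and rows[0]["domainnum"] >= 10


def make_records(ip, host, plugin, action, n, user_id="1234567890"):
    """Constructed helper: n identical records for one (ip, host, plugin, action)."""
    return [{"user_id": user_id, "real_client_ip": ip, "host": host,
             "final_plugin": plugin, "final_action": action} for _ in range(n)]


# Constructed sample: one scanner blocked on twelve domains, one flood source
# on a single domain, and a normal client whose requests all pass.
SAMPLE_LOGS = []
for i in range(12):
    SAMPLE_LOGS += make_records("203.0.113.50", "site%02d.example.com" % i, "waf", "block", 30)
SAMPLE_LOGS += make_records("203.0.113.50", "site00.example.com", "acl", "block", 40)
SAMPLE_LOGS += make_records("203.0.113.50", "site00.example.com", "-", "pass", 20)
SAMPLE_LOGS += make_records("198.51.100.23", "shop.example.com", "cc", "block", 900)
SAMPLE_LOGS += make_records("192.0.2.10", "shop.example.com", "-", "pass", 200)

if __name__ == "__main__":
    print("by totalblock:", per_ip_summary(SAMPLE_LOGS))
    print("by domainnum:", per_ip_summary(SAMPLE_LOGS, order_by="domainnum"))
```

The two charts rank the same per-IP rows differently: the flood source tops the totalblock ranking while the scanner, with far fewer blocks, tops the domainnum ranking.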
Abnormal average latency in the last 5 minutes
The following parameter settings are recommended for this type of alerting:
Chart Name: Abnormal average latency
Query Statement:
user_id: ID of your Alibaba Cloud account and not upstream_status :504 and not upstream_addr :'-' and request_time_msec < 5000 and upstream_status :200 and not ua_browser :bot | SELECT user_id, host, upstream_time, request_time, requestnum FROM ( SELECT user_id, host, round(avg(upstream_response_time), 2) * 1000 AS upstream_time, round(avg(request_time_msec), 2) AS request_time, COUNT(*) AS requestnum FROM log GROUP BY host, user_id ) WHERE requestnum > 30 ORDER BY request_time DESC LIMIT 5
Time Range: 5 minutes (relative)
Frequency: 5 minutes
Trigger Condition:
$0.request_time>1000&& $0.requestnum>30
Notification Triggering Threshold: 2
Notification Interval: 10 minutes
Content:
- [Time]: ${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - Domain name: ${Results[0].RawResults[0].host} - Service: WAF (International) - [Trigger Condition]: ${condition} - Top 3 domain names that have the longest latency in the last 5 minutes. Unit of latency: milliseconds. - Host1:${Results[0].RawResults[0].host} Delay_time:${Results[0].RawResults[0].upstream_time} - Host2:${Results[0].RawResults[1].host} Delay_time:${Results[0].RawResults[1].upstream_time} - Host3:${Results[0].RawResults[2].host} Delay_time:${Results[0].RawResults[2].upstream_time}
Abrupt decrease in traffic
The following parameter settings are recommended for this type of alerting:
Chart Name: Abrupt decrease in traffic
Query Statement:
user_id: ID of your Alibaba Cloud account | SELECT t1.user_id, t1.now1mQPS, t1.past1mQPS, de_ratio, t2.Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, aveQPS FROM ( ( SELECT user_id, round(c [1] / 60, 0) AS now1mQPS, round(c [2] / 60, 0) AS past1mQPS, round( 100-round(c [1] / 60, 0) / round(c [2] / 60, 0) * 100, 2 ) AS de_ratio FROM ( SELECT compare(t, 60) AS c, user_id FROM ( SELECT COUNT(*) AS t, user_id FROM log GROUP BY user_id ) GROUP BY user_id ) WHERE c [3] < 0.9 AND ( c [1] > 180 or c [2] > 180 ) ) t1 JOIN ( SELECT user_id, Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, countall / 60 AS "aveQPS", status_2XX, status_3XX, status_4XX, status_5XX, countall FROM ( SELECT user_id, round( round(status_2XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_2XX, round( round(status_3XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_3XX, round( round(status_4XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_4XX, round( round(status_5XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_5XX, status_2XX, status_3XX, status_4XX, status_5XX, countall FROM ( SELECT user_id, count_if( status >= 200 AND status < 300 ) AS status_2XX, count_if( status >= 300 AND status < 400 ) AS status_3XX, count_if ( status >= 400 AND status < 500 AND status <> 444 AND status <> 405 ) AS status_4XX, count_if( status >= 500 AND status < 600 ) AS status_5XX, COUNT(*) AS countall FROM log GROUP BY user_id ) ) WHERE countall > 0 ) t2 ON t1.user_id = t2.user_id ) ORDER BY de_ratio DESC LIMIT 5
Time Range: 1 minute (relative)
Frequency: 1 minute
Trigger Condition:
$0.de_ratio>50&& $0.now1mqps>20
Notification Triggering Threshold: 1
Notification Interval: 5 minutes
Content:
- [Time]: ${FireTime} - [UID]:${Results[0].RawResults[0].user_id} - Service: WAF - Average QPS in the last 1 minute: ${Results[0].RawResults[0].now1mqps} - [Trigger condition (abrupt decrease rate of traffic & QPS)]:${condition} - Abrupt decrease rate of QPS: ${Results[0].RawResults[0].de_ratio}% - Percentage of 2xx status codes: ${Results[0].RawResults[0].rate_2xx}% - Percentage of 3xx status codes: ${Results[0].RawResults[0].Rate_3XX}% - Percentage of 4xx status codes: ${Results[0].RawResults[0].Rate_4XX}% - Percentage of 5xx status codes: ${Results[0].RawResults[0].Rate_5XX}%