I'm introducing WAF into my AWS load balancer for the first time to improve the security of my website.
I planned to run it in "count" mode for a while so I could analyse and find false positives before turning it on for real and blocking requests.
I have added two of the AWS managed rulesets and set them to COUNT, rule JSON as follows:
{
  "Name": "ECSAWSManagedRulesCommonRuleSet",
  "Priority": 10,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesCommonRuleSet"
    }
  },
  "OverrideAction": {
    "Count": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AWSManagedRulesCommonRuleSetMetric"
  }
}
{
  "Name": "ECSAWSManagedRulesSQLiRuleSet",
  "Priority": 11,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesSQLiRuleSet"
    }
  },
  "OverrideAction": {
    "Count": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AWSManagedRulesSQLiRuleSetMetric"
  }
}
If I look at the "top 10 rules" widget in the Traffic Overview tab in the AWS WAF console I can see various counts popping up for different rules, so I want to find them in CloudWatch to view the request details. However, when I try to filter by count it never finds any. I am using this query:
fields @timestamp, @message
| filter webaclId = "redacted"
| filter action = "COUNT"
| sort @timestamp desc
| limit 20
When I came here I didn't check the comments, but I finally found the answer myself, and then I saw the comments. To save other users from the same mistake, here is the answer for finding all the counted actions:
fields @timestamp, @message
| parse @message ',"nonTerminatingMatchingRules":[{"ruleId":"*","action":"*"' as rule, action
| filter action = "COUNT"
| sort @timestamp desc
| limit 20
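The reason the first query returns nothing is that the top-level `action` field in a WAF log record is the terminating action (ALLOW or BLOCK); rules running in COUNT mode only show up inside the `nonTerminatingMatchingRules` arrays, both at the top level (the web ACL rule, e.g. `ECSAWSManagedRulesCommonRuleSet`) and inside each `ruleGroupList` entry (the individual managed rule that matched, e.g. `NoUserAgent_HEADER`, which is the name you actually need when tuning false positives). The Logs Insights `parse` in the answer captures only the first entry of that array. The script below is an added example, not part of the question or answer, for doing the same analysis offline over log lines exported from CloudWatch or S3: it shows the naive filter returning nothing and then enumerates every counted rule at both levels. The log records are constructed samples; their field layout follows the AWS WAF log format as assumed here (`action`, `nonTerminatingMatchingRules`, `ruleGroupList`, `httpRequest`), and the web ACL ARN and IPs are placeholders.

```python
import json
from collections import Counter

# Constructed sample WAF log records (not real traffic). Field layout is an
# assumption based on the documented AWS WAF log format: top-level "action"
# is the terminating action, COUNT-mode hits live in "nonTerminatingMatchingRules".
SAMPLE_LOG_LINES = [
    json.dumps({
        "timestamp": 1700000000000,
        "webaclId": "arn:aws:wafv2:eu-west-1:123456789012:regional/webacl/example/REDACTED",
        "terminatingRuleId": "Default_Action",
        "action": "ALLOW",
        "ruleGroupList": [{
            "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
            "terminatingRule": None,
            "nonTerminatingMatchingRules": [
                {"ruleId": "NoUserAgent_HEADER", "action": "COUNT"}
            ],
        }],
        "nonTerminatingMatchingRules": [
            {"ruleId": "ECSAWSManagedRulesCommonRuleSet", "action": "COUNT"}
        ],
        "httpRequest": {"clientIp": "192.0.2.10", "uri": "/login", "httpMethod": "POST"},
    }),
    json.dumps({
        "timestamp": 1700000001000,
        "webaclId": "arn:aws:wafv2:eu-west-1:123456789012:regional/webacl/example/REDACTED",
        "terminatingRuleId": "Default_Action",
        "action": "ALLOW",
        "ruleGroupList": [{
            "ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet",
            "terminatingRule": None,
            "nonTerminatingMatchingRules": [
                {"ruleId": "SQLi_BODY", "action": "COUNT"}
            ],
        }],
        "nonTerminatingMatchingRules": [
            {"ruleId": "ECSAWSManagedRulesSQLiRuleSet", "action": "COUNT"}
        ],
        "httpRequest": {"clientIp": "192.0.2.11", "uri": "/search", "httpMethod": "POST"},
    }),
    json.dumps({
        "timestamp": 1700000002000,
        "webaclId": "arn:aws:wafv2:eu-west-1:123456789012:regional/webacl/example/REDACTED",
        "terminatingRuleId": "Default_Action",
        "action": "ALLOW",
        "ruleGroupList": [],
        "nonTerminatingMatchingRules": [],
        "httpRequest": {"clientIp": "192.0.2.12", "uri": "/", "httpMethod": "GET"},
    }),
]


def parse_log_lines(lines):
    """Parse one JSON WAF log record per line, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def naive_count_filter(records):
    """Equivalent of `filter action = "COUNT"`: always empty, because the
    top-level action is the terminating action (ALLOW/BLOCK), never COUNT."""
    return [r for r in records if r.get("action") == "COUNT"]


def counted_rules(records):
    """Return one hit per COUNT-mode match, from both the web ACL level and
    each rule group, with enough request context to investigate it."""
    hits = []
    for rec in records:
        http = rec.get("httpRequest") or {}
        base = {
            "timestamp": rec.get("timestamp"),
            "clientIp": http.get("clientIp"),
            "uri": http.get("uri"),
        }
        # Web ACL level: the rule name you gave the managed rule group reference.
        for m in rec.get("nonTerminatingMatchingRules") or []:
            if m.get("action") == "COUNT":
                hits.append({**base, "scope": "webacl", "ruleId": m["ruleId"]})
        # Rule group level: the specific managed rule that matched.
        for group in rec.get("ruleGroupList") or []:
            for m in group.get("nonTerminatingMatchingRules") or []:
                if m.get("action") == "COUNT":
                    hits.append({**base, "scope": group.get("ruleGroupId"), "ruleId": m["ruleId"]})
    return hits


def count_by_rule(records):
    """Tally COUNT hits per individual managed rule (excluding the web ACL
    level entry), which is the list to review for false positives."""
    return Counter(h["ruleId"] for h in counted_rules(records) if h["scope"] != "webacl")


if __name__ == "__main__":
    recs = parse_log_lines(SAMPLE_LOG_LINES)
    print("naive filter hits:", len(naive_count_filter(recs)))
    for h in counted_rules(recs):
        print(h)
    print(count_by_rule(recs))
```

Run it against a file of real log lines by replacing `SAMPLE_LOG_LINES` with the file's lines; the per-rule tally is what to compare against the console's "top 10 rules" widget before switching the rule groups from COUNT to their default action.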