
What are TR7 WAF Logs? How are They Analyzed?


What Are WAF Logs? How to Review Them?

In vServices operating in Monitor or Block Mode, WAF logs can be reviewed, and the learning process can continue based on these logs. WAF Logs are stored permanently on TR7 ASP devices and do not disappear unless they are deleted manually. This allows blocked requests from the past to be found and examined easily with the appropriate filters. Each WAF log stores the full details of the blocked request individually, including Unique ID, Date, Host Information, HTTP Method, Path, Matching path rules, Query, Attacker IP, Attacker Network, IP Provider, Attacker Location, User-Agent, WAF Time, HTTP Headers, and Body.

Interface

WAF Logs

Step > 1

First, navigate to "Monitor Mode > Related vService > Logs > WAF Logs". The requests blocked by the WAF are displayed on the screen that opens.

Step > 2

Click the "Get Logs" button for the selected period to list the logs of requests blocked by WAF according to the relevant rule sets or signatures.

Step > 3

When you click on any WAF log, a window will open on the right side of the screen showing the details of that log.

Click the "WAF Artificial Intelligence Analysis" button to view information about attack types captured in the log, such as Affected OS, Affected Platforms, etc. Additionally, CVE references for the related attack types can be accessed.

The "Unique ID" displayed on the screen is the unique number generated by TR7 ASP for the related attack. This number is visible to the client in blocked requests. The log can be filtered using this unique number to easily find the related request.

The date and time of the attack are displayed on the WAF log screen, together with the Host group that the attack corresponds to. The Host header sent by the client with the request and the HTTP method are also visible. The requested Path and Query (if available) are shown; if no query was sent, this section is hidden. The rule that matched the request can also be checked from this screen. The client’s IP address is displayed, and by clicking the "Actions" button the IP can be added manually to the Blacklist, either on a vService basis or through general IP Intelligence.

Furthermore, the Network, IP Provider, and Location information of the client's IP address are displayed. The User-Agent header information, blocking time of the request, and the Header and Body sent by the client can also be viewed. If no Header or Body was sent with the request, those sections are hidden.

The captured Learning Suggestions for the attack can be selected, and when the "Learn Attack" button is clicked, the attacks are taught based on the information selected in "WAF Management > Advanced Settings > Rule creation policy":

  • Page Independent: Learning is performed on the Any paths rule.
  • Data Based: If a variable exists in the requested path, a path-based rule is created for teaching. If there is no variable, learning is done on the Any paths rule.
  • Comprehensive: Whether a variable exists or not, path-based rules are created for each path.
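As an added illustration (not TR7's own code), the following models how the three "Rule creation policy" settings decide which rule a learning suggestion is attached to, so an operator can see how many rules a policy would create for a batch of blocked requests. The page does not say how TR7 decides that a path "contains a variable"; the detector below (numeric or UUID-like segments) is an assumption.

```python
"""Model of the TR7 "Rule creation policy" scoping decision (added example).

Assumption: a path "contains a variable" when one of its segments looks
like a dynamic value (all digits, or a UUID).  TR7's real heuristic is not
described on the page, so this detector is illustrative only.
"""
import re
from collections import defaultdict

ANY_PATHS = "Any paths"  # the catch-all rule named on the page

# Hypothetical detector for dynamic path segments (assumption, see above).
_VARIABLE_SEGMENT = re.compile(
    r"^(?:\d+|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
    r"-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})$"
)


def has_variable(path: str) -> bool:
    """True if any segment of the request path looks like a dynamic value.
    The query string is ignored; the page talks about the requested path."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    return any(_VARIABLE_SEGMENT.match(s) for s in segments)


def rule_target(policy: str, path: str) -> str:
    """Return the rule a learning suggestion would be taught on."""
    if policy == "Page Independent":
        return ANY_PATHS                      # always the Any paths rule
    if policy == "Data Based":
        return path if has_variable(path) else ANY_PATHS
    if policy == "Comprehensive":
        return path                           # one path-based rule per path
    raise ValueError(f"unknown rule creation policy: {policy!r}")


def group_by_rule(policy: str, paths):
    """Group blocked-request paths by the rule that learning would touch."""
    groups = defaultdict(list)
    for p in paths:
        groups[rule_target(policy, p)].append(p)
    return dict(groups)


# Constructed sample paths, not taken from a real TR7 log.
SAMPLE_PATHS = ["/login", "/users/1042/profile", "/login", "/search?q=1"]

if __name__ == "__main__":
    for policy in ("Page Independent", "Data Based", "Comprehensive"):
        print(policy, "->", group_by_rule(policy, SAMPLE_PATHS))
```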

When you click on any "Learning suggestion" for a blocked request, detailed information about the attack can be viewed on this screen. "Edit corresponding Rule" can be clicked to manually make changes.