WAF Logs
About
What are WAF Logs?
Through the WAF Logs tab, log control can be performed for vServices in Monitor or Block Mode. Learning processes can continue via WAF Logs. WAF Logs are permanently stored on TR7 ASP devices and do not disappear unless manually deleted. Thus, past blocked requests can be easily found and examined using appropriate filters. For each log in WAF Logs, all details of the blocked request such as Unique ID, Date, Host Information, HTTP Method, Path, Query, Attacker IP (Client IP), Attacker Network, IP Provider, Attacker Location, User-Agent Information, WAF Duration, HTTP Headers, and Request Body are individually recorded.
Applicable vServices
- HTTP
- L7 TCP
- Network
TR7 ASP Web GUI
Viewing WAF Logs
The monitor screen of the vService, whose logs will be checked on the TR7 ASP web interface, opens. Then click on the Logs tab.
WAF Logs is selected on the screen that appears and the Get Logs button is clicked to view the logs.
TR7 ASP Web GUI
WAF Logs Listing Screen
- 1 (Information to be Displayed in the Table)
In the table with the list of WAF Logs, it is selected which information will be shown or not.
Information that can be selected and selected by default;
- Source
- Host
- Path
- IP Provider
- Attacker Location
- Learning Suggestion
- Date
- Method
- Attacker IP
- Attacker Network
- Attacker User-Agent
- 2 (Log Type Selection)
WAF Logs are selected to display WAF Logs.
- 3 (Line Limit)
After clicking the Get Logs button, the maximum number of lines of WAF Logs to be displayed on the TR7 ASP web interface is entered.
- 4 (Time Range)
The time interval to display WAF Logs is selected.
- 5 (Learn Attack)
By selecting the WAF Logs that are not detected as malicious requests and clicking the Learn Attack button, exceptions for the relevant attack types are taught. When the related requests are repeated after the teaching process is done, the traffic continues without being stuck in the WAF. For details on the settings of the teaching process and how it is done click here.
- 6 (Only not Learned)
By selecting Only not Learned, WAF Logs that have not been taught before are listed from the logs. In this way, only not learned logs are listed while checking the log, making it easier to manage.
- 7 (Hide Blacklist IPs)
Selecting by Hide Blacklist IPs, logs blocked due to blacklist are not listed. Thus, teaching from an incorrect log is prevented. Only logs that are not blocked due to blacklist are listed.
- 8 (Filter)
Filtering operations can be performed on WAF Logs by selecting the Filter. The following filtering operations can be performed.
List of information to be filtered;
- Unique ID
- Host
- Path
- Attacker IP
- HTTP(s) Method
- Attack Area
- Argument Name
- Country
- Attack ID
- 9 (Get Logs)
The logs are listed according to the filtering operations performed by clicking the Get Logs button and the time range selection.
- 10 (Search)
It is used to search for all expressions in the table.
- 11 (RegExp Search)
Used to regexp search for all expressions in the table.
- 12 (Column Based Search)
Used to column based search for all expressions in the table.
- 13 (Page Info)
In the drop-down list, there is information about how many WAF Logs there are and how many WAF Logs are listed.
- 14 (Page Size)
In the drop-down list, the maximum number of WAF Logs to be listed is selected. You can switch between pages with arrow icons.
- Preview of Selected WAF Log
Clicking on any WAF Log on the "WAF Logs" screen opens a window on the right of the screen where the details of the relevant log are displayed.
Descriptions are listed below.
- 1 (WAF Artificial Intelligence (AI) Analysis)
By clicking the WAF Artificial Intelligence Analysis button, information such as the affected operating systems and the affected platforms of the attack types captured in the log can be viewed. In addition, CVE references for the relevant attack types can be accessed.
- 2 (Unique ID)
The unique number information generated by TR7 ASP of the relevant attack is displayed. The unique number can be viewed by the client in blocked requests. With this number, the related request can be found easily by filtering the WAF Logs.
- 3 (Date)
The date and time information of the relevant attack is displayed.
- 4 (Host Group)
Which host group the relevant attack corresponds to is displayed. To get details about Virtual Host Groups click here.
- 5 (Host)
The Host header information of the client of the relevant attack at the time of request is displayed.
- 6 (HTTP(s) Method)
The HTTP Method information that the client made the request for the relevant attack is displayed.
- 7 (Path)
The Path information that the client of the relevant attack has made a request is displayed.
- 8 (Query)
The Query information that the client made a request for the relevant attack is displayed. If no query is sent in the relevant request, this tab will not be displayed.
- 9 (Attacker IP)
The IP Address information of the client belonging to the relevant attack is displayed. By clicking on the Actions button, the relevant IP address is added to the Blacklist manually on the basis of the vService or in the general IP Intelligence.
IP addresses added to the Blacklist can be viewed by following the "WAF Management > Checks > Blacklist Protection" steps and deleted from the Blacklist on this screen.
- 10 (Attack Network)
Network information where the IP address of the client belonging to the relevant attack is found is displayed.
- 11 (IP Provider)
The IP Provider information of the client's IP address of the relevant attack is displayed.
- 12 (Attacker Location)
The Location information of the client's IP address of the relevant attack is displayed.
- 13 (Attacker User-Agent)
The User-Agent header information of the client of the relevant attack at the time of request is displayed.
- 14 (WAF Time)
The information of the blocking time of the request belonging to the relevant attack by the WAF is displayed.
- 15 (HTTP Headers)
Header information that the client of the relevant attack has made a request is displayed. If Header is not sent in the relevant request, this tab will not be displayed.
- 16 (Body)
The Request Body information of the relevant attack, which the client has made a request, is displayed. If the body is not sent in the relevant request, this tab will not be displayed.
- 17 (Learn Attack)
By selecting the Learning Suggestions captured in the relevant attack and clicking the Learn Attack button, the attacks are taught according to the information selected from the WAF Advanced Settings.
Follow the steps "WAF Management > Edit WAF Advanced Settings".
- Page Independent > Teaching is done on the default rule.
- Data Based > If there is a variable in the requested path, a path-based rule is created and teaching is performed. If there is no variable in the requested path, instruction is performed on the default rule.
- Comprehensive > Regardless of whether there is a variable in the requested path or not, path-based rules are created for each path and teaching is done.
18 (Blocked Attack Details)
- 1 (Edit Corresponding Rule)
The editing window of the rule in which the relevant attack was caught opens.
- 2 (Learn Attack)
The Teaching Suggestion captured in the relevant attack is taught according to the information selected from the WAF Settings when the Learn Attack button is clicked.
- 3 (Corresponding Rule)
Information is displayed by which rule the relevant attack was caught.
- 4 (Attack Type)
Information on which TR7 ASP WAF rule the relevant attack is attached to is displayed.
- 5 (Attack ID)
The ID information of the relevant attack on the TR7 ASP WAF is displayed.
- 6 (Attack Area)
Information on which control field the relevant attack is attached to and the name of the inserted argument are displayed.
- 7 (Argument)
The argument information captured in the relevant attack is displayed.
- 8 (Description)
The description of the relevant attack is displayed.
- 9 (Learning Suggestion)
The information about what to do in the Teaching Operation for the relevant attack is displayed.