No data in Rules Alert

Open wangxianwei opened this issue 10 years ago • 0 comments

Hi

I have deployed WAF-FLE to receive the log from mlogc. Now I can get the data, but the Rules Alert column in Events is blank and the Top Rules in HOME is also blank. I can get the event from "the RAW Transaction download". Any advice is appreciated!

```
--b1afcb61-A--
[10/Apr/2015:10:01:26 +0800] A1GcccAJA6AdjXAcAcGcAckc 192.168.1.250 56581 127.0.0.1 80
--b1afcb61-B--
GET /uploadfiles/member/ HTTP/1.1
Host: www.352.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: image/png,image/;q=0.8,/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.352.com/harborII/harborCoRequireAction!queryCooperateRequires.dox
Cookie: JSESSIONID=;
Connection: keep-alive

--b1afcb61-E--
403 Forbidden
403 Forbidden
nginx

--b1afcb61-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=utf-8
Content-Length: 162
Connection: keep-alive

--b1afcb61-K--
SecAction "phase:1,id:900001,t:none,setvar:tx.critical_anomaly_score=5,setvar:tx.error_anomaly_score=4,setvar:tx.warning_anomaly_score=3,setvar:tx.notice_anomaly_score=2,nolog,pass"
SecAction "phase:1,id:900002,t:none,setvar:tx.anomaly_score=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,nolog,pass"
SecAction "phase:1,id:900003,t:none,setvar:tx.inbound_anomaly_score_level=5,setvar:tx.outbound_anomaly_score_level=4,nolog,pass"
SecAction "phase:1,id:900006,t:none,setvar:tx.max_num_args=255,nolog,pass"
SecAction "phase:1,id:900012,t:none,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS',setvar:tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json,setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1',setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',nolog,pass"
SecRule "REQUEST_HEADERS:User-Agent" "@rx ^(.*)$" "phase:1,id:900018,t:none,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var},nolog,pass"
SecRule "&TX:REAL_IP" "@eq 0" "phase:1,id:900021,t:none,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr},nolog,pass"

--b1afcb61-Z--
```

wangxianwei, Apr 10 '15 02:04
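Added example, not part of the original issue and not WAF-FLE's own code: a check that lists which audit-log parts each entry carries and pulls rule ids from part H, the audit-log trailer where ModSecurity writes its `Message:` lines. The entry posted above contains parts A, B, E, F, K and Z and no part H; the function names, the second entry `c0ffee00` and rule id `999999` are constructed for illustration.

```python
import re

# Part boundary in a ModSecurity serial audit log: --<entry id>-<letter>--
BOUNDARY = re.compile(r"--([0-9a-fA-F]+)-([A-Z])--")

# Constructed sample: b1afcb61 abbreviates the issue's entry; c0ffee00 is invented to show part H.
SAMPLE = """\
--b1afcb61-A--
[10/Apr/2015:10:01:26 +0800] A1GcccAJA6AdjXAcAcGcAckc 192.168.1.250 56581 127.0.0.1 80
--b1afcb61-B--
GET /uploadfiles/member/ HTTP/1.1
--b1afcb61-E--
403 Forbidden
--b1afcb61-F--
HTTP/1.1 403 Forbidden
--b1afcb61-K--
SecAction "phase:1,id:900006,t:none,setvar:tx.max_num_args=255,nolog,pass"
--b1afcb61-Z--
--c0ffee00-A--
[10/Apr/2015:10:02:00 +0800] CONSTRUCTED0000000000000 192.0.2.10 40000 127.0.0.1 80
--c0ffee00-H--
Message: Access denied with code 403 (phase 2). [id "999999"] [msg "constructed test rule"]
--c0ffee00-Z--
"""

def split_parts(log_text):
    """Return {entry_id: {part_letter: body}} for every entry in log_text."""
    entries = {}
    marks = list(BOUNDARY.finditer(log_text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(log_text)
        entries.setdefault(m.group(1), {})[m.group(2)] = log_text[m.end():end].strip()
    return entries

def rule_messages(parts):
    """Return (rule id, msg) pairs from the Message: lines of part H."""
    found = []
    for line in parts.get("H", "").splitlines():
        if line.startswith("Message:"):
            rid = re.search(r'\[id "(\d+)"\]', line)
            msg = re.search(r'\[msg "([^"]*)"\]', line)
            found.append((rid and rid.group(1), msg and msg.group(1)))
    return found

def report(log_text):
    """Per entry: parts present, whether part H exists, and rule messages found."""
    return {eid: {"parts": "".join(sorted(p)), "has_trailer": "H" in p,
                  "messages": rule_messages(p)}
            for eid, p in split_parts(log_text).items()}
```

Calling `report()` on a spooled audit-log file's text shows, per entry, whether any rule message is present for a console to display; which parts are written is controlled by the `SecAuditLogParts` directive.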