Open ravsau opened 5 years ago
The blacklist in these examples only relates to detecting bad bots using the honeypot trap. When SQL injection rules are matched, only the action indicated by the rule is taken (typically block). There is no additional action that is taken for the originating IP address.
If you wish to collect the requester IP addresses for rules that get matched, to add them to a requester-wide blacklist, you will need to log the Web ACL traffic, process the logs and add the IP to the blacklist yourself. Logs are sent to Amazon Kinesis Data Firehose and delivered to several potential destinations from there, including Amazon S3. This way, logs can be delivered to S3, and from there you can use AWS Lambda to process the logs and blacklist IP addresses as needed.
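One way to do the log-processing step described above, as an added example that is not code from this thread or from the AWS WAF Security Automations project: it parses AWS WAF JSON log records (the `action`, `terminatingRuleId` and `httpRequest.clientIp` fields), keeps the client IPs that a SQL-injection rule blocked, and merges them into an existing WAFv2 IP set with boto3. The rule ID `SQLiRule` and the IP-set name/ID arguments are assumptions, and the log lines are constructed.

```python
"""Parse AWS WAF log records and collect the client IPs whose requests a
SQL-injection rule blocked, formatted as CIDRs for a WAFv2 IP set."""
import ipaddress
import json

def _rec(action, rule, ip):
    """Build a constructed record in the AWS WAF JSON log format (one object
    per line; real logs arrive from Firehose as gzipped files in S3)."""
    return json.dumps({"action": action, "terminatingRuleId": rule,
                       "httpRequest": {"clientIp": ip}})

SAMPLE_LOG_LINES = [
    _rec("BLOCK", "SQLiRule", "198.51.100.23"),
    _rec("ALLOW", "Default_Action", "203.0.113.9"),
    _rec("BLOCK", "SQLiRule", "2001:db8::1"),
    _rec("BLOCK", "XssRule", "192.0.2.5"),
    "not json at all",  # corrupt line: skipped, must not abort the batch
]

def sqli_blocked_cidrs(lines, rule_ids=("SQLiRule",)):
    """Return {4: cidrs, 6: cidrs} for requests BLOCKed by one of the
    (assumed) SQL-injection rule IDs. IP sets take CIDRs only (/32 for an
    IPv4 host, /128 for IPv6) and hold one address family each, so the
    families are kept apart."""
    found = {4: set(), 6: set()}
    for line in lines:
        try:
            rec = json.loads(line)
            if rec["action"] != "BLOCK" or rec["terminatingRuleId"] not in rule_ids:
                continue
            addr = ipaddress.ip_address(rec["httpRequest"]["clientIp"])
            found[addr.version].add(f"{addr}/{32 if addr.version == 4 else 128}")
        except (ValueError, KeyError, TypeError):
            continue  # malformed record or unparsable IP: skip it
    return found

def add_to_ip_set(cidrs, name, ip_set_id, scope="REGIONAL"):
    """Merge CIDRs into an existing WAFv2 IP set (name and id are caller-
    supplied placeholders). The LockToken from get_ip_set makes the update
    fail instead of silently clobbering a concurrent one."""
    import boto3  # imported here so the parsing above runs without AWS
    waf = boto3.client("wafv2")
    current = waf.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    merged = sorted(set(current["IPSet"]["Addresses"]) | set(cidrs))
    waf.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                      Addresses=merged, LockToken=current["LockToken"])
    return merged
```

In an S3-triggered Lambda you would fetch and gunzip the object named in the event, pass its lines to `sqli_blocked_cidrs`, and call `add_to_ip_set` once per address family against separate IPv4 and IPv6 IP sets.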
@vladvataws thanks for the response. I've started logging now. I'll look to write a Lambda function that parses the logs and adds SQL injection attackers to the block IP list.
Or is there a way to accomplish that?