amazon-archives / aws-waf-sample

This repository contains example scripts and sets of rules for the AWS WAF service. Please be aware that the applicability of these examples to specific workloads may vary.
MIT No Attribution

Does the IP of the requester get added to the block list when sql injection rule matches the request? #32

Open ravsau opened 5 years ago

ravsau commented 5 years ago

Or is there a way to accomplish that?

vladvataws commented 5 years ago

The blacklist in these examples only relates to detecting bad bots using the honeypot trap. When SQL injection rules are matched, only the action indicated by the rule is taken (typically block). There is no additional action that is taken for the originating IP address.

If you wish to collect the requester IP addresses for rules that get matched, to add them to a requester-wide blacklist, you will need to log the Web ACL traffic, process the logs and add the IP to the blacklist yourself. Logs are sent to Amazon Kinesis Data Firehose and delivered to several potential destinations from there, including Amazon S3. This way, logs can be delivered to S3, and from there you can use AWS Lambda to process the logs and blacklist IP addresses as needed.
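The log-processing step described above, as an added example that is not part of this repository or the maintainer's answer: a Lambda handler that reads a WAF log object delivered to S3 by Firehose, keeps only records whose terminating rule is one of the configured SQL injection rule IDs and whose action was BLOCK, and inserts the client IPs into a classic WAF IPSet via `UpdateIPSet`. The sample log lines are constructed (field names follow the WAF log format, values are made up); the environment variable names `IP_SET_ID` and `SQLI_RULE_IDS` are hypothetical, and the `waf` client assumes a CloudFront (global) Web ACL, which would be `waf-regional` for an ALB. The pure functions run offline without boto3.

```python
import gzip
import ipaddress
import json
import os
from typing import Dict, Iterable, List, Set

# Constructed sample of AWS WAF log records (newline-delimited JSON, the shape
# Kinesis Data Firehose writes to S3). Field names follow the WAF log format;
# every value here is made up for this example.
SAMPLE_LOG_LINES = [
    json.dumps({"timestamp": 1576280412771, "formatVersion": 1,
                "webaclId": "EXAMPLE-WEBACL-ID", "terminatingRuleId": "SQLiRule",
                "terminatingRuleType": "REGULAR", "action": "BLOCK",
                "httpRequest": {"clientIp": "198.51.100.23", "country": "US",
                                "uri": "/login", "httpMethod": "POST"}}),
    json.dumps({"timestamp": 1576280412790, "formatVersion": 1,
                "webaclId": "EXAMPLE-WEBACL-ID", "terminatingRuleId": "Default_Action",
                "terminatingRuleType": "REGULAR", "action": "ALLOW",
                "httpRequest": {"clientIp": "203.0.113.7", "country": "DE",
                                "uri": "/", "httpMethod": "GET"}}),
    json.dumps({"timestamp": 1576280412801, "formatVersion": 1,
                "webaclId": "EXAMPLE-WEBACL-ID", "terminatingRuleId": "SQLiRule",
                "terminatingRuleType": "REGULAR", "action": "BLOCK",
                "httpRequest": {"clientIp": "2001:db8::1", "country": "NL",
                                "uri": "/search", "httpMethod": "GET"}}),
    # Repeat offender: must not produce a duplicate IPSet update.
    json.dumps({"timestamp": 1576280412850, "formatVersion": 1,
                "webaclId": "EXAMPLE-WEBACL-ID", "terminatingRuleId": "SQLiRule",
                "terminatingRuleType": "REGULAR", "action": "BLOCK",
                "httpRequest": {"clientIp": "198.51.100.23", "country": "US",
                                "uri": "/login", "httpMethod": "POST"}}),
    "this line is not JSON and must be skipped",
]


def extract_blocked_cidrs(lines: Iterable[str], rule_ids: Set[str]) -> Set[str]:
    """Return single-host CIDRs of requests BLOCKed by one of rule_ids (the
    terminating rule). Malformed lines and unparsable client IPs are skipped
    so one bad record cannot abort the whole batch."""
    cidrs: Set[str] = set()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            record = json.loads(raw)
        except ValueError:
            continue
        if record.get("action") != "BLOCK" or record.get("terminatingRuleId") not in rule_ids:
            continue
        client_ip = record.get("httpRequest", {}).get("clientIp", "")
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            continue
        # WAF IP sets hold CIDRs; a single host is /32 (IPv4) or /128 (IPv6).
        cidrs.add(f"{addr}/{addr.max_prefixlen}")
    return cidrs


def build_ipset_updates(cidrs: Iterable[str]) -> List[Dict]:
    """Translate CIDRs into the Updates list taken by classic WAF UpdateIPSet:
    one INSERT descriptor per address, typed IPV4 or IPV6."""
    updates = []
    for cidr in sorted(cidrs):
        version = ipaddress.ip_network(cidr).version
        updates.append({"Action": "INSERT",
                        "IPSetDescriptor": {"Type": f"IPV{version}", "Value": cidr}})
    return updates


def decode_log_object(body: bytes) -> List[str]:
    """Firehose may deliver the object gzip-compressed; detect by magic bytes."""
    if body[:2] == b"\x1f\x8b":
        body = gzip.decompress(body)
    return body.decode("utf-8").splitlines()


def handler(event, context):
    """Lambda entry point for an S3 ObjectCreated event on the WAF log bucket.
    Env vars IP_SET_ID and SQLI_RULE_IDS (comma-separated) are hypothetical names."""
    import boto3  # imported here so the pure functions above run without AWS

    rule_ids = set(filter(None, os.environ.get("SQLI_RULE_IDS", "").split(",")))
    ip_set_id = os.environ["IP_SET_ID"]
    s3 = boto3.client("s3")
    waf = boto3.client("waf")  # use "waf-regional" for an ALB-scoped Web ACL
    cidrs: Set[str] = set()
    for rec in event.get("Records", []):
        bucket = rec["s3"]["bucket"]["name"]
        key = rec["s3"]["object"]["key"]
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        cidrs |= extract_blocked_cidrs(decode_log_object(body), rule_ids)
    updates = build_ipset_updates(cidrs)
    if updates:
        token = waf.get_change_token()["ChangeToken"]
        waf.update_ip_set(IPSetId=ip_set_id, ChangeToken=token, Updates=updates)
    return {"added": len(updates)}


if __name__ == "__main__":
    print(build_ipset_updates(extract_blocked_cidrs(SAMPLE_LOG_LINES, {"SQLiRule"})))
```

Before running this against a real IPSet, diff the candidate list against the current contents (`GetIPSet`) so that addresses already present are not re-inserted, and keep the classic WAF IPSet size limit in mind; a rule that blocks on a single match will also capture the occasional false positive, so an expiry or review path for entries is worth designing in from the start.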

ravsau commented 5 years ago

@vladvataws thanks for the response. I've started logging now; I'll look to write a Lambda function that parses the logs and adds SQL injection attackers to the block IP list.