Closed attobyte closed 5 years ago
Hi @attobyte
We've added this REQUEST_PER_MINUTE_LIMIT for those who need to set a threshold below 2000 req per 5 min or want to implement other customizations that are not supported by AWS WAF Rate Based Rule ... If you set this environment variable, the log parser function will also process logs like HTTP flood protection.
Need to triple check but it was supposed to be optional (that's why we have a check 'REQUEST_PER_MINUTE_LIMIT' in environ before accessing it). If the variable is not defined, it will process logs only searching for error rate (Scanner & Probe protection).
Thank you for the clarification, I did figure out some of this after I opened the issue.
What actually confused me and why I started down this path was I didn't find #44 until later and of course I didn't see the comment in the code. :)
I am returning a 403 Error page from an ALB rule and I didn't notice errors were only being counted for target_status_code and not elb_status_code.
I do see why the change was made to use target_status_code as the LogParser would block everything WAF had blocked.
One potential workaround might be to use the elb_status_code field along with the actions_executed field. That field in the logs seems to have WAF and forward, redirect, or fixed-response when the request is sent on to the target. It seems to only have WAF when blocked at WAF or the ALB. Would need more testing.
Thanks for your comments. I consider the issue closed and thank you for your work on this template.
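The workaround floated in the comment above, sketched as an added example (this is not the project's log-parser.py code): count errors by elb_status_code, but skip entries whose actions_executed is only waf. The ERROR_CODES set, the helper names and the sample log entries are constructed assumptions; the field positions follow the ALB access log format.

```python
import shlex
from collections import Counter

# Assumption: statuses treated as "errors"; the real parser's list may differ.
ERROR_CODES = {"400", "401", "403", "404", "405"}
# Positions of the fields in a space-delimited ALB access log entry.
CLIENT, ELB_STATUS, TARGET_STATUS, ACTIONS = 3, 8, 9, 22

def make_line(client, elb_status, target_status, actions):
    """Build a constructed ALB log entry (sample data; target address left as '-')."""
    return (
        f"https 2020-01-01T00:00:00.000000Z app/demo/0123456789abcdef "
        f"{client}:40000 - 0.001 0.002 0.000 {elb_status} {target_status} 100 200 "
        f'"GET https://example.com:443/ HTTP/1.1" "curl/7.0" - - '
        f"arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/demo/0123456789abcdef "
        f'"Root=1-00000000-000000000000000000000000" "example.com" "-" 1 '
        f'2020-01-01T00:00:00.000000Z "{actions}" "-" "-"'
    )

SAMPLE = [
    make_line("203.0.113.10", "403", "-", "waf"),                 # blocked by WAF
    make_line("203.0.113.10", "403", "-", "waf,fixed-response"),  # 403 page from ALB rule
    make_line("203.0.113.10", "403", "-", "waf,fixed-response"),
    make_line("198.51.100.7", "404", "404", "waf,forward"),       # error from the target
    make_line("198.51.100.7", "200", "200", "waf,forward"),
]

def count_errors(lines, use_elb_status):
    """Count error responses per client IP from ALB access log entries."""
    counts = Counter()
    for line in lines:
        fields = shlex.split(line)
        if len(fields) <= ACTIONS:
            continue  # malformed or truncated entry
        client_ip = fields[CLIENT].rsplit(":", 1)[0]
        if use_elb_status:
            if set(fields[ACTIONS].split(",")) == {"waf"}:
                continue  # no action after WAF: treat as already blocked there
            status = fields[ELB_STATUS]
        else:
            status = fields[TARGET_STATUS]
        if status in ERROR_CODES:
            counts[client_ip] += 1
    return dict(counts)

if __name__ == "__main__":
    print("target_status_code only:", count_errors(SAMPLE, use_elb_status=False))
    print("elb_status_code + actions_executed:", count_errors(SAMPLE, use_elb_status=True))
```

With target_status_code alone the fixed-response 403s from the ALB rule are never counted; with the elb_status_code variant they are, while the entry that WAF itself blocked stays excluded.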
log-parser.py lambda function requires the Env variable REQUEST_PER_MINUTE_LIMIT to function correctly.
The LambdaWAFLogParserFunction within aws-waf-security-automations.template is missing the REQUEST_PER_MINUTE_LIMIT ENV variable.
Also the aws-waf-security-automations.template is missing a parameter to set the REQUEST_PER_MINUTE_LIMIT for the LambdaWAFLogParserFunction.