• NGINX App Protect (WAF) 에 대한 기본 로깅 구성 및 확인
    • 로깅 관련 NGINX Config
    • WAF Logging Profile
    • WAF Log 


  • NAP Logging Sample Config
http {
  # Turn on NGINX App Protect enforcement in this context.
  app_protect_enable on;
  # Emit App Protect security events (the WAF log).
  app_protect_security_log_enable on;
  # Logging profile (filter + format, see log_default.json below) and the local
  # destination file. The file is created and handed to the nginx user in the
  # touch/chown steps below so the worker processes can append to it.
  app_protect_security_log "/etc/app_protect/conf/log_default.json" /var/log/nginx/waf.log;
....

  • NAP Logging File 생성 
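# Create the WAF security log referenced by app_protect_security_log and give
# it to the nginx worker user. The log is an audit trail: a world-writable
# (777) mode would let any local account alter or truncate it, so the file is
# restricted to owner read/write and group read instead.
touch /var/log/nginx/waf.log
chown nginx:nginx /var/log/nginx/waf.log
chmod 0640 /var/log/nginx/waf.log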
  • NGINX Restart
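# Check the configuration first so a typo in the App Protect directives does
# not leave nginx (and the WAF in front of the app) down after the restart.
nginx -t && systemctl restart nginx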

  • WAF Logging Profile
[root@ip-10-10-10-101 conf]# cat log_default.json
{
    "filter": {
        "request_type": "illegal"
    },

    "content": {
        "format": "default",
        "max_request_size": "any",
        "max_message_size": "32k"
    }
}


  • Sample 공격 이후 로그 상태 확인 
[root@ip-10-10-10-101 app_protect]# tail -f /var/log/nginx/waf.log
attack_type="Abuse of Functionality,Cross Site Scripting (XSS),Other Application Activity,HTTP Parser Attack",blocking_exception_reason="N/A",date_time="2023-10-19 15:02:31",dest_port="80",ip_client="175.209.152.102",is_truncated="false",method="GET",policy_name="app_protect_default_policy",protocol="HTTP",request_status="blocked",response_code="0",severity="N/A",sig_cves="N/A,N/A",sig_ids="200001475,200000098",sig_names="XSS script tag end (Parameter) (2),XSS script tag (Parameter)",sig_set_names="{Cross Site Scripting Signatures;High Accuracy Signatures},{Cross Site Scripting Signatures;High Accuracy Signatures}",src_port="5017",sub_violations="HTTP protocol compliance failed:Host header contains IP address",support_id="16202664903905108041",threat_campaign_names="N/A",unit_hostname="ip-10-10-10-101.ap-northeast-2.compute.internal",uri="/",violation_rating="5",vs_name="1-localhost:1-/",x_forwarded_for_header_value="N/A",outcome="REJECTED",outcome_reason="SECURITY_WAF_VIOLATION",violations="HTTP protocol compliance failed,Illegal meta character in parameter name,Attack signature detected,Violation Rating Threat 
detected",json_log="{""id"":""16202664903905108041"",""violations"":[{""enforcementState"":{""isBlocked"":false,""isAlarmed"":true,""isLearned"":false},""violation"":{""name"":""VIOL_PARAMETER_NAME_METACHAR""},""policyEntity"":{""parameters"":[{""name"":""*"",""level"":""global"",""type"":""wildcard""}]},""observedEntity"":{""name"":""PHNjcmlwdD4="",""location"":""query""},""metachar"":""0x3c"",""charsetType"":""parameter-value""},{""enforcementState"":{""isBlocked"":false,""isAlarmed"":true,""isLearned"":false},""violation"":{""name"":""VIOL_PARAMETER_NAME_METACHAR""},""policyEntity"":{""parameters"":[{""name"":""*"",""level"":""global"",""type"":""wildcard""}]},""observedEntity"":{""name"":""PHNjcmlwdD4="",""location"":""query""},""metachar"":""0x3e"",""charsetType"":""parameter-value""},{""enforcementState"":{""isBlocked"":true,""isAlarmed"":true,""isInStaging"":false,""isLearned"":false,""isLikelyFalsePositive"":false},""violation"":{""name"":""VIOL_ATTACK_SIGNATURE""},""signature"":{""name"":""XSS script tag end (Parameter) (2)"",""signatureId"":200001475,""accuracy"":""high"",""risk"":""high"",""hasCve"":false},""snippet"":{""buffer"":""PHNjcmlwdD49"",""offset"":1,""length"":7},""policyEntity"":{""parameters"":[{""name"":""*"",""level"":""global"",""type"":""wildcard""}]},""observedEntity"":{""name"":""PHNjcmlwdD4="",""location"":""query""}},{""enforcementState"":{""isBlocked"":true,""isAlarmed"":true,""isInStaging"":false,""isLearned"":false,""isLikelyFalsePositive"":false},""violation"":{""name"":""VIOL_ATTACK_SIGNATURE""},""signature"":{""name"":""XSS script tag 
(Parameter)"",""signatureId"":200000098,""accuracy"":""high"",""risk"":""high"",""hasCve"":false},""snippet"":{""buffer"":""PHNjcmlwdD49"",""offset"":0,""length"":7},""policyEntity"":{""parameters"":[{""name"":""*"",""level"":""global"",""type"":""wildcard""}]},""observedEntity"":{""name"":""PHNjcmlwdD4="",""location"":""query""}},{""enforcementState"":{""isBlocked"":false},""violation"":{""name"":""VIOL_HTTP_PROTOCOL""},""policyEntity"":{""blocking-settings"":{""http-protocols"":{""description"":""Host header contains IP address""}}}},{""enforcementState"":{""isBlocked"":true},""violation"":{""name"":""VIOL_RATING_THREAT""}}],""enforcementAction"":""block"",""method"":""GET"",""clientPort"":5017,""clientIp"":""175.209.152.102"",""host"":""ip-10-10-10-101.ap-northeast-2.compute.internal"",""responseCode"":0,""serverIp"":""0.0.0.0"",""serverPort"":80,""requestStatus"":""blocked"",""url"":""Lw=="",""virtualServerName"":""1-localhost:1-/"",""enforcementState"":{""isBlocked"":true,""isAlarmed"":true,""rating"":5,""attackType"":[{""name"":""Abuse of Functionality""},{""name"":""Cross Site Scripting (XSS)""},{""name"":""Other Application Activity""},{""name"":""HTTP Parser Attack""}]},""requestDatetime"":""2023-10-19T15:02:31Z"",""rawRequest"":{""actualSize"":495,""httpRequest"":""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"",""isTruncated"":false},""requestPolicy"":{""fullPath"":""app_protect_default_policy""}}",violation_details="<?xml version='1.0' 
encoding='UTF-8'?><BAD_MSG><violation_masks><block>410000000200c00-3a03030c30000072-8000000000000000-0</block><alarm>477f0ffcbbd0fea-befbf35cb000007e-f000000000000000-0</alarm><learn>0-0-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name><context>parameter</context><parameter_data><value_error/><enforcement_level>global</enforcement_level><name>PHNjcmlwdD4=</name><auto_detected_type>alpha-numeric</auto_detected_type><value></value><location>query</location><expected_location></expected_location><is_base64_decoded>false</is_base64_decoded><param_name_pattern>*</param_name_pattern><staging>0</staging></parameter_data><staging>0</staging><sig_data><sig_id>200001475</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>PHNjcmlwdD49</buffer><offset>1</offset><length>7</length></kw_data></sig_data><sig_data><sig_id>200000098</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>PHNjcmlwdD49</buffer><offset>0</offset><length>7</length></kw_data></sig_data></violation><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name><http_sanity_checks_status>2048</http_sanity_checks_status><http_sub_violation_status>2048</http_sub_violation_status><http_sub_violation>SG9zdCBoZWFkZXIgd2l0aCBJUCB2YWx1ZTogMTUuMTY1LjEwMC4yMTc=</http_sub_violation></violation><violation><viol_index>25</viol_index><viol_name>VIOL_PARAMETER_NAME_METACHAR</viol_name><param_name>PHNjcmlwdD4=</param_name><wildcard_entity>*</wildcard_entity><enforcement_level>global</enforcement_level><metachar_index>60</metachar_index><metachar_index>62</metachar_index><staging>0</staging><is_base64_decoded>false</is_base64_decoded></violation><violation><viol_index>93</viol_index><viol_name>VIOL_RATING_THREAT</viol_name></violation></request-violations></BAD_MSG>",bot_signature_name="N/A",bot_category="N/A",bot_anomalies="N/A",enforced_bot_anomalies="N/A",client_class="Browser",client_applica
tion="Chrome",client_application_version="118",request="GET /?%3Cscript%3E HTTP/1.1\r\nHost: 15.165.100.217\r\nConnection: keep-alive\r\nCache-Control: max-age=0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7\r\n\r\n",transport_protocol="HTTP/1.1"