Enabling Alarm Notification

This section describes how to enable notification for attack logs. Once this function is enabled, WAF sends attack logs to users by email or SMS.

Prerequisites

  • Login credentials have been obtained.

  • The SMN service has been enabled.

Procedure

  1. Log in to the management console.

  2. Click image1 in the upper left corner of the management console and select a region or project.

  3. Choose Security > Web Application Firewall. In the navigation pane on the left, choose Events.

  4. Click the Notify tab and configure alarm notification parameters by referring to Table 1. Figure 1 shows an example.

    **Figure 1** Configuring alarm notification

    Figure 1 Configuring alarm notification

    Table 1 Notification setting parameters

    Parameter

    Description

    Notification ID

    Alarm event ID

    Notification

    Whether to enable notification

    • image2: enabled.

    • image3: disabled.

    Notification Topic

    Click the drop-down list to select an available topic or click View Topic to create a topic.

    For more information, see the Simple Message Notification User Guide.

    Threshold

    Alarm threshold

    Note

    Alarm notifications are sent when the number of attacks is greater than or equal to the threshold within the configured period.

    Event Type

    By default, All is selected. You can also click Customize to specify event types.

    For details about event types, see Table 2.

    Table 2 List of event types

    Event Type

    Description

    Challenge Collapsar

    CC attack. When you find out that your website is experiencing slowed processing and high bandwidth usage, it may have been under CC attacks.

    Command Injection

    Command injection. It is a technique used by hackers to execute system commands on a server by chaining commands and bypassing blacklists to invoke web application interfaces.

    Custom

    Events logged by one or more precise protection rules

    Illegal Request

    Invalid requests. For example, more than 512 parameters are used.

    SQL Injection

    SQL injection. It is a common web attack whereby attackers inject malicious SQL commands into database query strings to deceive the server into executing them. By exploiting these commands, the attacker can obtain sensitive information, add users, export files, or even gain the highest permissions to the database or system.

    Local File Inclusion

    Local file inclusion (LFI) allows attackers to access files on a local server or download sensitive configurations. The vulnerability occurs due to the use of user-supplied input without proper validation.

    Scanner & Crawler

    Scanner and crawler attack events

    AntiTamper

    Events logged by one or more web tamper protection rules

    Remote File Inclusion

    Remote file inclusion

    Miscellaneous

    Other types of attacks, such as a combination of SQL injection and command injection attacks or certain CVE vulnerabilities

    Cross Site Scripting

    XSS. It is a type of attacks that exploits security vulnerabilities in web applications. XSS enables attackers to inject auto-executed malicious codes into web pages to steal users' information when they visit the pages.

    Black/White IP

    Events logged by one or more blacklist or whitelist rules

    Webshell

    A web shell is an attack script. After intruding into a website, an attacker adds an .asp, .php, .jsp, or .cgi script file with normal web page files. Then, the attacker accesses the file from a web browser and uses it as a backdoor to obtain a command execution environment for controlling the web server. For this reason, web shells are also called backdoor tools.

  5. Click Save.