Enabling Alarm Notification¶
This section describes how to enable notification for attack logs. Once this function is enabled, WAF sends attack logs to users by email or SMS.
Prerequisites¶
Login credentials have been obtained.
The SMN service has been enabled.
Procedure¶
Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
Choose Security > Web Application Firewall. In the navigation pane on the left, choose Events.
Click the Notify tab and configure alarm notification parameters by referring to Table 1. Figure 1 shows an example.
¶ Parameter
Description
Notification ID
Alarm event ID
Notification
Whether to enable notification
: enabled.
: disabled.
Notification Topic
Click the drop-down list to select an available topic or click View Topic to create a topic.
For more information, see the Simple Message Notification User Guide.
Threshold
Alarm threshold
Note
Alarm notifications are sent when the number of attacks is greater than or equal to the threshold within the configured period.
Event Type
By default, All is selected. You can also click Customize to specify event types.
For details about event types, see Table 2.
¶ Event Type
Description
Challenge Collapsar
CC attack. When you find out that your website is experiencing slowed processing and high bandwidth usage, it may have been under CC attacks.
Command Injection
Command injection. It is a technique used by hackers to execute system commands on a server by chaining commands and bypassing blacklists to invoke web application interfaces.
Custom
Events logged by one or more precise protection rules
Illegal Request
Invalid requests. For example, more than 512 parameters are used.
SQL Injection
SQL injection. It is a common web attack whereby attackers inject malicious SQL commands into database query strings to deceive the server into executing them. By exploiting these commands, the attacker can obtain sensitive information, add users, export files, or even gain the highest permissions to the database or system.
Local File Inclusion
Local file inclusion (LFI) allows attackers to access files on a local server or download sensitive configurations. The vulnerability occurs due to the use of user-supplied input without proper validation.
Scanner & Crawler
Scanner and crawler attack events
AntiTamper
Events logged by one or more web tamper protection rules
Remote File Inclusion
Remote file inclusion
Miscellaneous
Other types of attacks, such as a combination of SQL injection and command injection attacks or certain CVE vulnerabilities
Cross Site Scripting
XSS. It is a type of attacks that exploits security vulnerabilities in web applications. XSS enables attackers to inject auto-executed malicious codes into web pages to steal users' information when they visit the pages.
Black/White IP
Events logged by one or more blacklist or whitelist rules
Webshell
A web shell is an attack script. After intruding into a website, an attacker adds an .asp, .php, .jsp, or .cgi script file with normal web page files. Then, the attacker accesses the file from a web browser and uses it as a backdoor to obtain a command execution environment for controlling the web server. For this reason, web shells are also called backdoor tools.
Click Save.