F5 rules for AWS WAF - F5-CVE_Managed rule group Logs
Hello,
I've contacted AWS support regarding the WAF and your specific rule group, and AWS suggested I reach out here for specific questions regarding the F5 managed rule. I asked the following question:
We started to get exploit attempts on our production app, and were looking at the best way to block these attempts via a WAF rule.
This was caught from our app error checking vendor Rollbar:
ActionDispatch::Http::MimeNegotiation::InvalidType: "%{#context['com.opensymphony.xwork2.dispatcher.httpservletresponse'].addheader('gig54250'" is not a valid MIME type
ActionDispatch::Http::MimeNegotiation::InvalidType: "%{#context['com.opensymphony.xwork2.dispatcher.httpservletresponse'].addheader('5rvke1gt'" is not a valid MIME type (Most recent call first)
Exploit information:
https://blog.gdssecurity.com/labs/2017/3/27/an-analysis-of-cve-2017-5638.html
support rep advised:
I understand you observed attack attempts in your application that are exploiting the Apache Struts vulnerability (CVE-2017-5638) and are looking for a way to block these attempts via AWS WAF.
Kindly note that for the Apache Struts Vulnerability there is no AWS Managed rule available, however, you can make use of a marketplace rule group - "Common Vulnerabilities & Exposures (CVE) Rules" which are under "F5 managed rule groups"
We are currently subscribed to the F5 Common Vulnerabilities & Exposures (CVE) Rules, and have all of the rules turned on with "Use action defined in the rule", i.e. not set to count. I see in CloudWatch metrics there are data points that show up for F5-CVE_Managed BlockedRequests, but I'm not seeing any logs in CloudWatch for that rule group. I want to be able to see more details in CloudWatch Logs that correspond with the blocks in CloudWatch metrics, and it doesn't seem that this rule group is sending any logs to CloudWatch, only metrics. Especially as noted in your documentation https://support.f5.com/csp/article/K21015971:
Monitoring rule groups and rules
All rules and rule groups come with CloudWatch metrics that report the number of requests that matched a rule or rule group. When you use multiple rule groups, these metrics help discern which rules are being matched.
Long story long, I need to be able to see in CloudWatch Logs more details of what the rule group is blocking, and a query to see that information.
Thank you!
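The following is an added example, not part of the original post and not F5's or AWS's code. The gap the poster describes is real: AWS WAF publishes CloudWatch metrics for every rule and rule group by default, but per-request logs only exist once logging is enabled on the web ACL and routed to a destination (for the CloudWatch Logs destination the log group name must begin with `aws-waf-logs-`). Once those logs exist, each record carries a `ruleGroupList` entry naming the rule inside the group that terminated the request, which is the detail the group-level metric lacks. The script below parses a few constructed WAF log records in the documented AWS WAF JSON format, counts blocks per rule inside one rule group, and flags requests whose Content-Type starts with the OGNL prefix seen in the Rollbar errors above. The rule group name `F5-CVE_Managed` and the rule ID `CVE-2017-5638` in the sample are assumptions for illustration, not verified F5 identifiers; the embedded Logs Insights query makes the same assumption about the rule name.

```python
"""Attribute AWS WAF BLOCK records to the rule that fired inside a rule group,
and flag Struts CVE-2017-5638 probes by their Content-Type header.

Added example; not code from the original post, F5 or AWS. The log records
below are constructed, and the identifiers "F5-CVE_Managed" and
"CVE-2017-5638" are assumed names, not the real F5 rule group / rule IDs.
"""
import json
from collections import Counter

# Constructed sample: three records in the documented AWS WAF JSON log format,
# one JSON object per line. The Content-Type values are cut at the same prefix
# the Rollbar errors on the page show.
SAMPLE_WAF_LOG = r'''
{"timestamp": 1516000000000, "formatVersion": 1, "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/prod/example", "terminatingRuleId": "F5-CVE_Managed", "terminatingRuleType": "MANAGED_RULE_GROUP", "action": "BLOCK", "ruleGroupList": [{"ruleGroupId": "F5-CVE_Managed", "terminatingRule": {"ruleId": "CVE-2017-5638", "action": "BLOCK"}, "nonTerminatingMatchingRules": [], "excludedRules": null}], "httpRequest": {"clientIp": "203.0.113.10", "country": "US", "headers": [{"name": "Host", "value": "app.example.com"}, {"name": "Content-Type", "value": "%{#context['com.opensymphony.xwork2.dispatcher.httpservletresponse'].addheader('gig54250'"}], "uri": "/login", "args": "", "httpVersion": "HTTP/1.1", "httpMethod": "POST", "requestId": "req-0001"}}
{"timestamp": 1516000001000, "formatVersion": 1, "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/prod/example", "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR", "action": "ALLOW", "ruleGroupList": [], "httpRequest": {"clientIp": "198.51.100.7", "country": "DE", "headers": [{"name": "Host", "value": "app.example.com"}, {"name": "Content-Type", "value": "application/json"}], "uri": "/api/items", "args": "page=2", "httpVersion": "HTTP/1.1", "httpMethod": "GET", "requestId": "req-0002"}}
{"timestamp": 1516000002000, "formatVersion": 1, "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/prod/example", "terminatingRuleId": "F5-CVE_Managed", "terminatingRuleType": "MANAGED_RULE_GROUP", "action": "BLOCK", "ruleGroupList": [{"ruleGroupId": "F5-CVE_Managed", "terminatingRule": {"ruleId": "CVE-2017-5638", "action": "BLOCK"}, "nonTerminatingMatchingRules": [], "excludedRules": null}], "httpRequest": {"clientIp": "203.0.113.10", "country": "US", "headers": [{"name": "Host", "value": "app.example.com"}, {"name": "content-type", "value": "%{#context['com.opensymphony.xwork2.dispatcher.httpservletresponse'].addheader('5rvke1gt'"}], "uri": "/", "args": "", "httpVersion": "HTTP/1.1", "httpMethod": "GET", "requestId": "req-0003"}}
'''

# CloudWatch Logs Insights query answering the same question in the console,
# run against the aws-waf-logs-* log group once logging is enabled on the web
# ACL. "F5-CVE_Managed" is assumed to be the rule name given to the rule group
# reference in the web ACL (the label the metric carries).
LOGS_INSIGHTS_QUERY = """
fields @timestamp, httpRequest.clientIp, httpRequest.httpMethod, httpRequest.uri,
       ruleGroupList.0.terminatingRule.ruleId
| filter action = "BLOCK" and terminatingRuleId = "F5-CVE_Managed"
| sort @timestamp desc
| limit 100
"""


def parse_waf_log(text):
    """Parse JSON Lines WAF output, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def header_value(record, name):
    """Case-insensitive header lookup; WAF logs keep the client's header casing."""
    for h in record["httpRequest"].get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def has_struts_ognl_content_type(record):
    """CVE-2017-5638 probes put an OGNL expression in Content-Type. A legitimate
    media type is a token/token pair and can never begin with '%{'."""
    content_type = header_value(record, "Content-Type") or ""
    return content_type.lstrip().startswith("%{")


def blocks_by_rule(records, rule_group_id):
    """Count BLOCK records per rule inside one rule group. This per-rule
    attribution is what the group-level BlockedRequests metric cannot show."""
    counts = Counter()
    for rec in records:
        if rec["action"] != "BLOCK":
            continue
        for group in rec.get("ruleGroupList", []):
            term = group.get("terminatingRule")
            if group["ruleGroupId"] == rule_group_id and term and term["action"] == "BLOCK":
                counts[term["ruleId"]] += 1
    return dict(counts)


def suspicious_requests(records):
    """(requestId, clientIp, method, uri, action) for every request carrying the
    Struts payload, blocked or not, so any probe that got through stands out."""
    return [
        (rec["httpRequest"]["requestId"], rec["httpRequest"]["clientIp"],
         rec["httpRequest"]["httpMethod"], rec["httpRequest"]["uri"], rec["action"])
        for rec in records
        if has_struts_ognl_content_type(rec)
    ]


if __name__ == "__main__":
    recs = parse_waf_log(SAMPLE_WAF_LOG)
    print("Blocks per rule in F5-CVE_Managed:", blocks_by_rule(recs, "F5-CVE_Managed"))
    for row in suspicious_requests(recs):
        print("Struts probe:", row)
```

The `suspicious_requests` check is deliberately independent of the WAF's verdict: comparing its output against `blocks_by_rule` shows whether every probe the application saw was also the one the rule group blocked, which is the reconciliation between metric data points and real traffic the poster is after.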