Log all requests through backend_public WAF ACL #1822

Merged
merged 1 commit into from
Mar 6, 2024

robinjam
Contributor

@robinjam robinjam commented Mar 4, 2024

Trello card

Rationale: We recently added support (#1819) for JA3 denylisting on the backend_public ACL, but the only place we currently log JA3 fingerprints is in the WAF logs. Currently the backend_public ACL is configured to only log requests that were blocked or counted, so we have no way to find the JA3 fingerprints of traffic that was allowed, but that we want to add to the JA3 denylist.

This will increase the number of requests being logged by this ACL, but the amount is around the same order of magnitude as the volume of requests we already block (and therefore log) in the cache_public ACL. The aws-waf-logs-backend-public-production log group only has 1 month of retention.

@robinjam robinjam changed the title Log all requests to backend_public WAF ACL Log all requests through backend_public WAF ACL Mar 4, 2024
@robinjam robinjam force-pushed the backend-log-all-reqs branch from 58f172e to 87dcd41 Compare March 4, 2024 14:13
Rationale: We recently added support for JA3 denylisting on the
backend_public ACL, but the only place we log JA3 fingerprints is in the
WAF logs. Currently the backend_public ACL is configured to only log
requests that were blocked or counted, so we have no way to find the JA3
fingerprints of traffic that was allowed, but that we want to add to the
JA3 denylist.

This will increase the number of requests being logged by this ACL, but
the amount is around the same order of magnitude as the volume of
requests we already block (and therefore log) in the cache_public ACL.
The `aws-waf-logs-backend-public-production` log group only has 1 month
of retention.
@robinjam robinjam force-pushed the backend-log-all-reqs branch from 87dcd41 to 613fa7b Compare March 4, 2024 14:15
@robinjam robinjam requested a review from sihugh March 4, 2024 14:15
@robinjam robinjam merged commit 1d14961 into main Mar 6, 2024
2 checks passed
@robinjam robinjam deleted the backend-log-all-reqs branch March 6, 2024 10:46
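
An added example, not part of this pull request or the project's code: once allowed requests are logged, the WAF log records can be tallied by JA3 fingerprint to find candidates for the denylist. It assumes the logs have been exported as one JSON record per line carrying the AWS WAF log fields `action`, `ja3Fingerprint` and `httpRequest.clientIp`; the function name, the sample records and every fingerprint and address in them are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed fingerprints (JA3 values are 32 hex characters); not real indicators.
JA3_A = "0123456789abcdef0123456789abcdef"
JA3_B = "ffffffffffffffffffffffffffffffff"
JA3_C = "00000000000000000000000000000000"

def _record(action, ja3, ip):
    """Build one constructed WAF log line as a JSON string."""
    rec = {"action": action, "httpRequest": {"clientIp": ip}}
    if ja3 is not None:
        rec["ja3Fingerprint"] = ja3
    return json.dumps(rec)

SAMPLE_LOG_LINES = [
    _record("ALLOW", JA3_A, "198.51.100.7"),
    _record("ALLOW", JA3_A, "198.51.100.8"),
    _record("ALLOW", JA3_A, "198.51.100.7"),
    _record("ALLOW", JA3_B, "203.0.113.20"),
    _record("BLOCK", JA3_C, "203.0.113.99"),  # already blocked, not a candidate
    _record("ALLOW", None, "192.0.2.1"),      # record without a fingerprint
    "not json",                               # truncated or malformed line
]

def allowed_ja3_summary(lines, denylist=frozenset()):
    """Tally ALLOWed requests per JA3 fingerprint not already denylisted.

    Returns (rows, skipped): rows is a list of
    (fingerprint, request_count, distinct_client_ips), most frequent first;
    skipped counts lines that were unparseable or carried no fingerprint.
    """
    counts, clients, skipped = Counter(), defaultdict(set), 0
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        ja3 = rec.get("ja3Fingerprint") if isinstance(rec, dict) else None
        if not ja3:
            skipped += 1
            continue
        if rec.get("action") != "ALLOW" or ja3 in denylist:
            continue
        counts[ja3] += 1
        clients[ja3].add(rec.get("httpRequest", {}).get("clientIp"))
    rows = [(ja3, n, len(clients[ja3])) for ja3, n in counts.most_common()]
    return rows, skipped
```

A high request count spread over few client addresses reads differently from the same count spread over many, so both columns are worth checking before a fingerprint goes on the denylist.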