
Collector Configuration Manual for "Alibaba Cloud-CLOUDFW"

Please read the following before proceeding:

Before using this collector, you must install the 'Integration Core Package' and its associated third-party dependency packages.

1. Configuration Structure

The configuration structure of this collector is as follows:

Field       Type  Required  Description
regions     list  Required  List of regions to collect data from
regions[#]  str   Required  Region ID. For example: 'cn-hangzhou'
See the full table in the appendix

2. Configuration Example

Specifying a Region

Collect data from the Hangzhou region only.

Python

collector_configs = {
    'regions': [ 'cn-hangzhou' ]
}

3. Data Reporting Format

After data synchronization, you can view the data in the 'LOGs' section of TrueWatch.

The sample reported data is as follows:

JSON

{
  "measurement": "aliyun_cloudfw",
  "tags": {
    "AttackApp"   : "MySql",
    "EventId"     : "2b58efae-xxxx",
    "EventName"   : "WEB Directory Traversal Attack",
    "RuleId"      : "1000xxxx",
    "AttackType"  : "1",
    "ResourceType": "EcsPublicIP",
    "DstIP"       : "192.0.XXXX",
    "EventCount"  : "100",
    "RuleResult"  : "2",
    "RuleSource"  : "1",
    "VulLevel"    : "1"
  },
  "fields": {
    "Description"          : "Detected HTTP request WEB access with directory traversal attack",
    "FirstEventTime"       : 1534408189,
    "LastEventTime"        : 1534408267,
    "ResourcePrivateIPList": "{Private IP information for this intrusion prevention event}",
    "VpcSrcInfo"           : "{Source VPC information for this intrusion prevention event}",
    "VpcDstInfo"           : "{Destination VPC information for this intrusion prevention event}",
    "message"              : "{Instance JSON data}"
  }
}

Explanations for some parameters are as follows:

AttackType (type of attack in this intrusion prevention event):

Value  Description
1      Abnormal connection
2      Command execution
3      Brute force attack
4      Scanning
5      Other
6      Information leakage
7      DoS attack
8      Overflow attack
9      Web attack
10     Trojan backdoor
11     Virus/worm
12     Mining behavior
13     Reverse shell

ResourceType (type of public IP for this intrusion prevention event):

Value        Description
EIP          Elastic public IP
EcsPublicIP  ECS public IP
EcsEIP       ECS EIP
NatPublicIP  NAT public IP
NatEIP       NAT EIP

RuleResult (defense status):

Value  Description
1      Alert
2      Block

RuleSource (source of the detection rule for this intrusion prevention event):

Value  Description
1      Basic defense
2      Virtual patch
4      Threat intelligence

VulLevel (security level of this intrusion prevention event):

Value  Description
1      Low risk
2      Medium risk
4      High risk

The keys under tags and fields may change in subsequent updates.

fields.message is a string serialized in JSON format.
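As an added example (not part of this manual or of the collector's own code), the following Python consumes points in the reporting format shown above: it maps the numeric codes from the tables above to readable labels, parses fields.message back from its JSON string, and picks out events that the firewall only alerted on (RuleResult 1) while rating them high risk (VulLevel 4), since that traffic reached the asset. Unknown codes are kept visible rather than dropped, because the key set may change between versions. The sample points are constructed here, and the triage rule and function names are assumptions for illustration.

```python
import json

# Code tables as listed in the reporting-format section of this manual.
ATTACK_TYPE = {
    "1": "abnormal connection", "2": "command execution", "3": "brute force attack",
    "4": "scanning", "5": "other", "6": "information leakage", "7": "DoS attack",
    "8": "overflow attack", "9": "Web attack", "10": "Trojan backdoor",
    "11": "virus/worm", "12": "mining behavior", "13": "reverse shell",
}
RULE_RESULT = {"1": "alert", "2": "block"}
RULE_SOURCE = {"1": "basic defense", "2": "virtual patch", "4": "threat intelligence"}
VUL_LEVEL = {"1": "low", "2": "medium", "4": "high"}


def label(table, code):
    """Map a code to its label. Unknown codes stay visible as unknown(<code>)
    so a new value added in a later collector version is not silently lost."""
    return table.get(str(code), f"unknown({code})")


def decode_event(point):
    """Flatten one aliyun_cloudfw point (measurement/tags/fields) into a
    readable record. fields.message is a JSON-serialized string and is parsed
    back into an object; if it is not valid JSON it is kept raw."""
    tags = point.get("tags", {})
    fields = point.get("fields", {})
    raw_message = fields.get("message", "")
    try:
        message = json.loads(raw_message) if isinstance(raw_message, str) else raw_message
    except json.JSONDecodeError:
        message = {"raw": raw_message}
    try:
        count = int(tags.get("EventCount", 0))  # EventCount is reported as a string tag
    except (TypeError, ValueError):
        count = 0
    return {
        "event_id": tags.get("EventId"),
        "event_name": tags.get("EventName"),
        "dst_ip": tags.get("DstIP"),
        "resource_type": tags.get("ResourceType"),
        "attack_type": label(ATTACK_TYPE, tags.get("AttackType")),
        "rule_result": label(RULE_RESULT, tags.get("RuleResult")),
        "rule_source": label(RULE_SOURCE, tags.get("RuleSource")),
        "vul_level": label(VUL_LEVEL, tags.get("VulLevel")),
        "event_count": count,
        "first_seen": fields.get("FirstEventTime"),
        "last_seen": fields.get("LastEventTime"),
        "message": message,
    }


def needs_attention(decoded):
    """Assumed triage rule: the firewall only alerted (RuleResult 1, not
    blocked) and rated the event high risk (VulLevel 4)."""
    return decoded["rule_result"] == "alert" and decoded["vul_level"] == "high"


def triage(points):
    """Decode a batch of points and return those needing attention,
    highest EventCount first."""
    hits = [d for d in (decode_event(p) for p in points) if needs_attention(d)]
    return sorted(hits, key=lambda d: d["event_count"], reverse=True)


# Constructed sample points in the documented format (not real data).
SAMPLE_POINTS = [
    {"measurement": "aliyun_cloudfw",
     "tags": {"EventId": "evt-blocked", "EventName": "WEB Directory Traversal Attack",
              "AttackType": "9", "RuleResult": "2", "RuleSource": "1", "VulLevel": "4",
              "DstIP": "192.0.2.10", "EventCount": "100", "ResourceType": "EcsPublicIP"},
     "fields": {"FirstEventTime": 1534408189, "LastEventTime": 1534408267,
                "message": json.dumps({"RuleId": "1000xxxx"})}},
    {"measurement": "aliyun_cloudfw",
     "tags": {"EventId": "evt-alert-high", "EventName": "Reverse Shell",
              "AttackType": "13", "RuleResult": "1", "RuleSource": "4", "VulLevel": "4",
              "DstIP": "192.0.2.11", "EventCount": "3", "ResourceType": "EIP"},
     "fields": {"FirstEventTime": 1534408300, "LastEventTime": 1534408310,
                "message": "not json"}},  # malformed message is kept raw
    {"measurement": "aliyun_cloudfw",
     "tags": {"EventId": "evt-alert-high-new-code", "EventName": "Scan",
              "AttackType": "99", "RuleResult": "1", "RuleSource": "1", "VulLevel": "4",
              "DstIP": "192.0.2.12", "EventCount": "40", "ResourceType": "NatEIP"},
     "fields": {"FirstEventTime": 1534408400, "LastEventTime": 1534408450,
                "message": json.dumps({})}},  # code 99 is not in the table above
]

if __name__ == "__main__":
    for d in triage(SAMPLE_POINTS):
        print(d["event_id"], d["attack_type"], d["rule_result"], d["vul_level"], d["event_count"])
```

Running the block lists the two alert-only high-risk events, the unknown AttackType shown as unknown(99); the blocked directory-traversal event is left out of the triage list.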

X. Appendix

Please refer to the official Alibaba Cloud documentation: