Collector 'Alibaba Cloud-CLOUDFW' Configuration Manual¶

Before reading this document, please read:

Cloud Integration

Tip

Before using this collector, you must install the 'Integration Core Package' and its accompanying third-party dependencies

1. Configuration Structure¶

The configuration structure of this collector is as follows:

Field	Type	Required	Description
`regions`	list	Required	List of regions to collect data from
`regions[#]`	str	Required	Region ID. For example: `'cn-hangzhou'` See appendix for the complete list

2. Configuration Example¶

Specifying a Region¶

Collect data from the Hangzhou region

collector_configs = {
    'regions': [ 'cn-hangzhou' ]
}

3. Data Reporting Format¶

After data is successfully synchronized, you can view the data in the 'LOG' of TrueWatch.

An example of the reported data is as follows:

{
  "measurement": "aliyun_cloudfw",
  "tags": {
    "AttackApp"   : "MySql",
    "EventId"     : "2b58efae-xxxx",
    "EventName"   : "WEB Directory Traversal Attack",
    "RuleId"      : "1000xxxx",
    "AttackType"  : "1",
    "ResourceType": "EcsPublicIP",
    "DstIP"       : "192.0.XXXX",
    "EventCount"  : "100",
    "RuleResult"  : "2",
    "RuleSource"  : "1",
    "VulLevel"    : "1"
  },
  "fields": {
    "Description"          : "Detected a directory traversal attack in HTTP request WEB access",
    "FirstEventTime"       : 1534408189,
    "LastEventTime"        : 1534408267,
    "ResourcePrivateIPList": "{Private IP information of the intrusion prevention event}",
    "VpcSrcInfo"           : "{Source VPC information of the intrusion prevention event}",
    "VpcDstInfo"           : "{Destination VPC information of the intrusion prevention event}",
    "message"              : "{Instance JSON data}"
  }
}

Partial parameter descriptions are as follows:

AttackType (Attack type of the intrusion prevention event) values and meanings:

Value	Description
`1`	Abnormal connection
`2`	Command execution
`3`	Brute force attack
`4`	Scanning
`5`	Others
`6`	Information leakage
`7`	Dos attack
`8`	Overflow attack
`9`	Web attack
`10`	Trojan backdoor
`11`	Virus worm
`12`	Mining behavior
`13`	Reverse Shell

ResourceType (Public IP type of the intrusion prevention event) values and meanings:

Value	Description
`EIP`	Elastic IP
`EcsPublicIP`	ECS Public IP
`EcsEIP`	ECS EIP
`NatPublicIP`	NAT Public IP
`NatEIP`	NAT EIP

RuleResult (Defense status) values and meanings:

Value	Description
`1`	Alert
`2`	Block

RuleSource (Detection rule source of the intrusion prevention event) values and meanings:

Value	Description
`1`	Basic defense
`2`	Virtual patch
`4`	Threat intelligence

VulLevel (Security level of the intrusion prevention event) values and meanings:

Value	Description
`1`	Low risk
`2`	Medium risk
`4`	High risk

Note

The fields in tags and fields may change with subsequent updates

Tip

fields.message is a JSON serialized string

X. Appendix¶

Please refer to the official Alibaba Cloud documentation: