Skill Details

alibabacloud-waf-checkresponse-intercept-query

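Query the reason Alibaba Cloud WAF blocked a request, using SLS logs and the WAF CLI. Analyze the details of blocked requests. Optionally supports disabling WAF rules (ModifyDefenseRuleStatus) and managing log service settings (ModifyUserWafLogStatus, ModifyResourceLogStatus). Use when a user reports being blocked by WAF, encounters a 405/block error page, or needs to investigate and fix WAF security rules. Trigger words: "WAF block query", "blocked by WAF", "405 troubleshooting", "request blocked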

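Source platform: ModelScope
Source identifier: ModelScope/aliyun/alibabacloud-waf-checkresponse-intercept-query
Source file: original description
AI Platforms and Models | Popular | ModelScope | High risk | Downloads 112 | Visits 238 | Stars 64 | ModelScope | GitHub Copilot
Document version: master
Popularity: Popular
Ranking signal: Downloads 112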

Quick assessment

Last verified: 2026-04-22
Download copy: ZIP available

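Suitable tasks

  • Complete platform, development, or workflow tasks following the ModelScope listing description.
  • Save the Skill content offline via the download package.
  • Assess priority using download, visit, and like counts.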

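Input and output

Input: task goal, context materials, platform information, file paths, constraints, or the content to be processed.

Output: documents, code, check results, plans, recommendations, or operation steps generated according to the Skill description.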

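Example tasks

  • Use alibabacloud-waf-checkresponse-intercept-query to help me complete the current task, and confirm the necessary context first.
  • Following the alibabacloud-waf-checkresponse-intercept-query description, list the operation steps and risk checkpoints.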

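Installation

  1. Download the Skill ZIP provided by this site and extract it.
  2. Place the extracted Skill directory in the skills directory supported by your current AI tool.
  3. To view the original content online, open SKILL.md on GitHub.

Original online address: modelscope-aliyun-alibabacloud-waf-checkresponse-intercept-query/SKILL.md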

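Risk boundaries

Before use, check permissions, external dependencies, and the types of data to be processed. For content involving third-party platform data, payments, deployment, accounts, and keys, verify against the official documentation first.

SKILL.md documentation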

WAF CheckResponse Intercept Query

Prerequisites

Before execution, you must collect the following information from the user:

| Parameter | Description | Required |
|-----------|-------------|----------|
| Request ID | The traceid obtained from the HTML body of WAF's block (intercept) response, or the Request ID shown on the 405 block page displayed in the browser | Yes |

Optional: WAF Instance ID, SLS Project name, SLS Logstore name (will be auto-discovered if not provided)

Notes:

  • Request ID (traceid) is obtained from the HTML body of WAF's block response, or from the 405 block page displayed in the browser
  • Uses Alibaba Cloud default credential chain for authentication (ECS RAM Role, ~/.alibabacloud/config, etc.)

Region Information

| RegionId Value | Region | Description |
|----------------|--------|-------------|
| cn-hangzhou | Chinese Mainland | WAF instances within mainland China |
| ap-southeast-1 | Outside Chinese Mainland | WAF instances in overseas and Hong Kong/Macao/Taiwan regions |

Query Workflow

Important: All aliyun CLI calls in this skill must include the header --header User-Agent=AlibabaCloud-Agent-Skills to identify the caller.

Step 1: Information Collection

Confirm the Request ID (traceid) with the user. If the user has not provided one, guide them to obtain it from:

1. The 405 block page displayed in the browser, which shows the Request ID directly

2. The HTML body of WAF's block (intercept) response, which contains the traceid

Step 2: Auto-Discover WAF Instances and Verify Log Service

If the user has not provided WAF Instance ID and SLS configuration, perform auto-discovery:

Step 2a: Discover WAF Instances

# Query WAF instances in both regions in parallel
aliyun waf-openapi DescribeInstance --region cn-hangzhou --RegionId cn-hangzhou --header User-Agent=AlibabaCloud-Agent-Skills
aliyun waf-openapi DescribeInstance --region ap-southeast-1 --RegionId ap-southeast-1 --header User-Agent=AlibabaCloud-Agent-Skills

Step 2b: Check Log Service Status (Mandatory Before Querying Logs)

Before retrieving SLS configuration, you MUST first verify that the WAF instance has log service enabled by calling DescribeSlsLogStoreStatus:

aliyun waf-openapi DescribeSlsLogStoreStatus --region <region-id> --InstanceId '<instance-id>' --RegionId '<region-id>' --header User-Agent=AlibabaCloud-Agent-Skills

  • If the response indicates log service is already enabled (SlsLogStoreStatus is true/enabled), skip the enable operation and proceed directly to Step 2c (idempotent: no redundant writes).
  • If log service is not enabled, inform the user that WAF log service must be activated before log queries can proceed. With user consent, call ModifyUserWafLogStatus to enable it:

aliyun waf-openapi ModifyUserWafLogStatus \
  --region <region-id> \
  --InstanceId '<instance-id>' \
  --Status 1 \
  --RegionId '<region-id>' \
  --header User-Agent=AlibabaCloud-Agent-Skills

> Constraint: This skill only supports enabling log service (Status=1). Disabling log service is not permitted. Never call this API with Status=0.

After enabling, wait a moment and re-verify with DescribeSlsLogStoreStatus to confirm activation.

Step 2c: Retrieve SLS Configuration (Mandatory After Confirming Log Service is Enabled)

Once DescribeSlsLogStoreStatus confirms that log service is enabled, you must immediately call DescribeSlsLogStore to obtain the WAF log Project and Logstore information:

aliyun waf-openapi DescribeSlsLogStore --region <region-id> --InstanceId '<instance-id>' --RegionId '<region-id>' --header User-Agent=AlibabaCloud-Agent-Skills

Key fields in the DescribeSlsLogStore response:

| Field | Description |
|-------|-------------|
| ProjectName | SLS Project name associated with the WAF instance |
| LogStoreName | SLS Logstore name for WAF logs |
| Ttl | Log retention period (in days) |

Cross-region note: The SLS log storage region may differ from the WAF instance region (e.g., WAF in ap-southeast-1 but SLS logs stored in ap-southeast-5). When querying SLS in Step 3, always use the region where the SLS Project is located, not the WAF instance region.

Step 3: Query SLS Logs

Use the ProjectName, LogStoreName and SLS region obtained from Step 2 to query block logs (prefer using the Python script):

# Query using script (recommended, supports automatic time range expansion)
python3 scripts/get_waf_logs.py \
  --project <project-name> \
  --logstore <logstore-name> \
  --request-id <request-id> \
  --region <sls-region>

Or use CLI directly:

TO_TIME=$(python3 -c "import time; print(int(time.time()))")
FROM_TIME=$((TO_TIME - 86400))

aliyun sls get-logs \
  --project <project-name> \
  --logstore <logstore-name> \
  --from $FROM_TIME \
  --to $TO_TIME \
  --query "<request-id>" \
  --region <sls-region> \
  --header User-Agent=AlibabaCloud-Agent-Skills

Important: The --region here must be the SLS log storage region, which may differ from the WAF instance region. Check the DescribeSlsLogStore response from Step 2 to determine the correct SLS region.

Step 4: Query Rule Details

Extract rule_id and final_plugin from the logs to query the rule configuration:

Important: The DescribeDefenseRule API requires the DefenseScene parameter. Common defense scenes include:

  • custom_acl - Custom access control rules
  • custom_cc - Custom rate limiting rules (CC rules)
  • waf_group - WAF protection rules
  • antiscan - Anti-scan rules
  • dlp - Data leakage prevention
  • tamperproof - Anti-tampering

You can determine the defense scene from final_plugin field in the logs:

| final_plugin | DefenseScene |
|--------------|--------------|
| customrule | custom_acl or custom_cc |
| waf | waf_group |
| scanner_behavior | antiscan |
| dlp | dlp |

# Query rule details with DefenseScene
aliyun waf-openapi DescribeDefenseRule \
  --region <region-id> \
  --InstanceId '<instance-id>' \
  --TemplateId <template-id> \
  --RuleId <rule-id> \
  --DefenseScene '<defense-scene>' \
  --RegionId '<region-id>' \
  --header User-Agent=AlibabaCloud-Agent-Skills

Note: If you don't know the TemplateId, first use DescribeDefenseTemplates to list templates:

aliyun waf-openapi DescribeDefenseTemplates \
  --region <region-id> \
  --InstanceId '<instance-id>' \
  --DefenseScene '<defense-scene>' \
  --RegionId '<region-id>' \
  --header User-Agent=AlibabaCloud-Agent-Skills

Step 5: Output Analysis Report

Output using the following template:

## WAF Block Analysis Report

### Request Information
- Request ID: {request_id}
- Block Time: {time}
- Client IP: {real_client_ip (masked, e.g. 192.***.***.***)} 
- Request URL: {host}{request_path}?{masked_query_params}

### Block Details
- Rule ID: {rule_id}
- Rule Name: {rule_name}
- Action: {action}

### Recommendations
{Provide recommendations based on rule type, refer to references/common-block-reasons.md}
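
An added example (not part of the original skill or its scripts) of Steps 4 and 5 applied to one log record: it maps final_plugin to the candidate DefenseScene values from the table above and masks the client IP and query values before they reach the report. The `querystring` field name, the alphanumeric Request ID check, the IPv6 mask format and the sample record are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, quote

# final_plugin -> candidate DefenseScene values, copied from the Step 4 table.
SCENES = {
    "customrule": ["custom_acl", "custom_cc"],
    "waf": ["waf_group"],
    "scanner_behavior": ["antiscan"],
    "dlp": ["dlp"],
}

def valid_request_id(rid):
    # The page says 32 characters, no hyphens; alphanumeric-only is an assumption.
    return re.fullmatch(r"[0-9A-Za-z]{32}", rid) is not None

def mask_ip(ip):
    # Keep the first IPv4 octet (template style) or the first IPv6 group.
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    if addr.version == 4:
        return str(addr).split(".")[0] + ".***.***.***"
    return addr.exploded.split(":")[0] + ":****" * 7

def mask_query(qs):
    # Keep parameter names for triage, hide every value (tokens, passwords).
    return "&".join(f"{quote(k)}=***" for k, _ in parse_qsl(qs, keep_blank_values=True))

def build_report(log):
    if not valid_request_id(log["request_id"]):
        raise ValueError("Request ID must be 32 characters without hyphens")
    url = log["host"] + log["request_path"]
    if log.get("querystring"):  # field name is an assumption
        url += "?" + mask_query(log["querystring"])
    return {
        "request_id": log["request_id"],
        "client_ip": mask_ip(log["real_client_ip"]),
        "url": url,
        "rule_id": log["rule_id"],
        "defense_scenes": SCENES.get(log["final_plugin"], []),
    }

# Constructed sample record for illustration, not real SLS output.
SAMPLE = {
    "request_id": "0a1b2c3d4e5f60718293a4b5c6d7e8f9",
    "real_client_ip": "203.0.113.57", "host": "shop.example.com",
    "request_path": "/login", "querystring": "user=alice&token=s3cr3t",
    "final_plugin": "customrule", "rule_id": "20001",
}
print(build_report(SAMPLE))
```

When `defense_scenes` holds more than one value, as it does for customrule, each candidate has to be tried with DescribeDefenseRule; an empty list means the plugin is not in the table and the scene must be confirmed another way.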

Troubleshooting

No Logs Found

1. Re-check global log service status (should have been verified in Step 2b, but re-confirm):

   aliyun waf-openapi DescribeSlsLogStoreStatus --region <region-id> --InstanceId '<instance-id>' --RegionId '<region-id>' --header User-Agent=AlibabaCloud-Agent-Skills

If not enabled, prompt the user and enable with ModifyUserWafLogStatus (see Step 2b). Only enabling (Status=1) is allowed.

2. Check protection object log switch:

   aliyun waf-openapi DescribeResourceLogStatus --region <region-id> --InstanceId '<instance-id>' --RegionId '<region-id>' --header User-Agent=AlibabaCloud-Agent-Skills

3. Enable protection object log collection (check-then-act: only if DescribeResourceLogStatus shows log collection is disabled for the target resource; skip if already enabled):

   aliyun waf-openapi ModifyResourceLogStatus \
     --region <region-id> \
     --InstanceId '<instance-id>' \
     --Resource '<resource-name>' \
     --Status true \
     --header User-Agent=AlibabaCloud-Agent-Skills

See [references/common-block-reasons.md](references/common-block-reasons.md) for protection object naming conventions.

Permission Denied Errors

If you encounter permission errors, check the following:

1. Verify CLI profile configuration:

   aliyun configure list

2. Check RAM policy permissions:

Required permissions:

  • waf-openapi:DescribeInstance
  • waf-openapi:DescribeSlsLogStoreStatus
  • waf-openapi:DescribeSlsLogStore
  • waf-openapi:ModifyUserWafLogStatus (optional, for enabling log service)
  • waf-openapi:DescribeDefenseRule (for rule details)
  • sls:GetLogs (for log queries)

3. Try specifying a different profile:

   aliyun waf-openapi DescribeInstance --profile <profile-name> --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills

Request ID Not Found

If the Request ID is not found in the logs:

1. Verify Request ID format: Should be 32 characters without hyphens

2. Check time range: The script automatically expands search up to 90 days

3. Verify the correct region: Try both cn-hangzhou and ap-southeast-1

4. Check log retention (TTL): Default is 180 days, use --ttl parameter if different

Multi-Instance Scenarios

If both Chinese Mainland and non-Chinese Mainland instances exist, determine based on query results:

  • Logs found in only one region -> use that region directly
  • Logs found in both regions -> ask the user for clarification
  • No logs found in either region -> ask the user for the expected region, check protection object log switch

Note: Follow the same discovery commands as in Step 2, then query logs across all discovered SLS projects until the Request ID is found.

Rule Operation Constraints

Warning: Rule Disabling Policy

When the user requests to disable a rule:

1. Check current rule status first — call DescribeDefenseRule to query the rule's current status. If the rule is already in the target state (e.g., already disabled), skip the write operation and inform the user (idempotent check-then-act pattern)

2. Only perform disable operations (ModifyDefenseRuleStatus with RuleStatus=0)

3. Never delete rules

4. Never modify rule content

5. Must confirm with user before executing

# Disable a rule (only after confirming it is currently enabled)
aliyun waf-openapi ModifyDefenseRuleStatus \
  --region <region-id> \
  --InstanceId '<instance-id>' \
  --RuleId <rule-id> \
  --RuleStatus 0 \
  --RegionId '<region-id>' \
  --header User-Agent=AlibabaCloud-Agent-Skills

See [references/rule-operations.md](references/rule-operations.md) for detailed instructions.
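
An added example (not the skill's own code) of the write-operation constraints from Step 2b and the rule disabling policy above, enforced in a wrapper instead of left to the caller: a write is planned only when the current state requires it and the user has agreed, and only the permitted status values can be emitted. The function names, the instance ID and rule ID character checks, and the argv-list return form are assumptions; the caller is expected to have read the current state with the Describe* calls first.

```python
import re

REGIONS = {"cn-hangzhou", "ap-southeast-1"}  # RegionId values from the page
UA = ["--header", "User-Agent=AlibabaCloud-Agent-Skills"]

def _base(api, region, instance_id):
    # Validate before anything reaches the CLI; argv lists avoid shell parsing.
    if region not in REGIONS:
        raise ValueError(f"unexpected WAF region: {region!r}")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", instance_id):  # assumed charset
        raise ValueError("unexpected characters in instance ID")
    return ["aliyun", "waf-openapi", api, "--region", region,
            "--InstanceId", instance_id]

def plan_rule_disable(region, instance_id, rule_id, enabled_now, user_confirmed):
    """argv for ModifyDefenseRuleStatus, or None if the rule is already disabled."""
    if not re.fullmatch(r"[0-9]+", str(rule_id)):  # assumed numeric rule IDs
        raise ValueError("unexpected rule ID")
    if not enabled_now:
        return None  # check-then-act: already in the target state, no write
    if not user_confirmed:
        raise PermissionError("user must confirm before a rule is disabled")
    return (_base("ModifyDefenseRuleStatus", region, instance_id)
            + ["--RuleId", str(rule_id), "--RuleStatus", "0",
               "--RegionId", region] + UA)

def plan_log_enable(region, instance_id, enabled_now, user_consented, status=1):
    """argv for ModifyUserWafLogStatus, or None if log service is already on."""
    if status != 1:
        raise PermissionError("only Status=1 (enable) is permitted")
    if enabled_now:
        return None  # idempotent: no redundant write
    if not user_consented:
        raise PermissionError("user must consent before log service is enabled")
    return (_base("ModifyUserWafLogStatus", region, instance_id)
            + ["--Status", "1", "--RegionId", region] + UA)
```

The returned list is meant for `subprocess.run(argv)` without `shell=True`, so a malformed rule or instance ID is rejected before it can be interpreted by a shell.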

References

  • [RAM Policy Requirements](references/ram-policies.md)
  • [Rule Configuration Details](references/rule-config-details.md)
  • [Rule Operation Policy](references/rule-operations.md)
  • [Common Block Reasons](references/common-block-reasons.md)
  • WAF OpenAPI