WAF events for OWASP rules should include "logdata" output

I’m trying to dig deeper on some OWASP rule triggers for tailoring the WAF to a site, but the WAF event only tells me the rule ID, e.g. 941340.

Looking at that rule: coreruleset/REQUEST-941-APPLICATION-ATTACK-XSS.conf at 83f922c3d0a334ee10c27661a5c251b5bd92f0c6 (coreruleset/coreruleset on GitHub)

It’s looking at several areas (cookies, args, values, etc.) as expected, but I’m unable to view what the “logdata” would say to get a better idea of where/what to look for. E.g., a cookie value containing such and such special characters.

It would be nice if that extra logging could be turned on temporarily so I can investigate deeper.

As far as I remember, using the Cloudflare API? as the JSON response has got more fields to inspect.

In terms of logging, I think it could depend on the Cloudflare plan you are using, if you can export the logs and parse them (JSON), for example, and use GraphQL to get better insights into that.

If not yet possible, I believe it might be available in some future to get some part of the “logdata” on the lower plans, if so.

Haven’t tried yet, could be I am wrong about this.

Thanks for the tips. It’s on the Pro plan in most cases. I didn’t see anything in the API, and not in the log field descriptions for this.

Originally I was looking at the JSON exported from the dashboard for the event. There is a “metadata” array with data like the list of rule IDs contributing to the OWASP score. I imagine another field could be added to that for the “logdata” message at some point.
