Reputation: 121
I'm trying to create a report where, if an IP has attacked the server more than 1000 times in one minute, it is a DoS attack. AWS WAF is writing its logs to S3, and using Lambda we will check whether a certain IP crosses the threshold.
import gzip
import json
import urllib.parse

import boto3

s3 = boto3.client('s3')


def lambda_handler(event, context):
    # Main configuration variables
    requests_limit = 100

    # Parsing the required information out of the event structure
    bucket_name = event['Records'][0]['s3']['bucket']['name']
    file_name = urllib.parse.unquote_plus(event['Records'][0]['s3']['object']['key'])
    response = s3.get_object(Bucket=bucket_name, Key=file_name)
    target_bucket = 'blocketrequest'
    FILE = 'Filtered' + file_name
    text = response["Body"].read().decode()
    e = text.split("\n")

    # Parsing IPs out of the access log file
    suspicious_ips = {}
    for each in e:
        if not each.strip():
            continue  # skip blank lines, e.g. the one after the final newline
        try:
            loaded_data = json.loads(each)
            ip = loaded_data['httpRequest']['clientIp']
            if ip in suspicious_ips.keys():
                suspicious_ips[ip] += 1
            else:
                suspicious_ips[ip] = 1
        except Exception as err:
            print(f"Problem with line:{str(err)}")
            continue  # skip the bad record instead of dropping the rest of the file

    # Filtering IPs that exceeded the limit and preparing inserts to WAF
    updates_list = []
    for ip in suspicious_ips.keys():
        if suspicious_ips[ip] < requests_limit:
            continue
        updates_list.append({
            'Action': 'INSERT',
            'IPSetDescriptor': {
                'Type': 'IPV4',
                'Value': "%s/32" % ip
            }
        })

    # Exit if there are no malicious IPs
    if updates_list == []:
        return

    # put_object needs bytes or a string for Body, so serialise the list first
    s3.put_object(Body=json.dumps(updates_list), Bucket=target_bucket, Key=FILE)
    print('transferred')
In this code I'm getting an indentation error on line 44. Can someone help?
Upvotes: 0
Views: 882
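An added example, not part of the original posts: counting requests per IP per one-minute bucket rather than per log file, which is what the 1000-per-minute rule in the question needs. It assumes each WAF record carries a `timestamp` field in epoch milliseconds next to `httpRequest.clientIp`; the function names and the sample data are constructed for illustration.

```python
import gzip
import json
from collections import Counter

THRESHOLD = 1000      # requests per IP per minute (the figure in the question)
WINDOW_MS = 60_000    # assumption: WAF log "timestamp" is epoch milliseconds

def load_lines(raw: bytes):
    """Decode a log object body; gunzip first if it carries the gzip magic."""
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return raw.decode("utf-8", errors="replace").splitlines()

def ips_over_threshold(raw: bytes, threshold: int = THRESHOLD):
    """Return ({ip: peak one-minute count}, skipped_lines) for IPs >= threshold."""
    per_minute = Counter()
    skipped = 0
    for line in load_lines(raw):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            key = (rec["httpRequest"]["clientIp"], int(rec["timestamp"]) // WINDOW_MS)
        except (ValueError, KeyError, TypeError):
            skipped += 1          # count bad records instead of aborting the scan
            continue
        per_minute[key] += 1
    peaks = {}
    for (ip, _minute), count in per_minute.items():
        if count >= threshold:
            peaks[ip] = max(count, peaks.get(ip, 0))
    return peaks, skipped

def sample_log() -> bytes:
    """Constructed sample: gzip'd JSON lines, not real traffic."""
    base = 28_333_334 * WINDOW_MS          # minute-aligned epoch ms
    rows = [{"timestamp": base + i * 40, "httpRequest": {"clientIp": "203.0.113.7"}}
            for i in range(1200)]          # 1200 requests inside one minute
    rows += [{"timestamp": base + i * 120, "httpRequest": {"clientIp": "198.51.100.9"}}
             for i in range(1500)]         # 1500 requests, but only 500 per minute
    lines = [json.dumps(r) for r in rows] + ["not json"]
    return gzip.compress("\n".join(lines).encode())

if __name__ == "__main__":
    print(ips_over_threshold(sample_log()))
```

Fixed one-minute buckets can split a burst that straddles a minute boundary; a sliding window over sorted timestamps closes that gap.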
Reputation: 301
This is probably counter-productive, but have you looked into Amazon Athena? It allows you to query the log easily in SQL. I think there's an Athena SDK for Python as well.
Upvotes: 0
Reputation: 21
You can do syntax checks a lot of ways. I love using Visual Studio Code with the Python plugin.
You can also ask Python to compile your code without running it to check the file.
Python 3 shows no error with your file:
$ python3 -m py_compile 61327893.py
$
I assume you're not using 2.7, but here is the same command.
$ python2.7 -m py_compile 61327893.py
File "61327893.py", line 35
print(f"TotalRecords:{len(e)}")
^
SyntaxError: invalid syntax
Another great non-Microsoft option is this online pep8 checker: http://pep8online.com/
Can you post the stacktrace you are seeing? The error might be in imported code.
Upvotes: 1