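WAF CheckResponse Intercept Query

Prerequisites

Pre-check: Aliyun CLI >= 3.3.3 required. Run `aliyun version` to verify >= 3.3.3. If not installed or version too low, run `curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash` to update, or see `references/cli-installation-guide.md` for installation instructions.

Pre-check: Aliyun CLI plugin update required. [MUST] run `aliyun configure set --auto-plugin-install true` to enable automatic plugin installation. [MUST] run `aliyun plugin update` to ensure that any existing plugins are always up-to-date.

At the start of the Core Workflow (before any CLI invocation): [MUST] Enable AI-Mode — AI-mode is required for Agent Skill execution. Run the following commands before any CLI invocation: `aliyun configure ai-mode enable` and `aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query"`.

[MUST] Disable AI-Mode at EVERY exit point —…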

)\n\n# Pattern: request trace ID — hex, alphanumeric, hyphens (e.g. UUIDs, trace IDs)\n_REQUEST_ID_RE = re.compile(r'^[a-zA-Z0-9-]{1,128}$'

)\n\n# Pattern: WAF instance ID (e.g. waf_v3cdnrecognition-cn-xxx, waf-cn-xxx)\n_INSTANCE_ID_RE = re.compile(r'^[a-zA-Z0-9_-]{1,128}$'

)\n\n\ndef _validate_sls_name(value, label):\n \"\"\"Validate SLS project / logstore name format.\"\"\"\n if not _SLS_NAME_RE.match(value):\n raise argparse.ArgumentTypeError(\n f\"Invalid {label}: '{value}'. \"\n f\"Must start with alphanumeric and contain only [a-zA-Z0-9_-], max 128 chars.\"\n )\n return value\n\n\ndef _validate_request_id(value):\n \"\"\"Validate request ID format (alphanumeric + hyphens).\"\"\"\n if not _REQUEST_ID_RE.match(value):\n raise argparse.ArgumentTypeError(\n f\"Invalid request ID: '{value}'. \"\n f\"Must contain only [a-zA-Z0-9-], max 128 chars.\"\n )\n return value\n\n\ndef _validate_region(value):\n \"\"\"Validate region is a known Alibaba Cloud region ID.\"\"\"\n if value not in _VALID_REGIONS:\n raise argparse.ArgumentTypeError(\n f\"Invalid region: '{value}'. \"\n f\"Must be a valid Alibaba Cloud region ID (e.g. cn-hangzhou, ap-southeast-1).\"\n )\n return value\n\n\ndef _validate_instance_id(value):\n \"\"\"Validate WAF instance ID format.\"\"\"\n if not _INSTANCE_ID_RE.match(value):\n raise argparse.ArgumentTypeError(\n f\"Invalid instance ID: '{value}'. \"\n f\"Must contain only [a-zA-Z0-9_-], max 128 chars.\"\n )\n return value\n\n\ndef _validate_ttl(value):\n \"\"\"Validate TTL is a positive integer within a reasonable range.\"\"\"\n try:\n ivalue = int(value)\n except (ValueError, TypeError):\n raise argparse.ArgumentTypeError(f\"Invalid TTL: '{value}'. Must be a positive integer.\")\n if ivalue \u003c 1 or ivalue > 3650:\n raise argparse.ArgumentTypeError(\n f\"TTL out of range: {ivalue}. 
Must be between 1 and 3650 days.\"\n )\n return ivalue\n\n\ndef main():\n parser = argparse.ArgumentParser(description='Query WAF SLS block logs')\n parser.add_argument('--project', required=True,\n type=lambda v: _validate_sls_name(v, 'project'),\n help='SLS Project name')\n parser.add_argument('--logstore', required=True,\n type=lambda v: _validate_sls_name(v, 'logstore'),\n help='SLS Logstore name')\n parser.add_argument('--request-id', required=True,\n type=_validate_request_id,\n help='Request ID to query')\n parser.add_argument('--region', default='ap-southeast-5',\n type=_validate_region,\n help='SLS region (default: ap-southeast-5)')\n parser.add_argument('--ttl', type=_validate_ttl, default=90,\n help='Log retention period in days (default: 90, max: 3650)')\n parser.add_argument('--json', action='store_true', help='Output raw logs in JSON format')\n parser.add_argument('--instance-id',\n type=_validate_instance_id,\n help='WAF instance ID (for querying rule details)')\n parser.add_argument('--waf-region',\n type=_validate_region,\n help='WAF region (for querying rule details, defaults to --region)')\n \n args = parser.parse_args()\n \n # WAF region defaults to SLS region\n waf_region = args.waf_region if args.waf_region else args.region\n \n print(\"=\"*60)\n print(\"WAF SLS Log Query\")\n print(\"=\"*60)\n print(f\"Project: {args.project}\")\n print(f\"Logstore: {args.logstore}\")\n print(f\"Request ID: {args.request_id}\")\n print(f\"Region: {args.region}\")\n print(f\"Current timestamp: {get_current_timestamp()} ({time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(get_current_timestamp()))})\")\n \n # Query logs\n logs = query_sls_logs(args.project, args.logstore, args.request_id, args.region, args.ttl)\n \n if logs:\n if args.json:\n # JSON format output — mask sensitive fields before emitting\n sanitized_logs = []\n for log in logs:\n sanitized = {}\n for k, v in log.items():\n if _is_sensitive_field(k):\n sanitized[k] = _mask_field_value(k, v)\n elif 
k.lower() in ('request_uri', 'uri', 'querystring', 'query_string'):\n sanitized[k] = _mask_uri(str(v))\n else:\n sanitized[k] = v\n sanitized_logs.append(sanitized)\n print(\"\\n\" + json.dumps(sanitized_logs, indent=2, ensure_ascii=False))\n else:\n # Analysis format output (with rule details)\n print_log_analysis(logs, args.instance_id, waf_region)\n return 0\n else:\n print(\"\\nSuggestions:\")\n print(\" 1. Verify the Request ID is correct\")\n print(\" 2. Confirm that the log service is enabled\")\n print(\" 3. Wait 3-5 minutes and retry (log sync delay)\")\n return 1\n\n\nif __name__ == '__main__':\n sys.exit(main())\n","content_type":"text/x-python; charset=utf-8","language":"python","size":21511,"content_sha256":"ce00dbe60d55e15f18560138522d3c1b3df35e40e370c60395e7507c2a7b9c6c"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"WAF CheckResponse Intercept Query","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Prerequisites","type":"text"}]},{"type":"paragraph","content":[{"text":"Pre-check: Aliyun CLI >= 3.3.3 required","type":"text","marks":[{"type":"strong"}]}]},{"type":"blockquote","content":[{"type":"paragraph","content":[{"text":"Run ","type":"text"},{"text":"aliyun version","type":"text","marks":[{"type":"code_inline"}]},{"text":" to verify >= 3.3.3. 
If not installed or version too low, run ","type":"text"},{"text":"curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash","type":"text","marks":[{"type":"code_inline"}]},{"text":" to update, or see ","type":"text"},{"text":"references/cli-installation-guide.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" for installation instructions.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"Pre-check: Aliyun CLI plugin update required","type":"text","marks":[{"type":"strong"}]}]},{"type":"blockquote","content":[{"type":"paragraph","content":[{"text":"[MUST] run ","type":"text"},{"text":"aliyun configure set --auto-plugin-install true","type":"text","marks":[{"type":"code_inline"}]},{"text":" to enable automatic plugin installation. [MUST] run ","type":"text"},{"text":"aliyun plugin update","type":"text","marks":[{"type":"code_inline"}]},{"text":" to ensure that any existing plugins are always up-to-date.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"At the ","type":"text"},{"text":"start","type":"text","marks":[{"type":"strong"}]},{"text":" of the Core Workflow (before any CLI invocation): ","type":"text"},{"text":"[MUST] Enable AI-Mode","type":"text","marks":[{"type":"strong"}]},{"text":" — AI-mode is required for Agent Skill execution. Run the following commands before any CLI invocation:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aliyun configure ai-mode enable\naliyun configure ai-mode set-user-agent --user-agent \"AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query\"","type":"text"}]},{"type":"paragraph","content":[{"text":"[MUST] Disable AI-Mode at EVERY exit point","type":"text","marks":[{"type":"strong"}]},{"text":" — Before delivering the final response for ANY reason, always disable AI-mode first. 
This applies to ALL exit paths: workflow success, workflow failure, error/exception, user cancellation, session end, or any other scenario where no further CLI commands will be executed. AI-mode is only used for Agent Skill invocation scenarios and MUST NOT remain enabled after the skill stops running.","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aliyun configure ai-mode disable","type":"text"}]},{"type":"paragraph","content":[{"text":"[MUST] CLI User-Agent","type":"text","marks":[{"type":"strong"}]},{"text":" — Every ","type":"text"},{"text":"aliyun","type":"text","marks":[{"type":"code_inline"}]},{"text":" CLI command invocation must include: ","type":"text"},{"text":"--user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query","type":"text","marks":[{"type":"code_inline"}]}]},{"type":"paragraph","content":[{"text":"Before execution, you ","type":"text"},{"text":"must","type":"text","marks":[{"type":"strong"}]},{"text":" collect the following information from the user:","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Parameter","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Required","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Request ID","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"The traceid obtained from the HTML body of 
WAF's block (intercept) response, or the Request ID shown on the 405 block page displayed in the browser","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Yes","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"text":"Optional","type":"text","marks":[{"type":"strong"}]},{"text":": WAF Instance ID, SLS Project name, SLS Logstore name (will be auto-discovered if not provided)","type":"text"}]},{"type":"paragraph","content":[{"text":"Notes","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Request ID (traceid) is obtained from the HTML body of WAF's block response, or from the 405 block page displayed in the browser","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Uses Alibaba Cloud default credential chain for authentication (ECS RAM Role, ~/.alibabacloud/config, etc.)","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Region Information","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"RegionId 
Value","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Region","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"cn-hangzhou","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Chinese Mainland","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"WAF instances within mainland China","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ap-southeast-1","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Outside Chinese Mainland","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"WAF instances in overseas and Hong Kong/Macao/Taiwan regions","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Query Workflow","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 1: Information Collection","type":"text"}]},{"type":"paragraph","content":[{"text":"Confirm the Request ID (traceid) with the user. 
If the user has not provided one, guide them to obtain it from:","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"The 405 block page displayed in the browser, which shows the Request ID directly","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"The HTML body of WAF's block (intercept) response, which contains the traceid","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 2: Auto-Discover WAF Instances and Verify Log Service","type":"text"}]},{"type":"paragraph","content":[{"text":"If the user has not provided WAF Instance ID and SLS configuration, perform auto-discovery:","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Step 2a: Discover WAF Instances","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Query WAF instances in both regions in parallel\naliyun waf-openapi DescribeInstance --region cn-hangzhou --RegionId cn-hangzhou --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query\naliyun waf-openapi DescribeInstance --region ap-southeast-1 --RegionId ap-southeast-1 --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Step 2b: Check Log Service Status (Mandatory Before Querying Logs)","type":"text"}]},{"type":"paragraph","content":[{"text":"Before retrieving SLS configuration, you MUST first verify that the WAF instance has log service enabled","type":"text","marks":[{"type":"strong"}]},{"text":" by calling ","type":"text"},{"text":"DescribeSlsLogStoreStatus","type":"text","marks":[{"type":"code_inline"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aliyun waf-openapi DescribeSlsLogStoreStatus 
--region \u003cregion-id> --InstanceId '\u003cinstance-id>' --RegionId '\u003cregion-id>' --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"If the response indicates log service is ","type":"text"},{"text":"already enabled","type":"text","marks":[{"type":"strong"}]},{"text":" (","type":"text"},{"text":"SlsLogStoreStatus","type":"text","marks":[{"type":"code_inline"}]},{"text":" is true/enabled), ","type":"text"},{"text":"skip","type":"text","marks":[{"type":"strong"}]},{"text":" the enable operation and proceed directly to ","type":"text"},{"text":"Step 2c","type":"text","marks":[{"type":"strong"}]},{"text":" (idempotent: no redundant writes).","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"If log service is ","type":"text"},{"text":"not enabled","type":"text","marks":[{"type":"strong"}]},{"text":", inform the user that WAF log service must be activated before log queries can proceed. With user consent, call ","type":"text"},{"text":"ModifyUserWafLogStatus","type":"text","marks":[{"type":"code_inline"}]},{"text":" to enable it:","type":"text"}]}]}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aliyun waf-openapi ModifyUserWafLogStatus \\\n --region \u003cregion-id> \\\n --InstanceId '\u003cinstance-id>' \\\n --Status 1 \\\n --RegionId '\u003cregion-id>' \\\n --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query","type":"text"}]},{"type":"blockquote","content":[{"type":"paragraph","content":[{"text":"Constraint","type":"text","marks":[{"type":"strong"}]},{"text":": This skill only supports ","type":"text"},{"text":"enabling","type":"text","marks":[{"type":"strong"}]},{"text":" log service (","type":"text"},{"text":"Status=1","type":"text","marks":[{"type":"code_inline"}]},{"text":"). 
Disabling log service is ","type":"text"},{"text":"not permitted","type":"text","marks":[{"type":"strong"}]},{"text":". Never call this API with ","type":"text"},{"text":"Status=0","type":"text","marks":[{"type":"code_inline"}]},{"text":".","type":"text"}]}]},{"type":"paragraph","content":[{"text":"After enabling, wait a moment and re-verify with ","type":"text"},{"text":"DescribeSlsLogStoreStatus","type":"text","marks":[{"type":"code_inline"}]},{"text":" to confirm activation.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Step 2c: Retrieve SLS Configuration (Mandatory After Confirming Log Service is Enabled)","type":"text"}]},{"type":"paragraph","content":[{"text":"Once ","type":"text"},{"text":"DescribeSlsLogStoreStatus","type":"text","marks":[{"type":"code_inline"}]},{"text":" confirms that log service is enabled, you ","type":"text"},{"text":"must immediately","type":"text","marks":[{"type":"strong"}]},{"text":" call ","type":"text"},{"text":"DescribeSlsLogStore","type":"text","marks":[{"type":"code_inline"}]},{"text":" to obtain the WAF log Project and Logstore information:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aliyun waf-openapi DescribeSlsLogStore --region \u003cregion-id> --InstanceId '\u003cinstance-id>' --RegionId '\u003cregion-id>' --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query","type":"text"}]},{"type":"paragraph","content":[{"text":"Key fields in the ","type":"text"},{"text":"DescribeSlsLogStore","type":"text","marks":[{"type":"code_inline"}]},{"text":" 
response:","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Field","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ProjectName","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SLS Project name associated with the WAF instance","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"LogStoreName","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SLS Logstore name for WAF logs","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Ttl","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Log retention period (in days)","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"text":"Cross-region note","type":"text","marks":[{"type":"strong"}]},{"text":": The SLS log storage region may differ from the WAF instance region (e.g., WAF in ","type":"text"},{"text":"ap-southeast-1","type":"text","marks":[{"type":"code_inline"}]},{"text":" but SLS logs stored in 
","type":"text"},{"text":"ap-southeast-5","type":"text","marks":[{"type":"code_inline"}]},{"text":"). When querying SLS in Step 3, always use the region where the SLS Project is located, not the WAF instance region.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 3: Query SLS Logs","type":"text"}]},{"type":"paragraph","content":[{"text":"Use the ","type":"text"},{"text":"ProjectName","type":"text","marks":[{"type":"code_inline"}]},{"text":", ","type":"text"},{"text":"LogStoreName","type":"text","marks":[{"type":"code_inline"}]},{"text":" and SLS region obtained from Step 2 to query block logs (prefer using the Python script):","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Query using script (recommended, supports automatic time range expansion)\npython3 scripts/get_waf_logs.py \\\n --project \u003cproject-name> \\\n --logstore \u003clogstore-name> \\\n --request-id \u003crequest-id> \\\n --region \u003csls-region>","type":"text"}]},{"type":"paragraph","content":[{"text":"Or use CLI directly:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"TO_TIME=$(python3 -c \"import time; print(int(time.time()))\")\nFROM_TIME=$((TO_TIME - 86400))\n\naliyun sls get-logs \\\n --project \u003cproject-name> \\\n --logstore \u003clogstore-name> \\\n --from $FROM_TIME \\\n --to $TO_TIME \\\n --query \"\u003crequest-id>\" \\\n --region \u003csls-region> \\\n --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query","type":"text"}]},{"type":"paragraph","content":[{"text":"Important","type":"text","marks":[{"type":"strong"}]},{"text":": The ","type":"text"},{"text":"--region","type":"text","marks":[{"type":"code_inline"}]},{"text":" here must be the SLS log storage region, which may differ from the WAF instance region. 
Check the ","type":"text"},{"text":"DescribeSlsLogStore","type":"text","marks":[{"type":"code_inline"}]},{"text":" response from Step 2 to determine the correct SLS region.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 4: Query Rule Details","type":"text"}]},{"type":"paragraph","content":[{"text":"Extract ","type":"text"},{"text":"rule_id","type":"text","marks":[{"type":"code_inline"}]},{"text":" and ","type":"text"},{"text":"final_plugin","type":"text","marks":[{"type":"code_inline"}]},{"text":" from the logs to query the rule configuration:","type":"text"}]},{"type":"paragraph","content":[{"text":"Important","type":"text","marks":[{"type":"strong"}]},{"text":": The ","type":"text"},{"text":"DescribeDefenseRule","type":"text","marks":[{"type":"code_inline"}]},{"text":" API requires the ","type":"text"},{"text":"DefenseScene","type":"text","marks":[{"type":"code_inline"}]},{"text":" parameter. Common defense scenes include:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"custom_acl","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Custom access control rules","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"custom_cc","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Custom rate limiting rules (CC rules)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"waf_group","type":"text","marks":[{"type":"code_inline"}]},{"text":" - WAF protection rules","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"antiscan","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Anti-scan rules","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"dlp","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Data leakage 
prevention","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"tamperproof","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Anti-tampering","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"You can determine the defense scene from ","type":"text"},{"text":"final_plugin","type":"text","marks":[{"type":"code_inline"}]},{"text":" field in the logs:","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"final_plugin","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"DefenseScene","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"customrule","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"custom_acl or 
custom_cc","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"waf","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"waf_group","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"scanner_behavior","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"antiscan","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"dlp","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"dlp","type":"text"}]}]}]}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Query rule details with DefenseScene\naliyun waf-openapi DescribeDefenseRule \\\n --region \u003cregion-id> \\\n --InstanceId '\u003cinstance-id>' \\\n --TemplateId \u003ctemplate-id> \\\n --RuleId \u003crule-id> \\\n --DefenseScene '\u003cdefense-scene>' \\\n --RegionId '\u003cregion-id>' \\\n --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query","type":"text"}]},{"type":"paragraph","content":[{"text":"Note","type":"text","marks":[{"type":"strong"}]},{"text":": If you don't know the ","type":"text"},{"text":"TemplateId","type":"text","marks":[{"type":"code_inline"}]},{"text":", first use ","type":"text"},{"text":"DescribeDefenseTemplates","type":"text","marks":[{"type":"code_inline"}]},{"text":" to list 
templates:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aliyun waf-openapi DescribeDefenseTemplates \\\n --region \u003cregion-id> \\\n --InstanceId '\u003cinstance-id>' \\\n --DefenseScene '\u003cdefense-scene>' \\\n --RegionId '\u003cregion-id>' \\\n --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 5: Output Analysis Report","type":"text"}]},{"type":"paragraph","content":[{"text":"Output using the following template:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"markdown"},"content":[{"text":"## WAF Block Analysis Report\n\n### Request Information\n- Request ID: {request_id}\n- Block Time: {time}\n- Client IP: {real_client_ip (masked, e.g. 192.***.***.***)} \n- Request URL: {host}{request_path}?{masked_query_params}\n\n### Block Details\n- Rule ID: {rule_id}\n- Rule Name: {rule_name}\n- Action: {action}\n\n### Recommendations\n{Provide recommendations based on rule type, refer to references/common-block-reasons.md}","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Troubleshooting","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"No Logs Found","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Re-check global log service status","type":"text","marks":[{"type":"strong"}]},{"text":" (should have been verified in Step 2b, but re-confirm):","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aliyun waf-openapi DescribeSlsLogStoreStatus --region \u003cregion-id> --InstanceId '\u003cinstance-id>' --RegionId '\u003cregion-id>' --user-agent 
AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query","type":"text"}]},{"type":"paragraph","content":[{"text":"If not enabled, prompt the user and enable with ","type":"text"},{"text":"ModifyUserWafLogStatus","type":"text","marks":[{"type":"code_inline"}]},{"text":" (see Step 2b). Only enabling (","type":"text"},{"text":"Status=1","type":"text","marks":[{"type":"code_inline"}]},{"text":") is allowed.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Check protection object log switch","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aliyun waf-openapi DescribeResourceLogStatus --region \u003cregion-id> --InstanceId '\u003cinstance-id>' --RegionId '\u003cregion-id>' --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Enable protection object log collection","type":"text","marks":[{"type":"strong"}]},{"text":" (check-then-act: only if ","type":"text"},{"text":"DescribeResourceLogStatus","type":"text","marks":[{"type":"code_inline"}]},{"text":" shows log collection is disabled for the target resource; skip if already enabled):","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aliyun waf-openapi ModifyResourceLogStatus \\\n --region \u003cregion-id> \\\n --InstanceId '\u003cinstance-id>' \\\n --Resource '\u003cresource-name>' \\\n --Status true \\\n --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"See ","type":"text"},{"text":"references/common-block-reasons.md","type":"text","marks":[{"type":"link","attrs":{"href":"references/common-block-reasons.md","title":null}}]},{"text":" for protection object naming 
conventions.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Permission Denied Errors","type":"text"}]},{"type":"paragraph","content":[{"text":"If you encounter permission errors, check the following:","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Verify CLI profile configuration","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aliyun configure list","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Check RAM policy permissions","type":"text","marks":[{"type":"strong"}]},{"text":": Required permissions:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"waf-openapi:DescribeInstance","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"waf-openapi:DescribeSlsLogStoreStatus","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"waf-openapi:DescribeSlsLogStore","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"waf-openapi:ModifyUserWafLogStatus","type":"text","marks":[{"type":"code_inline"}]},{"text":" (optional, for enabling log service)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"waf-openapi:DescribeDefenseRule","type":"text","marks":[{"type":"code_inline"}]},{"text":" (for rule details)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"sls:GetLogs","type":"text","marks":[{"type":"code_inline"}]},{"text":" (for log 
queries)","type":"text"}]}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Try specifying a different profile","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"aliyun waf-openapi DescribeInstance --profile \u003cprofile-name> --region \u003cregion-id> --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Request ID Not Found","type":"text"}]},{"type":"paragraph","content":[{"text":"If the Request ID is not found in the logs:","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Verify Request ID format","type":"text","marks":[{"type":"strong"}]},{"text":": Should be 32 characters without hyphens","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Check time range","type":"text","marks":[{"type":"strong"}]},{"text":": The script automatically expands search up to 90 days","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Verify the correct region","type":"text","marks":[{"type":"strong"}]},{"text":": Try both ","type":"text"},{"text":"cn-hangzhou","type":"text","marks":[{"type":"code_inline"}]},{"text":" and ","type":"text"},{"text":"ap-southeast-1","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Check log retention (TTL)","type":"text","marks":[{"type":"strong"}]},{"text":": Default is 180 days, use ","type":"text"},{"text":"--ttl","type":"text","marks":[{"type":"code_inline"}]},{"text":" parameter if different","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Multi-Instance 
Scenarios","type":"text"}]},{"type":"paragraph","content":[{"text":"If both Chinese Mainland and non-Chinese Mainland instances exist, determine based on query results:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Logs found in only one region -> use that region directly","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Logs found in both regions -> ask the user for clarification","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"No logs found in either region -> ask the user for the expected region, check protection object log switch","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Note","type":"text","marks":[{"type":"strong"}]},{"text":": Follow the same discovery commands as in Step 2, then query logs across all discovered SLS projects until the Request ID is found.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Rule Operation Constraints","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Warning: Rule Disabling Policy","type":"text"}]},{"type":"paragraph","content":[{"text":"When the user requests to disable a rule:","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Check current rule status first","type":"text","marks":[{"type":"strong"}]},{"text":" — call ","type":"text"},{"text":"DescribeDefenseRule","type":"text","marks":[{"type":"code_inline"}]},{"text":" to query the rule's current status. 
If the rule is already in the target state (e.g., already disabled), ","type":"text"},{"text":"skip","type":"text","marks":[{"type":"strong"}]},{"text":" the write operation and inform the user (idempotent check-then-act pattern)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Only perform disable operations","type":"text","marks":[{"type":"strong"}]},{"text":" (","type":"text"},{"text":"ModifyDefenseRuleStatus","type":"text","marks":[{"type":"code_inline"}]},{"text":" with ","type":"text"},{"text":"RuleStatus=0","type":"text","marks":[{"type":"code_inline"}]},{"text":")","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Never delete rules","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Never modify rule content","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Must confirm with user before executing","type":"text"}]}]}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Disable a rule (only after confirming it is currently enabled)\naliyun waf-openapi ModifyDefenseRuleStatus \\\n --region \u003cregion-id> \\\n --InstanceId '\u003cinstance-id>' \\\n --RuleId \u003crule-id> \\\n --RuleStatus 0 \\\n --RegionId '\u003cregion-id>' \\\n --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query","type":"text"}]},{"type":"paragraph","content":[{"text":"See ","type":"text"},{"text":"references/rule-operations.md","type":"text","marks":[{"type":"link","attrs":{"href":"references/rule-operations.md","title":null}}]},{"text":" for detailed instructions.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"References","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"RAM Policy 
Requirements","type":"text","marks":[{"type":"link","attrs":{"href":"references/ram-policies.md","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Rule Configuration Details","type":"text","marks":[{"type":"link","attrs":{"href":"references/rule-config-details.md","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Rule Operation Policy","type":"text","marks":[{"type":"link","attrs":{"href":"references/rule-operations.md","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Common Block Reasons","type":"text","marks":[{"type":"link","attrs":{"href":"references/common-block-reasons.md","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"WAF OpenAPI","type":"text","marks":[{"type":"link","attrs":{"href":"https://help.aliyun.com/zh/waf/web-application-firewall-3-0/developer-reference","title":null}}]}]}]}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"alibabacloud-waf-checkresponse-intercept-query","author":"@skillopedia","source":{"stars":133,"repo_name":"alibabacloud-aiops-skills","origin_url":"https://github.com/aliyun/alibabacloud-aiops-skills/blob/HEAD/skills/security/waf/alibabacloud-waf-checkresponse-intercept-query/SKILL.md","repo_owner":"aliyun","body_sha256":"a7098b873268a650c9c484f71675084267d9fbb7a79f751cda294b8ff5855139","cluster_key":"d75fdbe0d9d152d6a1a09ee8f71a3c77457249bbba93fc669a9e2d30256e43d9","clean_bundle":{"format":"clean-skill-bundle-v1","source":"aliyun/alibabacloud-aiops-skills/skills/security/waf/alibabacloud-waf-checkresponse-intercept-query/SKILL.md","attachments":[{"id":"9564858f-f114-5624-a423-f67056eefebe","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/9564858f-f114-5624-a423-f67056eefebe/attachment.md","path":"references/common-block-reasons.md","size":1649,"sha256":"38313b549527bde4bc77e050d65c29f0bdea232b6d107a2b6f59dce2e2962a73","conte
ntType":"text/markdown; charset=utf-8"},{"id":"c28ff708-58ad-5a9b-9548-4eb3369e2676","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/c28ff708-58ad-5a9b-9548-4eb3369e2676/attachment.md","path":"references/ram-policies.md","size":2838,"sha256":"d811b226e0d345d09fe4d6b56714e7ad51a49e0a7a79fe8ee1030c487d3ac8a5","contentType":"text/markdown; charset=utf-8"},{"id":"689e3408-f8e9-5a47-aeaf-a51deeebe00d","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/689e3408-f8e9-5a47-aeaf-a51deeebe00d/attachment.md","path":"references/rule-config-details.md","size":2018,"sha256":"201071121ed05c664b890eef591c676b1278bc1098ee71cfdc1356802ecd8dd8","contentType":"text/markdown; charset=utf-8"},{"id":"1a7746ed-eb3e-504f-8622-157dfad4d2e4","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/1a7746ed-eb3e-504f-8622-157dfad4d2e4/attachment.md","path":"references/rule-operations.md","size":4534,"sha256":"9bd24c22b831f7ac877056f756368234eb9519a2dda1dc5ba6609dfba89401f8","contentType":"text/markdown; charset=utf-8"},{"id":"53b84f3d-9e8e-5098-b857-34c5b6509baa","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/53b84f3d-9e8e-5098-b857-34c5b6509baa/attachment.py","path":"scripts/get_waf_logs.py","size":21511,"sha256":"ce00dbe60d55e15f18560138522d3c1b3df35e40e370c60395e7507c2a7b9c6c","contentType":"text/x-python; charset=utf-8"}],"bundle_sha256":"bb8fd019a0e01eb2b10c70e469a50c064700ab5bbd1504ae14f6ff85ccf36aa6","attachment_count":5,"text_attachments":5,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"skills/security/waf/alibabacloud-waf-checkresponse-intercept-query/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"version":"v1","category":"security","import_tag":"clean-skills-v1","description":"Query Alibaba Cloud WAF block reasons via SLS logs and WAF CLI. 
Analyzes detailed information about blocked requests. Optionally supports disabling WAF rules (ModifyDefenseRuleStatus) and managing log service settings (ModifyUserWafLogStatus, ModifyResourceLogStatus).\nUse when users report being blocked by WAF, encounter 405/block error pages, or need to investigate and remediate WAF security rules.\nTrigger words: \"WAF block query\", \"blocked by WAF\", \"405 troubleshooting\", \"request blocked\", \"checkresponse\", \"intercept query\", \"disable WAF rule\", \"enable WAF log\"\n"}},"renderedAt":1782981796329}
