alibabacloud-ddoscoo-intercept-query

DDoS Pro (Anti-DDoS Pro) Intercept Query

Scenario Description

Query and analyze DDoS Pro (ddoscoo) block/intercept events using SLS full logs and ddoscoo CLI commands. When a user reports being blocked by DDoS Pro or encounters a block page, this skill discovers DDoS instances, checks full log configuration, queries SLS logs by Request ID, retrieves rule details, and outputs a structured analysis report with recommendations.
Architecture:
DDoS Pro Instance → Full Log (SLS) → Log Query → Rule Analysis → Report

Installation

Pre-check: Aliyun CLI >= 3.3.3 required
Run `aliyun version` to verify that the version is >= 3.3.3. If the CLI is not installed or the version is too low, see references/cli-installation-guide.md for installation instructions.

Pre-check: Aliyun CLI plugin update required
[MUST] Run `aliyun configure set --auto-plugin-install true` to enable automatic plugin installation. [MUST] Run `aliyun plugin update` to ensure that any existing plugins are always up-to-date.

Pre-check: AI-Mode Lifecycle
At the start of the Core Workflow (before any CLI invocation): [MUST] Enable AI-Mode — AI-mode is required for Agent Skill execution. Run the following commands before any CLI invocation:
```bash
aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query"
```
[MUST] Disable AI-Mode at EVERY exit point — Before delivering the final response for ANY reason (workflow success, failure, error, user cancellation, or session end), always disable AI-mode first. AI-mode is only used for Agent Skill invocation scenarios and MUST NOT remain enabled after the skill stops running.
```bash
aliyun configure ai-mode disable
```

Pre-check: SLS CLI plugin required
[MUST] Install the SLS CLI plugin before any log query operations:
```bash
aliyun component install sls
```
Verify the plugin is available:
```bash
aliyun sls --help
```
If `aliyun component install` is not available, use the legacy command:
```bash
aliyun plugin install --names aliyun-cli-sls
```

Environment Variables

No additional environment variables required. Authentication is handled via the Aliyun CLI credential chain.

Authentication

Pre-check: Alibaba Cloud Credentials Required
Security Rules:
  • NEVER read, echo, or print AK/SK values (e.g., `echo $ALIBABA_CLOUD_ACCESS_KEY_ID` is FORBIDDEN)
  • NEVER ask the user to input AK/SK directly in the conversation or command line
  • NEVER use `aliyun configure set` with literal credential values
  • ONLY use `aliyun configure list` to check credential status
```bash
aliyun configure list
```
Check the output for a valid profile (AK, STS, or OAuth identity).
If no valid profile exists, STOP here.
  1. Obtain credentials from Alibaba Cloud Console
  2. Configure credentials outside of this session (via `aliyun configure` in terminal or environment variables in shell profile)
  3. Return and re-run after `aliyun configure list` shows a valid profile
Note on 401 Unauthorized errors: A `401 The security token has expired` error means the STS temporary credential has expired — this is not a RAM permission issue. Ask the user to refresh credentials outside this session via `aliyun configure`, then retry.

RAM Policy

See references/ram-policies.md for the full list of required permissions.
[MUST] Permission Failure Handling: When any command or API call fails due to permission errors at any point during execution, follow this process:
  1. Read `references/ram-policies.md` to get the full list of permissions required by this SKILL
  2. Use the `ram-permission-diagnose` skill to guide the user through requesting the necessary permissions
  3. Pause and wait until the user confirms that the required permissions have been granted

Parameter Confirmation

IMPORTANT: Parameter Confirmation — Before executing any command or API call, ALL user-customizable parameters (e.g., RegionId, instance names, CIDR blocks, passwords, domain names, resource specifications, etc.) MUST be confirmed with the user. Do NOT assume or use default values without explicit user approval.

| Parameter Name | Required/Optional | Description | Default Value |
| --- | --- | --- | --- |
| Request ID | Required | The traceid from DDoS Pro's block response page | None |
| Domain | Optional | The website domain configured in DDoS Pro (auto-discovered if not provided) | Auto-discover |
| DDoS Instance ID | Optional | DDoS Pro instance ID (auto-discovered if not provided) | Auto-discover |
| SLS Project | Optional | SLS Project name (auto-discovered if not provided) | Auto-discover |
| SLS Logstore | Optional | SLS Logstore name (auto-discovered if not provided) | Auto-discover |
| RegionId | Optional | DDoS Pro region: `cn-hangzhou` (China Mainland) or `ap-southeast-1` (International) | `cn-hangzhou` |

Core Workflow

[MUST] Required API Call Sequence — The following API calls MUST be executed in order for every invocation of this skill. Do NOT skip any step, even if you believe the result is known in advance:
  1. Step 2a → `ddoscoo DescribeInstances` (both regions) + if domain unknown: `DescribeWebAccessLogDispatchStatus` for domain discovery only
  2. Step 2b → `ddoscoo DescribeSlsOpenStatus` + `DescribeLogStoreExistStatus` + `DescribeSlsLogstoreInfo`
  3. Step 2c → `ddoscoo DescribeWebAccessLogStatus` only (domain must be known from user or Step 2a; `DescribeWebAccessLogDispatchStatus` is NOT permitted here)
  4. Step 3 → `sls GetLogs` (query block log by Request ID)
  5. Step 5 → Output analysis report
[MUST] User-Agent Header — Every `aliyun` CLI command in this skill MUST include `--header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query` to identify the caller.
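[MUST] Sensitive Data Masking (global rule, applies to all output): The following rules apply to every output of the workflow, including the final report, intermediate analysis, log quotations, and any paragraph of supplementary notes. Masked data must never be restored anywhere:
  • Client IP: keep only the first segment and replace the rest with `*`. This applies to every output format (JSON fields and plain-text paragraphs must both be masked):
    • Plain-text paragraphs: `140.205.11.30` → `140.*.*.*`; "request from IP 140.205.11.30" → "request from IP 140.*.*.*"
    • JSON field quotations: `"real_client_ip": "140.205.11.30"` → `"real_client_ip": "140.*.*.*"`
  • Cookie / Authorization / Token: replace the entire value with `[MASKED]`, including when quoting raw log fields
  • Query Parameters: replace every parameter value with `***`. Example: `?token=abc&name=test` → `?token=***&name=***`
  • User-Agent string: truncate to the first 32 characters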
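
The masking rules above applied to one log record, as an added Python example (not part of the skill's own code). The function names and the sample field names `request_uri`, `http_cookie` and `http_user_agent` are assumptions; only IPv4 addresses are handled, matching the page's examples.

```python
"""Added example: apply the page's global masking rules to a log record."""
import json
import re

# IPv4 dotted quad: keep the first segment, replace the other three with '*'.
_IPV4 = re.compile(r"\b(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")
# Field names whose whole value becomes [MASKED] (case-insensitive substring match).
_SECRET_KEYS = re.compile(r"cookie|authorization|token", re.I)
# Field names treated as a User-Agent string (assumed naming).
_UA_KEYS = re.compile(r"user[-_]?agent", re.I)


def mask_ip_text(text):
    """Mask every IPv4 address found in free text or in a field value."""
    return _IPV4.sub(r"\1.*.*.*", text)


def mask_query(text):
    """Replace every query parameter value with ***; names and fragment stay."""
    head, qmark, query = text.partition("?")
    if not qmark:
        return text
    query, hashmark, fragment = query.partition("#")
    pairs = []
    for pair in query.split("&"):
        name, eq, _value = pair.partition("=")
        # A bare flag without '=' has no value to hide, so it is kept as-is.
        pairs.append(name + "=***" if eq else pair)
    return head + "?" + "&".join(pairs) + hashmark + fragment


def mask_record(record):
    """Return a copy of a log record that is safe to quote in a report."""
    masked = {}
    for key, value in record.items():
        if not isinstance(value, str):
            masked[key] = value                  # numbers and flags pass through
        elif _SECRET_KEYS.search(key):
            masked[key] = "[MASKED]"             # whole value replaced
        elif _UA_KEYS.search(key):
            masked[key] = value[:32]             # first 32 characters only
        else:
            masked[key] = mask_ip_text(mask_query(value))
    return masked


# Constructed sample record; the values are made up for this example.
SAMPLE = {
    "traceid": "constructed-0a1b2c3d",
    "real_client_ip": "140.205.11.30",
    "request_uri": "/login?token=abc&name=test",
    "http_cookie": "session=abcdef",
    "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "cc_blocks": 1,
}

if __name__ == "__main__":
    print(json.dumps(mask_record(SAMPLE), indent=2))
```

Run `mask_record` on every record before any field is quoted, and `mask_ip_text` on free-text paragraphs, so the same rule covers JSON and prose output.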

Step 1: Information Collection

Confirm the Request ID (traceid) with the user. Guide them to obtain it from:
  1. The block page displayed in the browser (shows Request ID directly)
  2. The HTML body of DDoS Pro's block (intercept) response (contains traceid)
Optionally collect the domain name if the user knows which website was blocked.

Step 2: Discover DDoS Pro Instances and Verify Full Log Service

Step 2a: Discover DDoS Pro Instances and Protected Domains

```bash
# Query DDoS Pro instances (API endpoint region: cn-hangzhou for China, ap-southeast-1 for International)
aliyun ddoscoo describe-instances --page-number 1 --page-size 50 --region cn-hangzhou --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
aliyun ddoscoo describe-instances --page-number 1 --page-size 50 --region ap-southeast-1 --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```

> **[MUST] Instance Discovery Validation** — After calling `describe-instances`, inspect the response:
> - If `Instances` is a non-empty array → record the instance(s) and proceed to Step 2b.
> - If `Instances` is empty (`[]`) for one region → retry with the other region before proceeding.
> - If both regions return empty → stop and inform the user: "No DDoS Pro instances were found under this account. Please verify your credentials and region."
> - **Do NOT proceed to Step 2b or beyond if `describe-instances` returns no results.** An empty instance list means subsequent SLS and log queries will also fail — continuing will produce an empty or incorrect report.

> **[MUST] Domain Discovery** — Step 2c requires a known domain name to call `describe-web-access-log-status`. If the user did NOT provide the domain in their message, discover it HERE in Step 2a before proceeding:
> ```bash
> # Discover all protected domains (domain discovery only — do NOT use the log status from this response)
> aliyun ddoscoo describe-web-access-log-dispatch-status --page-number 1 --page-size 10 --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
> ```
> Extract the domain name(s) from the response and record them. This API is used **only for domain name discovery**, not for checking log status. The actual log status check happens in Step 2c using `describe-web-access-log-status`.

> **[MUST] International Region API Error Recovery**: If any `ap-southeast-1` API call returns `InvalidRosettaRegionId`, `400 Bad Request`, or similar region-level errors:
> 1. **Do NOT abandon the workflow** — continue with available data
> 2. For SLS-related operations: International DDoS Pro SLS projects are typically hosted in `cn-hangzhou` (not `ap-southeast-1`), with project names like `ddosdip-project-<uid>-ap-southeast-1`. Always try `cn-hangzhou` as the SLS region.
> 3. For rule query APIs (e.g., `describe-web-precise-access-rule`, `describe-l7-global-rule`): If `ap-southeast-1` fails, retry the same API call using `cn-hangzhou` endpoint
> 4. **[MUST] Never skip a user-requested query step** due to region API errors — always attempt recovery via the alternative region before reporting failure

Step 2b: Check SLS and Full Log Status

First check if SLS is opened and log store exists:
```bash
aliyun ddoscoo describe-sls-open-status --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
aliyun ddoscoo describe-log-store-exist-status --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Then get the SLS logstore info (project, logstore, capacity, TTL):
```bash
aliyun ddoscoo describe-sls-logstore-info --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
[IMPORTANT] Fallback for SLS Info Retrieval: If `describe-sls-logstore-info` returns an error (e.g., `400 InvalidRosettaRegionId` in `ap-southeast-1`), use the following fallback methods in order:
Fallback 1 — Get SLS info from domain log status (requires knowing a domain):
```bash
aliyun ddoscoo describe-web-access-log-status --domain '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Extract `SlsProject` and `SlsLogstore` from the response.
Fallback 2 — List all SLS projects and find the ddoscoo one:
```bash
aliyun sls list-project --region cn-hangzhou --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Look for project names containing `ddoscoo` or `ddosdip`. Note: International DDoS Pro SLS projects may also be hosted in `cn-hangzhou`.

Step 2c: Check Domain Full Log Status

⛔ FORBIDDEN: `describe-web-access-log-dispatch-status` is NOT used in this step. Domain discovery was completed in Step 2a. This step has exactly ONE permitted API call.
By this point the domain name MUST be known (provided by the user, or discovered in Step 2a). Call:
```bash
aliyun ddoscoo describe-web-access-log-status --domain '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
  • If the response contains `SlsConfigStatus=true`, full log is already enabled; proceed directly to Step 3.
  • If it is not enabled, inform the user and enable it after obtaining their consent:
```bash
aliyun ddoscoo enable-web-access-log-config --domain '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Constraint: This skill only supports enabling full log (`enable-web-access-log-config`). Disabling is not permitted via this skill. Never call `disable-web-access-log-config`.
[IMPORTANT] Error Handling for Enable: If `enable-web-access-log-config` returns an error:
  • `DomainDoNotBelongToYou` — Domain is not configured in this DDoS Pro instance. Verify the domain belongs to this instance, or try the other region (`cn-hangzhou` / `ap-southeast-1`).
  • `403 Forbidden` / RAM permission error — See references/ram-policies.md.
[IMPORTANT] Historical Logs: Enabling full log only records future requests. If the block event occurred before enabling, no SLS log will exist for that Request ID. Inform the user: "Full log has been enabled, but the historical block event cannot be queried via SLS. Please reproduce the block and retry with the new Request ID."

Step 3: Query SLS Logs

[MUST] Use the SLS CLI plugin (`aliyun sls get-logs`) for all log queries.
Use the SLS project/logstore obtained from Step 2 to query block logs:
```bash
# Query SLS logs via plugin-mode call
TO_TIME=$(python3 -c "import time; print(int(time.time()))")
FROM_TIME=$((TO_TIME - 86400))
aliyun sls get-logs \
  --project <project-name> \
  --logstore <logstore-name> \
  --from $FROM_TIME \
  --to $TO_TIME \
  --query "<request-id>" \
  --reverse true \
  --lines 100 \
  --region <sls-region> \
  --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```

If no results found in the last 24 hours, progressively expand the time range:
- Last 3 days: `FROM_TIME=$((TO_TIME - 86400 * 3))`
- Last 7 days: `FROM_TIME=$((TO_TIME - 86400 * 7))`
- Last 30 days: `FROM_TIME=$((TO_TIME - 86400 * 30))`
- Maximum (based on TTL): `FROM_TIME=$((TO_TIME - 86400 * <ttl_days>))`

> **Fallback method** — If the SLS plugin command above fails (e.g., plugin not installed), use the Python script:
> ```bash
> python3 scripts/get_ddos_logs.py \
>   --project <project-name> \
>   --logstore <logstore-name> \
>   --request-id <request-id> \
>   --region <sls-region>
> ```

**Note**: DDoS Pro full log SLS region mapping:
- China Mainland instances (`cn-hangzhou`): SLS project is in `cn-hangzhou`
- International instances (`ap-southeast-1`): SLS project is **also typically in `cn-hangzhou`** (not `ap-southeast-1`), with project names like `ddosdip-project-<uid>-ap-southeast-1`

> **[MUST]** Do NOT guess SLS project names. Always use the exact project/logstore values obtained from Step 2b (`describe-sls-logstore-info` or its fallback). If both APIs failed, use `aliyun sls list-project --region cn-hangzhou --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query` to discover projects containing `ddoscoo` or `ddosdip`.

Step 4: Query Rule Details

After obtaining the SLS log, extract key fields to determine the block type and query the specific rule configuration.

Step 4a: Identify Block Type from Log Fields

The two most important log fields for identifying the block type are:
  • `cc_phase` — Identifies which protection module triggered the block
  • `last_owner` — Format is `<rule_name>|<source>`, where `source` is `manual` (user-created) or `clover` (auto-generated)

`cc_phase` → Block Type → Query API Mapping:

| `cc_phase` value | Block Type | Rule Detail Query Command |
| --- | --- | --- |
| `gfcc` / `cc` | CC Protection (custom frequency-control rules) | `describe-web-cc-rules-v2` |
| `gfacl` / `acl` | Precise Access Control | `describe-web-precise-access-rule` |
| `gfai` / `ai` | AI Smart Protection | `describe-web-cc-protect-switch` |
| `gfglobal` / `global` / `gf_rule` | Global Defense Policy | `describe-l7-global-rule` |
| `gfbwip` / `blacklist` | IP Blacklist | `describe-web-rules` (BlackList field) |
| `gfareaban` / `region` / `geo` | Region Blocking | `describe-web-area-block-configs` |

Other useful log fields:

| Log Field | Description |
| --- | --- |
| `cc_action` | Action taken: `block`, `captcha`, `close`, `watch` |
| `cc_rule_id` | Specific rule ID that triggered |
| `cc_blocks` | Whether the request was blocked (`1` = yes) |
| `final_action` | Final action taken on the request |
| `final_plugin` | Block plugin identifier |
| `traceid` | Request trace ID (same as Request ID in block page) |
| `matched_host` | The domain that matched the request |
| `host` | The Host header from the request |
| `real_client_ip` | Client's real IP address |
| `last_owner` | `<rule_name>\|<source>` — identifies which rule and its origin |
| `isp_line` | DDoS Pro access line (for example: China Telecom, China Unicom, China Mobile, Hong Kong, overseas). Note: this field reflects the DDoS Pro access line and is not the same as the client's physical location. In the report, phrase it as "the request entered via the {isp_line} line"; do not equate it with the region where the client is located |

Step 4b: Query Strategy Switch Status (Policy Pre-check)

[MUST] Before querying specific rules, first check which protection modules are enabled:
```bash
aliyun ddoscoo describe-web-cc-protect-switch --domains.1 '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
This returns all switch states. Key fields:

| Field | Description | Values |
| --- | --- | --- |
| `CcEnable` | CC protection master switch | `0` (off) / `1` (on) |
| `CcCustomRuleEnable` | Custom CC rules switch | `0` / `1` |
| `PreciseRuleEnable` | Precise Access Control (ACL) switch | `0` / `1` |
| `CcGlobalSwitch` | Global defense switch | `close` / `open` |
| `AiRuleEnable` | AI smart protection switch | `0` / `1` |
| `AiMode` | AI mode | `watch` / `defense` |
| `AiTemplate` | AI level | `level30` / `level60` / `level90` |
| `BlackWhiteListEnable` | IP blacklist/whitelist switch | `0` / `1` |
| `RegionBlockEnable` | Region blocking switch | `0` / `1` |

Step 4c: Query Specific Rule Details

Based on `cc_phase`, call the corresponding API to fetch the rule configuration.

**If `cc_phase` = `cc` → CC Protection Rules:**
```bash
# Query all CC rules for the domain; use --owner manual for user rules, clover for auto rules
aliyun ddoscoo describe-web-cc-rules-v2 --domain '<domain>' --offset 0 --page-size 30 --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Then find the specific rule by matching `last_owner`'s rule name (the part before `|`) against the rule's `name` field in the response.

**If `cc_phase` = `gfacl` → Precise Access Control (ACL) Rules:**
```bash
aliyun ddoscoo describe-web-precise-access-rule --domains.1 '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Then find the specific rule by matching `last_owner`'s rule name against the rule's `Name` field in the response.

**If `cc_phase` = `ai` → AI Smart Protection:**
```bash
# AI protection has no individual rules; check mode and level from switch status
aliyun ddoscoo describe-web-cc-protect-switch --domains.1 '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Report the `AiMode` (watch/defense), `AiTemplate` (level30/60/90), and `AiRuleEnable` status.

**If `cc_phase` = `global` or `gf_rule` → Global Defense Policy:**
```bash
# Get global rule list with RuleId, Action, Enabled, Description
aliyun ddoscoo describe-l7-global-rule --domain '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```

**If `cc_phase` = `blacklist` → IP Blacklist/Whitelist:**
```bash
# Get blacklist and whitelist IPs from domain web rules
aliyun ddoscoo describe-web-rules --domain '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Extract `BlackList` and `WhiteList` arrays from the response.

**If `cc_phase` = `region` or `geo` → Region Blocking:**
```bash
aliyun ddoscoo describe-web-area-block-configs --domains.1 '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```
Check which regions have `Block = 1`.

[IMPORTANT] Domain Not Found: If the domain query returns `DomainNotExist`, the domain may have been removed from DDoS Pro after the block event. Report this to the user — the log is still valid but rule details cannot be retrieved.
See references/domain-security-policy.md for the complete domain security policy management reference including rule creation, modification, deletion, and field reference tables.
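
The Step 4a field mapping and the Step 4c commands combined, as an added Python example (not part of the skill's own scripts): it turns one log record into the block type, the rule name and origin from `last_owner`, and the matching `aliyun ddoscoo` command line. The function names, the sample record and the shape of the rule list passed to `find_rule` are assumptions.

```python
"""Added example: derive block type and rule-lookup command from a log record."""
import shlex

USER_AGENT = "AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query"

# (cc_phase aliases, block type, ddoscoo command, arguments as used on this page)
_RULES = [
    (("gfcc", "cc"), "CC Protection", "describe-web-cc-rules-v2",
     ["--domain", "{domain}", "--offset", "0", "--page-size", "30"]),
    (("gfacl", "acl"), "Precise Access Control",
     "describe-web-precise-access-rule", ["--domains.1", "{domain}"]),
    (("gfai", "ai"), "AI Smart Protection",
     "describe-web-cc-protect-switch", ["--domains.1", "{domain}"]),
    (("gfglobal", "global", "gf_rule"), "Global Defense Policy",
     "describe-l7-global-rule", ["--domain", "{domain}"]),
    (("gfbwip", "blacklist"), "IP Blacklist",
     "describe-web-rules", ["--domain", "{domain}"]),
    (("gfareaban", "region", "geo"), "Region Blocking",
     "describe-web-area-block-configs", ["--domains.1", "{domain}"]),
]
PHASE_MAP = {alias: (btype, cmd, args)
             for aliases, btype, cmd, args in _RULES for alias in aliases}
SOURCES = {"manual": "user-created", "clover": "auto-generated"}


def parse_last_owner(value):
    """Split '<rule_name>|<source>' on the last '|' so a '|' in the name survives."""
    name, sep, source = (value or "").rpartition("|")
    if not sep:                       # no separator: the whole value is the name
        return (value or None), None
    return name, source


def plan_lookup(record, region):
    """Summarise a block record and build the rule-detail command for it."""
    phase = (record.get("cc_phase") or "").strip().lower()
    block_type, command, arg_tpl = PHASE_MAP.get(phase, ("Unknown", None, []))
    rule_name, source = parse_last_owner(record.get("last_owner"))
    domain = record.get("matched_host") or record.get("host")
    argv = None
    if command and domain:
        argv = ["aliyun", "ddoscoo", command]
        argv += [arg.format(domain=domain) for arg in arg_tpl]
        argv += ["--region", region, "--header", "User-Agent=" + USER_AGENT]
    return {
        "block_type": block_type,
        "rule_name": rule_name,
        "rule_origin": SOURCES.get(source, "unknown"),
        # English rendering of the report's fallback text for a missing rule ID
        "rule_id": (record.get("final_rule_id") or record.get("cc_rule_id")
                    or "N/A - no rule ID recorded in the log"),
        "action": record.get("final_action") or record.get("cc_action"),
        "blocked": str(record.get("cc_blocks")) == "1",
        # shlex.join quotes the domain if it contains shell metacharacters
        "command": shlex.join(argv) if argv else None,
    }


def find_rule(rules, rule_name):
    """Match against 'name' (CC rules) or 'Name' (ACL rules); rules is a list of dicts."""
    if rule_name is None:
        return None
    for rule in rules:
        if rule_name in (rule.get("name"), rule.get("Name")):
            return rule
    return None


# Constructed sample record; values are made up for this example.
SAMPLE = {
    "traceid": "constructed-0001",
    "cc_phase": "gfacl",
    "last_owner": "block_admin|manual",
    "cc_action": "block",
    "cc_blocks": "1",
    "matched_host": "www.example.com",
}

if __name__ == "__main__":
    for key, value in plan_lookup(SAMPLE, "cn-hangzhou").items():
        print(f"{key}: {value}")
```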

Step 5: Output Analysis Report

[MUST] Sensitive Data Masking — Apply the global masking rules defined in Core Workflow to all fields in this report, including any supplementary paragraphs. Never restore masked data in any section.

DDoS Pro Intercept Analysis Report

Request Information

  • Request ID: {request_traceid}
  • Block Time: {time}
  • Client IP: {masked_real_client_ip, e.g. 192...***}
  • ISP Line: {isp_line} (DDoS Pro access line, not the client's actual location)
  • Domain: {matched_host}
  • Request URL: {host}{request_path}?{masked_query_params}

Block Details

  • Rule ID: {final_rule_id or cc_rule_id; if neither field is present in the log, output "N/A - rule ID not recorded in the log"; do not omit this line}
  • Block Type: {final_plugin / cc_phase}
  • Action: {final_action or cc_action}

Recommendations

{Based on block type, refer to references/common-block-reasons.md}

Troubleshooting

No Logs Found

  1. Re-check SLS and log store status (Step 2b)
  2. Check domain full log switch:
    ```bash
    aliyun ddoscoo describe-web-access-log-status --domain '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
    ```
  3. Enable if disabled (check-then-act):
    ```bash
    aliyun ddoscoo enable-web-access-log-config --domain '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
    ```
  4. Check all domain log dispatch status:
    ```bash
    aliyun ddoscoo describe-web-access-log-dispatch-status --page-number 1 --page-size 50 --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
    ```

Request ID Not Found

  1. Verify Request ID format (typically 30+ hex characters)
  2. Script auto-expands search up to 90 days
  3. Try both regions (`cn-hangzhou` and `ap-southeast-1`)
  4. Check log retention (TTL) via `describe-sls-logstore-info`

Multi-Instance Scenarios

DDoS Pro instances may span both regions. Query logs across all discovered SLS projects until the Request ID is found.

Rule Operation Constraints

See references/rule-operations.md for detailed instructions.

When a user requests to disable a rule:
  1. Check current status first (idempotent check-then-act)
  2. Only disable operations are permitted; never delete rules
  3. Confirm with user before executing

Disable CC Rule:
```bash
aliyun ddoscoo disable-web-cc-rule --domain '<domain>' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```

Disable Precise Access Control:
```bash
aliyun ddoscoo modify-web-precise-access-switch --domain '<domain>' --config '{"PreciseRuleEnable": 0}' --region <region-id> --header User-Agent=AlibabaCloud-Agent-Skills/alibabacloud-ddoscoo-intercept-query
```

Success Verification Method

See references/verification-method.md for detailed verification steps.
Expected Outcome: Intercept analysis report generated with complete request information, rule details, and actionable recommendations.
Verification: After querying with a known Request ID, the output should contain all fields in the report template.

Cleanup

This skill is read-only by default and does not create persistent resources. No cleanup required unless:
  • Full log was enabled for a domain during execution (inform user; this skill only enables, never disables)
  • CC rules were disabled (can be re-enabled via `enable-web-cc-rule`)

Best Practices

  1. Always query both regions (`cn-hangzhou` and `ap-southeast-1`) for instance discovery
  2. [MUST] Use `aliyun sls get-logs` (plugin mode, kebab-case) for SLS log queries
  3. Do NOT guess SLS project/logstore names; always obtain them from `describe-sls-logstore-info` or `describe-web-access-log-status`
  4. Check domain full log status before querying to avoid empty results
  5. [MUST] Mask sensitive data in output reports: Client IP → `first_octet.*.*.*`, query parameters → `***`, cookies/tokens → `[MASKED]`
  6. Use idempotent check-then-act pattern before any write operations
  7. Never delete rules; only disable/enable operations are permitted
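
The masking rule in item 5 and the Step 5 report template can be applied together when rendering a report from one log record. The following is an added example, not part of the skill's own scripts: the sample record is constructed, `querystring` is an assumed field name, and masking non-IPv4 addresses as `[MASKED]` is an assumption because the page defines only the IPv4 format.

```python
import ipaddress
from urllib.parse import parse_qsl

# Constructed sample record. Field names follow the report template;
# "querystring" is an assumed field name that is not given on this page.
SAMPLE_LOG = {
    "request_traceid": "0a1b2c3d4e5f60718293a4b5c6d7e8f9",
    "time": "2024-01-01 08:00:00",
    "real_client_ip": "203.0.113.45",
    "isp_line": "line-a",
    "matched_host": "www.example.com",
    "host": "www.example.com",
    "request_path": "/login",
    "querystring": "user=alice&token=abc123&debug",
    "cc_phase": "blacklist",
    "cc_action": "block",
}

def mask_ip(ip):
    """Client IP -> first_octet.*.*.*; fail closed on anything else."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "[MASKED]"
    if addr.version != 4:
        return "[MASKED]"  # assumption: the page gives no IPv6 mask format
    return str(addr).split(".")[0] + ".*.*.*"

def mask_query(qs):
    """Keep parameter names, replace every value with ***."""
    return "&".join(f"{k}=***" for k, _ in parse_qsl(qs, keep_blank_values=True))

def render_report(log):
    # The Rule ID line is mandatory: fall back to an explicit N/A, never omit it.
    rule_id = (log.get("final_rule_id") or log.get("cc_rule_id")
               or "N/A - rule ID not recorded in the log")
    block = " / ".join(v for v in (log.get("final_plugin"), log.get("cc_phase")) if v)
    action = log.get("final_action") or log.get("cc_action") or "N/A"
    url = log.get("host", "") + log.get("request_path", "")
    if log.get("querystring"):
        url += "?" + mask_query(log["querystring"])
    return "\n".join([
        f"Request ID: {log.get('request_traceid', 'N/A')}",
        f"Block Time: {log.get('time', 'N/A')}",
        f"Client IP: {mask_ip(log.get('real_client_ip', ''))}",
        f"ISP Line: {log.get('isp_line', 'N/A')}",
        f"Domain: {log.get('matched_host', 'N/A')}",
        f"Request URL: {url}",
        f"Rule ID: {rule_id}",
        f"Block Type: {block or 'N/A'}",
        f"Action: {action}",
    ])
```

Masking happens at render time, so raw values never reach the report text, and a malformed or IPv6 client address is hidden entirely rather than passed through.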

Reference Links

| Reference | Description |
|---|---|
| references/ram-policies.md | RAM permission requirements |
| references/common-block-reasons.md | Common block reasons and recommendations |
| references/rule-config-details.md | Rule configuration field descriptions |
| references/rule-operations.md | Rule operation policy and constraints |
| references/domain-security-policy.md | Domain security policy management (query, create, modify, delete rules) |
| references/related-commands.md | All CLI commands used in this skill |
| references/verification-method.md | Success verification steps |
| references/cli-installation-guide.md | Aliyun CLI installation and upgrade guide |