
Imperva WAF Lab Guide Practical Lab for SecureSphere V11.5

Version: 3.01 – Nov 01, 2016


SecureSphere Lab Guide

Copyright © 2016 Imperva. All rights reserved.

Index:

Introduction
Lab 1 - Site Objects
Lab 2 - Alerts and violations
Lab 3 - Blocking
Lab 4 - Signatures
Lab 5 - Policies
Lab 6 – System Events
Lab 7 – Followed Actions
Lab 8 - Profiling
Lab 9 - User Tracking
Lab 10 - Reporting
Appendix


Introduction

This lab workbook guides you through exercises that demonstrate some essential functions of the Imperva WAF solution.

“Lab in a box” - Environment

The “Lab in a box” environment consists of several VMs that can be used to demo different scenarios. This lab uses the SecureSphere V11.5 Onebox and SuperVeda 2010. There are 4 separate VLANs (110, 120, 130 and 140), and each VLAN has its own resources. A note on your table tells you which VLAN has been assigned to you.

Resources

UDS - SecureSphere 11.5 – IP: 192.168.VLAN.100 (admin port 8083)

UDS - SuperVeda2010 MS SQL (vulnerable web application) – IP: 192.168.VLAN.110

Login information

Use the following credentials to login to the different machines & services in the lab in a box environment.

SecureSphere Web GUI Login

From the Client, connect to SecureSphere using Firefox, IE or Chrome.

User: admin

Password: Webco123

SecureSphere Credentials

Console

Username: root

Password: Root123

Username: secure

Password: Webco123

ssh

Username: udsimperva

Password: Webco123

Remote Agents / Gateway

Username: imperva


Password: Webco123

SuperVeda

OS Login

User: administrator

Password: Secure123!

Site: http://10.255.VLAN.110:8080

Login: bugsb

Password: carrots

Site: http://10.255.VLAN.110:8080/admin

Login: admin

Password: system


Lab 1 – Attacks & Site Objects

Objectives

The goal of this lab is to understand the lab setup and the demo VMs, and to identify the resources to be protected.

SuperVeda is the web server that will be used in the different labs. Its web service listens on port 80.

An Imperva WAF is configured in bridge mode and will protect the Web server.

Questions

Q1: Check that the Web server SuperVeda is accessible from the desktop

(http://192.168.VLAN.110 - make sure you adjust the IP to the network that has been assigned to you)

_____________________________________________________________________________

Q2: What will be the IP of the Web server to be configured on the Imperva-platform?

_____________________________________________________________________________

Q3: What will be the listening port of the Web server to be configured in the Imperva GUI?

_____________________________________________________________________________

Task List – Basic SQL Attack

TASK LIST

Task # Task Description

1 Understanding non-configured resources:

1. With a Web browser, go to this address: http://192.168.VLAN.110

2. Click on “Sign In”


3. As Username, enter

'or 1=1 --

(There are 2 dashes at the end of the command).

4. Click on “Sign In”

5. Confirm that the SQL injection attack succeeds and allows you to log in. If you click on “My Account”, the window should be similar to the following:

6. Open the Imperva GUI, available at https://192.168.VLAN.100:8083, and log in. Credentials are provided at the beginning of this document.

7. Go to Main > Monitor > Alerts

Questions

Q4: Do you see information on the SQL Injection attack you just made?

Yes No


Q5: What is the explanation for this behavior?

_____________________________________________________________________________________

You can find this document on the desktop of your student PC in PDF Format. If you want, you can copy & paste difficult to type commands (like for SQL Injection) from the document into the GUI.
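
Added example (not part of the original lab guide): why the string entered in step 3 logs in when a login query is built by string concatenation, next to the parameterized query that treats the same string as data. SuperVeda's real code is not shown in this guide; the table layout and both login functions are assumptions, and only the account names and the two test strings come from the lab text.

```python
import sqlite3

# Strings the lab guide asks you to type into the Username field (Lab 1 and Lab 2).
LAB_STRINGS = ["'or 1=1 --", "' or (2=2) --"]


def make_db():
    """Constructed in-memory user table (assumed schema, not SuperVeda's)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Plaintext passwords only keep the demo short; real systems store salted hashes.
    db.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("bugsb", "carrots"), ("admin", "system")],
    )
    return db


def build_concatenated_sql(username, password):
    """Show the exact statement text the database receives."""
    return (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_concatenated(db, username, password):
    """Vulnerable: the input is spliced into the SQL text and parsed as SQL."""
    try:
        row = db.execute(build_concatenated_sql(username, password)).fetchone()
    except sqlite3.Error:
        return None  # malformed input breaks the statement instead of matching
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Hardened: placeholders keep the input a value, never part of the statement."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def compare(db, strings=LAB_STRINGS):
    """Return {input: (concatenated_result, parameterized_result)}."""
    return {
        s: (login_concatenated(db, s, "x"), login_parameterized(db, s, "x"))
        for s in strings
    }


if __name__ == "__main__":
    db = make_db()
    # The quote closes the string literal, OR makes the WHERE clause true for
    # every row, and the two dashes comment out the password check.
    print(build_concatenated_sql(LAB_STRINGS[0], "x"))
    for s, (weak, safe) in compare(db).items():
        print(f"{s!r}: concatenated -> {weak!r}, parameterized -> {safe!r}")
```

A WAF alert or block on this string, as in Labs 2 and 3, is a compensating control; the parameterized query removes the flaw in the application itself.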


Task List – Configure Superveda objects in Imperva GUI

TASK LIST

Task # Task Description

1 Configure SuperVeda:

1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083

2. Go to Main / Setup / Sites

3. In the tree, create the site "Training Imperva"

4. Create a Server Group for the SuperVeda website.

a) Click on the site "Training Imperva" and right-click to bring up the context menu

b) Click on "Create Server Group"

c) Name the server group Server Group SuperVeda

d) Click on "Create". In the "Sites Tree", click on the new Server Group and select the "Definitions" tab on the central panel

Questions

Q6: What is the "Operation" mode of the server group?

_____________________________________________________________________________________

Q7: With this setup, would a Web-based attack be blocked by the WAF?

Yes No

Q8: In this setup, would a Web-based attack generate alerts / violations on the WAF?

Yes No


TASK LIST

Task # Task Description

1 Configure SuperVeda (cont’d):

5. In the "Definitions" tab, in the table "Protected IP Addresses", click on the icon and add the IP address of SuperVeda (192.168.VLAN.110)

6. Save the changes by clicking

7. Create a Web Service for the SuperVeda website (Main > Setup > Sites): In the "Sites Tree", right-click on the Server Group to bring up the context menu.

8. Click on “Create service”

9. Name the Service “Service-SuperVeda” and select HTTP Service in the drop-down list (depending on the licenses of the SecureSphere demo environment, this list may vary):

10. Click on “Create”

11. In the "Sites Tree", click on the new service and select the "Definitions" tab in the central panel

12. In the "HTTP Port" field, enter the value of the listening port of the SuperVeda server (see question 3)

13. Save changes by clicking

14. In the "Sites Tree", expand the new service using the icon next to the service.

15. Check that no Data Masking is enabled by default on Service / Operation / Data Masking; if it is, please remove it:

Questions

Q9: What is the name of the application that was created automatically?


_____________________________________________________________________________________


Lab 2 - Alerts and violations

Objectives

The goal of this Lab is to understand and know how to interpret alerts and violations in the WAF

TASK LIST

Task # Task Description

1 Generate a violation on the WAF:

1. Using a Web browser, go to the following address of the web server SuperVeda (192.168.VLAN.110)

2. Type the following string in the Username field of the "Sign In" page:

' or (2=2) --

3. Click on “Sign in”

Questions

Q1: Was the SQL Injection attack successful?

________________________________________________________________________

Q2: Why?

________________________________________________________________________

TASK LIST

Task # Task Description

1 Observe triggered violation:

1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083

2. Go to Main / Monitor / Alerts

3. Find the alert triggered by the SQL attack that you just made

Questions

Q3: Fill out this list:

Event Date: ___________________________


Server group concerned: ___________________________

Service concerned: ___________________________

Application concerned: ___________________________

URL concerned: ___________________________

Field parameter that triggered the violation: ___________________________

Source IP of the attack: ___________________________

TASK LIST

Task # Task Description

1 Create a search filter to display only specific alerts to your Web server:

1. Remove all filters that might exist by clicking the “clear” button

2. In the "Basic Filter" tab, select "By Server Group"

3. Check the Server Group that you created before

4. Save your filter by clicking on "Save"

5. Name the filter "Filter Student ‘VLAN’ "

6. Click on “save”

7. Validate the successful creation of your filter by clicking on the tab "Saved Filters". Your new filter should be included in the list of filters

Questions

Q4: What other filter could have been used to achieve a similar result?

_____________________________________________________________________________________


TASK LIST

Task # Task Description

1 Managing multiple relationships in the WAF:

4. Using a Web browser, go to the following address of the Web server SuperVeda: 192.168.VLAN.110/cmd.exe

An error window similar to this one should appear:

5. Repeat the access to 192.168.VLAN.110/cmd.exe within a short period of time

6. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083

7. Go to Main > Monitor > Alerts

8. Filter alerts using the filter you created before

a. In the Filters panel, click the "Saved Filters" tab

b. Select your filter

9. Find the alerts triggered by the illegitimate access you just made

Questions

Q5: Complete the information below:

Number of alerts triggered: _____________________________

Description of the alert: _____________________________

Signature which has triggered the alert: _____________________________

Dictionary name of the alert: _____________________________

IP Address of the attack: _____________________________

Q6: Find the alert triggered by the illegitimate accesses you just made and complete the information below:

Number of aggregated violations in this alert: ____________________________


Aggregation factors: ____________________________


Lab 3 - Blocking

Objectives

Understand the operation mode “active” and create a custom error page

TASK LIST

Task # Task Description

1 Change the operation mode of the server group:

1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083

2. Go to Main / Setup / Sites

3. In the tree, select the server group you created before and select the “Definitions” tab from the center panel.

4. Set the operation mode to “active”

5. Save the change by clicking

Generate a violation on the WAF:

6. Using a Web browser, go to the SuperVeda Webserver (192.168.VLAN.110)

7. Type the following string in the Username field of the "Sign In" page: ' or (3=3) --

8. Click on “Sign in”

Questions

Q1: Is the SQL Injection attack blocked?

________________________________________________________________________

Q2: What is the associated incident number?

_________________________________________________________________________


TASK LIST

Task # Task Description

2 Monitor violations and triggered alerts:

1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083

2. Go to Main > Monitor > Alerts

3. Find the previous triggered violation

a) In the Filters panel in the Quick Filter field, enter the incident number noted

above (do not insert a space before or after the number)

b) Click on the filter button

c) Click on apply

4. Filter alerts using the filter you created before

5. Find the alert triggered in the Lab

Questions

Q1: What is the incident number in the details of the violation used for?

_________________________________________________________________________

Q2: In the GUI, how can you differentiate between an attack that the WAF actually stopped (Active mode) and an attack that was detected but not blocked (Simulation mode)?

_________________________________________________

TASK LIST

Task # Task Description

3 Change the default error page

1. Open the Imperva GUI.

2. Go to Main / Setup / Sites

3. In the Sites Tree, find the service you created previously

4. Expand Section “Error Page”

5. Under "Page", enter the following HTML instead of the default code: <html>customized error</html>


6. Save the changes by clicking on

7. Generate a new violation: Using a Web browser, go to the following address of the web server SuperVeda (192.168.VLAN.110)

8. Type the following string in the Username field of the "Sign In" page: ' or (4=4) --

9. Click on “Sign in”

10. Observe the new error page returned


Lab 4 - Signatures

Objectives

Create a signature and apply it

TASK LIST

Task # Task Description

1 Create a new dictionary signature:

1. Open the Imperva GUI.

2. Go to Main / Setup / Signatures

On the left panel, click on the symbol to add a new signature dictionary and select "Create Manual Dictionary".

Name of the dictionary: Student <VLAN>

Dictionary Type: Web

3. Click on “create”

4. Add a signature to the dictionary

a) Verify that the newly created dictionary is selected on the left panel

b) On the central panel, click on the symbol to add a new signature

c) Signature Name: “Signature_Student <VLAN>” (where <VLAN> is your VLAN)

d) Signature: part="XXX"

e) Protocols: http

f) Search Signature In: Parameters

g) Click on «Create»

h) Save the changes by clicking on

Create a new security policy

5. Go to Main > Policies > Security


6. Create a new security policy using the dictionary created before

a) On the central panel, click on the symbol to add a new policy

b) Select « Web Application »

c) Name: Signature Policy Student <VLAN>

d) Select « From Scratch »

e) Type : « Web Application Signatures »

f) Click on Create

7. Configure the security policy

a) On the central panel, verify that the newly created policy is selected

b) On the right panel, in the "Policy Rules" tab, click on the symbol and select the new dictionary you just created

c) Check the box «Enabled»

d) Severity = High

e) Action = None

f) In the tab «Apply To», select the Server Group “Training Imperva”

g) Save the changes by clicking on

Test the security policy:

8. Using a Web browser, go to the SuperVeda Web server (192.168.VLAN.110)

9. Type the following string in the Username field of the "Sign In" page:

XXX

10. Click on “Sign in”

11. Open the Imperva GUI

12. Go to Main / Monitor / Alerts

13. Find the Alert of this signature violation


Lab 5 - Policies

In this lab, a Web Service policy will be created that gets triggered on a specific event.

Objectives

Create a basic policy and apply it to specific objects

Task 1: Create a new Web Service policy

Task 2: Creating a policy that gets triggered on a certain event

Task 3: Test the policy

Task 4: Optional: Configure Exceptions

TASK LIST

Task # Task Description

1 Create a new Web Service policy

1. Go to the home page of SuperVeda: http://192.168.VLAN.110/

2. Sign in with the following account:

3. Login: bugsb password: carrots

4. Click on "login"


TASK LIST

Task # Task Description

2 Creating a policy that gets triggered on a certain event

1. Open the Imperva GUI

2. Go to Main > Policies > Security

3. Create a new policy:

a) Click the button to add the new policy:

b) Select the type of policy: "Web Service"

c) Name the policy "Policy_Student X", where X is your student number

d) Select "From Scratch" and type: "Web Service Custom"

e) Click on "Create"

4. Configure the new policy

a) In the Match Criteria tab of the right frame, leave the level of severity at "Medium"

b) In the Match Criteria tab of the right frame, make sure the box "Enabled" is checked


c) In the Match Criteria tab, select the following two criteria: "HTTP Request Method" and "HTTP Request URL" by clicking on the green arrow to the left of each criterion:

5. Configure the Match Criteria "HTTP Request Method"

a. Extend the Match Criteria by clicking on the blue down arrow

b. Enter POST as value and select At least one as Operation

6. Configure the criterion "HTTP request URL"

a) Extend the Match Criteria by clicking on the blue down arrow

b) Enter /performbuy.jsp as value

c) Leave the "Match" field set to "URL Prefix"

d) Leave the "Operation" field set to "At Least One"

e) Apply the Policy to the Site Object created earlier

f) Save the Policy by clicking on

3 Test the policy

1. Go to the home page of SuperVeda: http://192.168.VLAN.110/


2. Sign in with the following account: bugsb / carrots

3. Add at least one product to your shopping cart and place an order

4. This will trigger the security policy and generate an alert. Since the policy is not set to block, the request is passed on to the web server.

5. Open the SecureSphere GUI at https://192.168.VLAN.100 and navigate to Monitor > Alerts

6. You should see a medium-severity security alert triggered by your custom policy:

7. Highlight the alert and inspect the security violation:


Lab 6 – System Events

Objectives

Create a basic policy and apply it to specific objects

Task 1: Observe the default behavior of SecureSphere for a failed authentication

Task 2: Configure an “action set” to send events to a Syslog server

Task 3: Test the System event policy and Action Set

TASK LIST

Task # Task Description

1 Observe the default behavior of SecureSphere for a failed authentication:

1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083

2. Try to log in with your account and a wrong password

3. Log in with your correct credentials

4. Navigate to Main > Monitor > System Events

5. Type in your username in the Quick Filter field:

6. Investigate the event


Question

Q1: What is the message of that event?

____________________________________________________

Q2: What is the severity of the event?

______________________________________________________

TASK LIST

Task # Task Description

2 Configure an “action set” to send events to a Syslog server

Install the Syslog Watcher server on your workstation. A free version is provided by your instructor.

Install it by accepting all the defaults during installation.

Under File / Setup / Inputs, add the IP of your SecureSphere so that it is allowed to send Syslog (IP: 192.168.VLAN.100)

1. Open the Imperva GUI.

2. Navigate to Main > Policies > Action Sets

a) Click on the symbol to add a new "Action set":

b) Assign the name Syslog_Student <VLAN>

c) In the dropdown “Apply to event type” select “Any Event type”:

d) Click on "Create"

3. Configure the new "Action set"

a) Select "Server System Log > Log system event to System Log(syslog) using the CEF standard" action interface by clicking on the green arrow on the left:

b) Configure the action interface:

c) Extend the criteria

d) Name the action interface Send to Syslog

e) In the Syslog Host field, enter the value corresponding to the syslog server IP (in this case the IP of your workstation!)

f) Check "Run on Every Event"


4. Create a new System Event policy

a) Navigate to Main > Policies > System Events

b) Click the Symbol and create a New Policy

c) Name the Policy Syslog Policy Student <VLAN>

d) Select from the dropdown list the type "Login Failed"

5. Add a Followed Action

a) Click on the Followed Action Tab and select your newly created Action Set from the List.

6. Save the changes


TASK LIST

Task # Task Description

3 Test the System event policy and Action Set:

1. Open the Imperva GUI.

2. Try to log in with your account and a wrong password

3. Go to the syslog server. You should see a Syslog message similar to this:
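
Added example (not part of the original lab guide, and not a reproduction of its screenshot): a Python parser for CEF-formatted syslog lines, the format selected in the action set above, that counts failed logins per user and source so repeated failures stand out on the syslog server. The sample lines are constructed; the vendor and product strings, the use of "Login Failed" as the event class ID, and the extension keys suser, src and msg are assumptions, not SecureSphere's actual output.

```python
import re
from collections import Counter

# The seven pipe-separated CEF header fields, in order.
HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity")
# An extension key is a word directly followed by "="; an escaped "\=" inside
# a value never matches because the backslash sits between the word and "=".
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

# Constructed sample input (assumed field values, see the lead-in).
_FAIL = (r"CEF:0|ExampleVendor|ExampleWAF|11.5|Login Failed|Login failed \| GUI"
         r"|Medium|suser=%s src=%s msg=reason\=bad password")
SAMPLE_LINES = [
    "<134>Nov  1 10:15:02 mx " + _FAIL % ("admin", "192.168.110.50"),
    "<134>Nov  1 10:15:09 mx " + _FAIL % ("admin", "192.168.110.50"),
    "<134>Nov  1 10:15:15 mx " + _FAIL % ("admin", "192.168.110.50"),
    "<134>Nov  1 10:16:40 mx " + _FAIL % ("secure", "192.168.110.51"),
    "<134>Nov  1 10:17:02 mx CEF:0|ExampleVendor|ExampleWAF|11.5|Login"
    "|Login succeeded|Informative|suser=admin src=192.168.110.50",
    "<13>Nov  1 10:17:30 mx sshd[812]: session opened",               # not CEF
    "<134>Nov  1 10:18:00 mx CEF:0|ExampleVendor|ExampleWAF|11.5|Login Failed",  # truncated
]


def _split_header(body, nfields=7):
    """Split on unescaped pipes; return (header fields, extension text)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < nfields:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1])      # escaped pipe or backslash is literal
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < nfields:
        raise ValueError("incomplete CEF header")
    return fields, body[i:]


def _unescape(value):
    """Undo CEF extension escaping: \\=, \\\\, and \\n / \\r line breaks."""
    specials = {"n": "\n", "r": "\r"}
    return re.sub(r"\\(.)", lambda m: specials.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Return a dict for a CEF line, or None if the line is not valid CEF."""
    start = line.find("CEF:")
    if start < 0:
        return None
    try:
        header, ext = _split_header(line[start + 4:])
    except ValueError:
        return None
    event = dict(zip(HEADER_FIELDS, header))
    matches = list(_EXT_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(matches):
        # A value runs until the next key, so it may contain spaces.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    event["extension"] = fields
    return event


def failed_logins(lines, event_class="Login Failed"):
    """Count failed-login events per (user, source IP)."""
    counts = Counter()
    for line in lines:
        ev = parse_cef(line)
        if ev is None or ev["event_class_id"] != event_class:
            continue
        ext = ev["extension"]
        counts[(ext.get("suser", "?"), ext.get("src", "?"))] += 1
    return counts


def repeated_failures(lines, threshold=3):
    """Return sorted (user, src, count) tuples at or above the threshold."""
    return sorted((u, s, n) for (u, s), n in failed_logins(lines).items()
                  if n >= threshold)


if __name__ == "__main__":
    for user, src, n in repeated_failures(SAMPLE_LINES):
        print(f"{n} failed logins for {user} from {src}")
```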


Lab 7 – Followed Actions

Objectives

Learn to use the additional actions available in the policy definition

Task 1: Create a Custom Action Set

Task 2: Set the Action Set as followed Action in your custom policy

Task 3: Test the policy


TASK LIST

Task # Task Description

1 Create a Custom Action Set:

1. Open the Imperva GUI

2. Navigate to Main > Policies > Action Sets

3. Create a new "action set" that will block an IP for 60 Seconds

4. Click on the symbol to add a new "Action set":

a) Name it “BlockIP_Student <VLAN>” where <VLAN> is your VLAN ID

b) In the drop-down list “Apply to event type” select the field “Security Violations ‐ All”

c) Click on "Create"

5. Configure the new Action set

a) Select the "IP Block > Block an IP" action interface by clicking on the green arrow on the left:

b) Configure the action interface:

c) Display the details of this action by clicking the + icon

d) Name the action interface “Block 60 seconds”

Question

Q1: Two Action Sets are available by default for blocking IP addresses during a time window. What are these Action Sets?

_____________________________________________________________________________________


Q2: How long do these two Action Sets Block the IP?

_____________________________________________________________________________________

Q3: What are the values of the field "Trusted IPs"?

_____________________________________________________________________________________________

TASK LIST

Task # Task Description

2 Set the Action Set as followed Action in your custom policy:

1. Navigate to Main > Policies > Security and locate your custom policy Policy_StudentX

To find your policy faster, you can filter the policies. Extend the Policy Origin criteria, select User Defined and hit Apply. Only user-defined policies are displayed.

2. Select your custom policy and configure a Followed Action in the Policy Details screen.

3. Extend the drop-down menu next to Followed Action and select the Action Set BlockIP_Student <VLAN>

4. Save the Changes

TASK LIST

Task # Task Description

3 Test the policy:

1. Go to the home page of SuperVeda: http://192.168.<VLAN>.110


2. Sign in with the following account: bugsb / carrots

3. Add at least one product to your shopping cart and place an order.

4. This will trigger the security policy and followed action.

Questions

Q4: After performing the above, is the URL accessible?

__________________________________________________________________

Q5: If the URL is still accessible, why?

__________________________________________________________________

Imperva keeps a list of currently blocked and recently released sources. Navigate to Main > Monitor > Blocked Sources to access these lists. From here it is also possible to release a blocked IP.

Lab 8 ‐ Profiling

Objectives

The goal of this Lab is to understand how our profiling and the associated security mechanisms work.

TASK LIST

Task # Task Description

1 View an application profile:

1. Open the Imperva GUI.

2. Go to Main > Profile > Overview

3. Expand the Site tree and select the Default Web Application under the SuperVeda Webserver.

4. On the left panel, click on "URLs (List View)". All URLs learned so far are displayed in this view.

Questions

Q1: In Lab 2, we asked you to access the URL http://192.168.<VLAN>.100/cmd.exe. Was the URL /cmd.exe profiled? Why?

_____________________________________________________________________________________

Q2: What is the URL for the login page of the SuperVeda shop?

_____________________________________________________________________________________

Q3: How many parameters were profiled on this URL? What are the names and Value Types of the parameters learned?

Parameter name __________________________________

Value type __________________________________

TASK LIST

Task # Task Description

1 Manually change an application profile

1. Set the login.jsp page to "Protect" mode

a. Right‐click on the site's authentication URL login.jsp

b. In the context menu, click on "Switch to Protect"

It is now possible to change the profile information of the URL

2. Change the Parameter values for the field password

a. Click on the link under Value Type for the parameter password

b. Uncheck all special characters

c. In the "Primary Value Type" select Latin Characters

e. Save by clicking

4. Generate a profile violation

a. Go to the home page of SuperVeda Server http://192.168.<VLAN>.110

b. Connect with the following account:

Username: bobby Password: “twenty_one”

Questions

Q1: Is access possible?

_________________________________________________________________________

Q2: Why?

___________________________________________________________________________________

TASK LIST

Task # Task Description

2 Review the violation

1. Open the Imperva GUI

2. Go to Main > Monitor > Alerts

3. Filter alerts with the By User Name Filter (Equals “bobby”)

4. Find the triggered violation

TASK LIST

Task # Task Description

3 Optional: Clone and modify the Default Profile Policy

1. Open the Imperva GUI.

2. Navigate to Main > Policies > Security

3. Apply a filter to display only Web Profile Policies (By Type – Application Level – Web Profile)

4. Create a new profile policy based on the Web Profile Default Policy

a) Click on

b) Select Web Application and name it Custom - Web Profile Policy

c) Select Use existing and choose Web Profile Policy

5. Edit the cloned policy to block (and not alert) when a parameter type violation is detected

6. Apply the policy and perform the Login from Task 1.4 again

Questions

Q1: What happens?

______________________________________________________

Lab 9 ‐ User Tracking

Objectives

The goal of this Lab is to configure the User Tracking feature of SecureSphere. With this function, SecureSphere learns the username of an application user and shows it in the logs.

TASK LIST

Task # Task Description

1 Determine the authentication mechanisms of the website

1. Open the SecureSphere Web Interface.

2. Perform a failed Login in SuperVeda

a. Open SuperVeda and enter a fake login / password (trigger a failed login)

b. Click on "Sign In"

Question

Q1: What is the error message that appears on the screen and is returned by the WebShop?

_____________________________________________________________

TASK LIST

Task # Task Description

3 Configure User Tracking

1. Open the SecureSphere Web Interface

2. Go to Main > Profile > Overview

3. In the site tree, select the "Default Web Application" under the HTTP Service of the SuperVeda Server group:

4. Select the User Tracking feature on the left panel

5. The login URL has normally been profiled automatically. If this is not the case, configure it manually:

a. Click on the symbol on the central frame

b. In the "Action URL" field, enter the following values:

c. Click on Create

6. Configure the method (right panel)

a. In the drop‐down bar, select "Active"

b. Delete the type discovered and add a new decision rule

c. click on and type in the following:

d. Save your changes by clicking on

TASK LIST

Task # Task Description

3 Test the User tracking feature

1. Trigger a security violation as a web shop user

a) Browse to the SuperVeda Webshop

b) Log in as a user (log out and log in again if you are still in a session)

c) Perform a simple XSS attack on the search field

d) Enter the following string in search:

<script>alert(document.cookie);</script>

2. Review the alert in SecureSphere. It should look like this:

Question

Q4: Are the Username and Session ID correctly displayed?

_________________________________________________________________________

Lab 10 - Reporting

TASK LIST

Task # Task Description

1 Creating an annual report on alerts:

1. Go to – Main – Reports – Manage Reports

2. Create a new Report of type “Alerts”

a) Provide a name and create from scratch

3. Select and Configure the new report

a) General Details:

i. Leave as Default

b) Data Scope:

i. Enable Field “Last Few Days” and set to: “Last: 365 days”

c) Tabular:

i. Disable Tabular View

d) Data Analysis Views:

i. Enable and Configure “Data Analysis View 1”

1. Title: Top 10 Server Group Distribution

2. Chart Type: Pie

3. X-Axis: Server Group

4. Y-Axis: Num. of Events

ii. Enable and Configure “Data Analysis View 2”

1. Title: Top 10 events by Alert Name

2. Chart Type: Pie

3. X-Axis: Alert Name

4. Y-Axis: Num. of events

iii. Enable and Configure “Data Analysis View 3”

1. Title: Top 10 Source IPs

2. Chart Type: Pie

3. X-Axis: Source IP

4. Y-Axis: Num. of events

iv. Enable and Configure “Data Analysis View 4”

1. Title: Distribution of events by Severity

2. Chart Type: Pie

3. X-Axis: Severity

4. Y-Axis: Num. of events

v. Disable “Data Analysis View 5”

e) Scheduling:

i. Leave as Default

f) Results:

i. No changes possible

g) Permissions:

i. Leave as Default

4. Save the new report by clicking on

2 Creating a weekly report on system events:

1. Go to – Main – Reports – Manage Reports

2. Create a new Report of type “System Events”

a) Provide a name and create from scratch

3. Select and Configure the new report

a) General Details:

i. Leave as Default

b) Data Scope:

i. Enable Field “Last Few Days” and set to: Last: 7

c) Tabular:

i. Disable Tabular View

d) Data Analysis Views:

i. Enable and Configure “Data Analysis View 1”

1. Title: Number of System Events by Subsystem

2. Chart Type: Pie

3. X-Axis: Subsystem

4. Y-Axis: Occurrences

ii. Disable other Data Analysis Views (2 to 5)

e) Scheduling:

i. Leave as Default

f) Results:

i. No changes possible

g) Permissions:

i. Leave as Default

4. Save the new report

3 Creating a weekly report on User system events:

1. Go to – Main – Reports – Manage Reports

2. Create a new Report of type “System Events”

a) Provide a name and use existing from above (task 2)

3. Select and Configure the new report

a) General Details:

i. Leave as Default

b) Data Scope:

i. Last Few Days:

1. Last: 7

ii. Subsystem:

1. Selected: User

c) Tabular:

i. Enable Tabular View

ii. Add the following columns:

1. Severity

2. Message

3. Create time

iii. Configure Sorting:

1. Severity – Ascending

2. Message – Ascending

d) Data Analysis Views:

i. Disable all “Data Analysis Views”

e) Scheduling:

i. Leave as Default

f) Results:

i. No changes possible

g) Permissions:

i. Leave as Default

4. Save the new report

3a Creating a system event policy for user X

Example: Send message to SIEM (syslog) when the Super-User “admin” logs in:

1. Go to – Main – Policies – System Events

2. Create a new System Event Policy of Type “User logged in”

3. Define the Policy Details

a) Matching Text Segment: User admin logged in

4. Define the Followed Action

a) Followed Action: “LAB - Send System Event to syslog” (*)

b) Send to SOM: no

(*) In case there is no appropriate Followed Action for System Events available, follow the steps below to create one:

1. Go to – Main – Policies – System Events

2. Create a new Action Set

a) Provide a name and Apply to events of type “System Events”

3. Configure the new Action Set:

a) Select the Action Interface:

“Server System Log > Log system event to System Log (syslog) using the CEF standard”

b) Syslog Host: IP of your workstation (Kiwi)

c) Syslog Log Level: INFO

d) Facility: KERN

e)

4 OPTIONAL: Creating a report on specific violations:

1. Go to – Main – Reports – Manage Reports

2. Create a new Report of type “Alerts”

a) Provide a name and use existing from above (task 1)

3. Select and Configure the new report

a) General Details:

i. Leave as Default

b) Data Scope:

i. Last Few Days

1. Last: 365

ii. Violations

1. Parameter Value Length Violation

2. Parameters Type Violation

3. Unknown Parameter

4. Required Parameter Not Found

c) Tabular:

i. Enable Tabular View

ii. Add the following columns:

1. Alert Name

2. Alert Description

3. Num. of Events

4. URL

iii. Configure Sorting:

1. Alert Name – Ascending

2. Num. of Events – Descending

iv.

d) Data Analysis Views:

i. Leave all Data Analysis Views as copied

e) Scheduling:

i. Leave as Default

f) Results:

i. No changes possible

g) Permissions:

i. Leave as Default

4. Save the new report !!!

Results – How to Test/Demo the Use-cases

The following steps allow you to demo the use-case scenario described in this lab guide:

Reports

For the reports (Tasks 1, 2, 3, and 4) – run each report and view the results

Run Report:

o Run now: Main - Reports - Manage Reports

General Details Tab

Action Menu

o Scheduled

Scheduling Tab

View Report:

o Open/Download after Run now

o Main - Reports - Manage Reports -> Results Tab of individual report definitions/templates

o Main - Reports - View Results

System Event Policy

For the system event policy (Task 3a) – do the following:

Log in to the MX GUI as admin one or more times

Log in to UDS Splunk as admin/password (or to Kiwi on UDS Server)

In Splunk define a search filter: host="10.255.0.100"

Verify the result:
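As an added example (not part of the lab guide and not Imperva code), the Python check below classifies raw lines at the syslog receiver against the Task 3a settings: facility KERN and level INFO give the prefix `<6>`, and the CEF header or extension must contain the matching text "User admin logged in". It assumes the receiver stores the raw line including the `<PRI>` prefix; the sample lines are constructed and their vendor, product and event ID values are placeholders, not SecureSphere output.

```python
# Added example: validate CEF-over-syslog lines at the receiver (assumptions labelled).
import re

FACILITY = {"KERN": 0, "USER": 1, "DAEMON": 3, "AUTH": 4, "LOCAL0": 16}  # syslog codes
SEVERITY = {"ERR": 3, "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7}
CEF_FIELDS = ("version", "vendor", "product", "device_version",
              "event_class_id", "name", "severity")

def expected_pri(facility, level):
    """PRI value in the <N> prefix: facility * 8 + severity."""
    return FACILITY[facility] * 8 + SEVERITY[level]

def split_cef(body):
    """Split the 7 pipe-delimited CEF header fields, honouring \\| and \\\\ escapes."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(CEF_FIELDS):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "\\|":
            cur.append(body[i + 1])          # keep the escaped character literally
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != len(CEF_FIELDS):
        return None                          # truncated or malformed header
    return dict(zip(CEF_FIELDS, fields)), body[i:]   # remainder is the extension

def check_event(line, facility="KERN", level="INFO", text="User admin logged in"):
    """Classify one raw syslog line against the Task 3a settings."""
    m = re.match(r"<(\d{1,3})>", line)
    start = line.find("CEF:")
    if not m or start < 0:
        return "not-cef"
    parsed = split_cef(line[start + 4:])
    if parsed is None:
        return "not-cef"
    header, extension = parsed
    if int(m.group(1)) != expected_pri(facility, level):
        return "wrong-pri"                   # facility/level differ from the Action Set
    if text not in header["name"] and text not in extension:
        return "no-match"                    # some other system event
    return "ok"

# Constructed sample lines; vendor/product/ID values are placeholders.
SAMPLES = [
    "<6>Nov  1 10:00:00 mx CEF:0|ExampleVendor|ExampleProduct|0.0|evt-1|User admin logged in|Informative|suser=admin",
    "<14>Nov  1 10:00:05 mx CEF:0|ExampleVendor|ExampleProduct|0.0|evt-1|User admin logged in|Informative|suser=admin",
    "<6>Nov  1 10:01:00 mx CEF:0|ExampleVendor|ExampleProduct|0.0|evt-1|User bob logged in|Informative|suser=bob",
    "<6>Nov  1 10:02:00 mx CEF:0|ExampleVendor|ExampleProduct|0.0|evt-2|Login \\| User admin logged in|Informative|",
    "<6>Nov  1 10:03:00 mx plain syslog text without a CEF header",
]

def classify_all(lines=SAMPLES):
    return [check_event(line) for line in lines]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLES, classify_all()):
        print(f"{verdict:9} {line}")
```

A "wrong-pri" verdict points at the Syslog Log Level or Facility in the Action Set, while "no-match" means the line came from a different system event than the policy's Matching Text Segment.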

Appendix

Report Examples

Annual_Alerts_Report

Weekly_System_Events_Report

Weekly_USER_System_Events_Report

Specific_Violations_Report