Imperva WAF Lab Guide - RRC (rrc.ru/upload/imperva/Imperva-StartUp-WAF-LabGuide-V3.pdf)
Imperva WAF Lab Guide Practical Lab for SecureSphere V11.5
Version: 3.01 – Nov 01, 2016
SecureSphere Lab Guide
Copyright © 2016 Imperva. All rights reserved. 2
Index:
Introduction .......... 2
Lab 1 - Site Objects .......... 5
Lab 2 - Alerts and violations .......... 11
Lab 3 - Blocking .......... 16
Lab 4 - Signatures .......... 19
Lab 5 - Policies .......... 22
Lab 6 – System Events .......... 27
Lab 7 – Followed Actions .......... 31
Lab 8 - Profiling .......... 35
Lab 9 - User Tracking .......... 40
Lab 10 - Reporting .......... 43
Appendix .......... 61
Introduction
This lab workbook guides you through exercises that show essential functions of the Imperva WAF solution.
“Lab in a box” - Environment
The “Lab in a box” environment consists of several VMs that can be used to demo different scenarios. For this lab, the SecureSphere V11.5 Onebox and SuperVeda 2010 are used. There are 4 separate VLANs (110, 120, 130 and 140), and each VLAN has its own resources. On your table you will find information about which VLAN has been assigned to you.
Resources
UDS - SecureSphere 11.5 – IP: 192.168.VLAN.100 (admin port 8083)
UDS - SuperVeda2010 MS SQL (vulnerable web application) – IP: 192.168.VLAN.110
Login information
Use the following credentials to log in to the different machines and services in the lab-in-a-box environment.
SecureSphere Web GUI Login
From the Client, connect to SecureSphere using Firefox, IE or Chrome.
User: admin
Password: Webco123
SecureSphere Credentials
Console
Username: root
Password: Root123
Username: secure
Password: Webco123
ssh
Username: udsimperva
Password: Webco123
Remote Agents / Gateway
Username: imperva
Password: Webco123
SuperVeda
OS Login
User: administrator
Password: Secure123!
Site: http://10.255.VLAN.110:8080
Login: bugsb
Password: carrots
Site: http://10.255.VLAN.110:8080/admin
Login: admin
Password: system
Lab 1 – Attacks & Site Objects
Objectives
The goal of this lab is to understand the lab setup and the demo VMs, and to identify the resources to be protected.
SuperVeda is the web server that will be used in the different labs. Its web service listens on port 80.
An Imperva WAF is configured in bridge mode and will protect the Web server.
Questions
Q1: Check that the Web server SuperVeda is accessible from the desktop
(http://192.168.VLAN.110 - make sure you adjust the IP to the network that has been assigned to you)
_____________________________________________________________________________
Q2: What will be the IP of the Web server to be configured on the Imperva-platform?
_____________________________________________________________________________
Q3: What will be the listening port of the Web server to be configured in the Imperva GUI?
_____________________________________________________________________________
Task List – Basic SQL Attack
TASK LIST
Task # Task Description
1 Understanding non-configured resources:
1. With a web browser, go to this address: http://192.168.VLAN.110
2. Click on “Sign In”
3. As Username, enter
'or 1=1 --
(There are 2 dashes at the end of the command).
4. Click on “Sign In”
5. Confirm that the SQL injection attack succeeds and allows you to log in. If you click on “My Account”, the window should be similar to the following:
6. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083; log in with the credentials provided at the beginning of this document.
7. Go to Main> Monitor> Alerts
Questions
Q4: Do you see information on the SQL Injection attack you just made?
Yes No
Q5: What is the explanation for this behavior?
_____________________________________________________________________________________
You can find this document on the desktop of your student PC in PDF Format. If you want, you can copy & paste difficult to type commands (like for SQL Injection) from the document into the GUI.
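The login bypass in this task works because the application builds its SQL query by string concatenation, so the username becomes part of the query. The following Python example is added here and is not part of the lab guide or of SuperVeda (whose real code and schema are not shown); it reproduces the same login against an in-memory SQLite table with constructed users, beside the parameterized version an application fix would use. Table name, column names and user rows are assumptions.

```python
import sqlite3

# Constructed stand-in for the SuperVeda user store (assumption: the real
# schema is not on the page). Credentials are the lab's demo accounts.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("bugsb", "carrots"), ("admin", "system")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The username is pasted straight into the SQL text. With the lab's input
    # 'or 1=1 --  the WHERE clause becomes  username = '' or 1=1  and the rest
    # of the statement (the password check) is commented out by "--".
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters: the input is always data, never SQL syntax, so the
    # same string is simply compared against the username column.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    payload = "'or 1=1 --"          # the string from Task 1, step 3
    print("vulnerable:", login_vulnerable(db, payload, "anything"))
    print("fixed:     ", login_fixed(db, payload, "anything"))
```

Running the file shows the vulnerable function accepting the injected username while the parameterized one rejects it; the WAF only sees the request once the SuperVeda site object is configured (Q4/Q5), which is independent of this application-side defect.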
Task List – Configure Superveda objects in Imperva GUI
TASK LIST
Task # Task Description
1 Configure SuperVeda:
1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083
2. Go to Main / Setup / Sites
3. In the tree, create the site "Training Imperva"
4. Create a Server Group for SuperVeda website.
Click on the website "Training Imperva" and right click to bring up the context menu
Click on "Create Server Group"
Name the server group Server Group SuperVeda
Click on "Create". In the "Sites Tree" tree, click on the new Server
Group, and select the "Definitions" tab on the central panel
Questions
Q6: What is the "Operation" mode of the server group?
_____________________________________________________________________________________
Q7: With this setup, would a Web-based attack be blocked by the WAF?
Yes No
Q8: In this setup, would a Web-based attack generate alerts / violations on the WAF?
Yes No
5. In the Definitions tab, in the table "Protected IP Addresses", click on the icon and add
the IP address of SuperVeda (192.168.VLAN.110)
6. Save the changes by clicking
7. Create a Web Service for SuperVeda website (Main> Setup> Sites): In the tree "Sites
Tree", right-click on the Server Group to bring up the context menu.
8. Click on “Create service”
9. Name the Service “Service-SuperVeda” and select HTTP Service in the drop down list
(depending on the licenses of the SecureSphere demo environment, this list may vary):
10. Click on “Create”
11. In the tree "Sites Tree", click on the new service and select the "Definitions" tab in the
central panel
12. In the "HTTP Port" field, enter the value of the listening port of the SuperVeda server
(see question 3)
13. Save changes by clicking
14. In the "Sites Tree", expand the new service using the icon next to the service.
15. Check that no Data Masking is enabled by default on Service / Operation / Data
Masking, if it is, please remove it:
Questions
Q9: What is the name of the application that was created automatically?
_____________________________________________________________________________________
Lab 2 - Alerts and violations
Objectives
The goal of this Lab is to understand and know how to interpret alerts and violations in the WAF
TASK LIST
Task # Task Description
1 Generate a violation on the WAF:
1. Using a Web browser, go to the following address of the web server SuperVeda
(192.168.VLAN.110)
2. Type the following string in the Username field of the "Sign In" page:
' or (2=2) --
3. Click on “Sign in”
Questions
Q1: Was the SQL Injection attack successful?
________________________________________________________________________
Q2: Why?
________________________________________________________________________
TASK LIST
Task # Task Description
1 Observe triggered violation:
1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083
2. Go to Main / Monitor / Alerts
3. Find the alert triggered by the SQL injection attack you just made
Questions
Q3: Fill out this list:
Event Date: ___________________________
Server group concerned: ___________________________
Service concerned: ___________________________
Application concerned: ___________________________
URL concerned: ___________________________
Field parameter that triggered the violation: ___________________________
Source IP of the attack: ___________________________
TASK LIST
Task # Task Description
1 Create a search filter to display only specific alerts to your Web server:
1. Remove all filters that might exist by clicking the “clear” button
2. In the "Basic Filter" tab, select "By Server Group"
3. Check your server Group that you created before
4. Save your filter by clicking on "Save"
5. Name the filter "Filter Student ‘VLAN’ "
6. Click on “save”
7. Validate the successful creation of your filter by clicking on the tab "Saved Filters". Your new filter should be included in the list of filters
Questions
Q4: What other filter could have been used to achieve a similar result?
_____________________________________________________________________________________
TASK LIST
Task # Task Description
1 Managing multiple relationships in the WAF:
4. Using a web browser, go to the following address on the SuperVeda web server:
192.168.VLAN.110/cmd.exe
An error window similar to this one should appear:
5. Repeat the access to 192.168.VLAN.110/cmd.exe in a short period of time
6. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083
7. Go to Main > Monitor > Alerts
8. Filter alerts using the filter you created before
a. In the Filters panel, click the "Saved Filters" tab
b. Select your filter
9. Find the alerts triggered by the illegitimate access you just made
Questions
Q5: Complete the information below:
Number of alerts triggered: _____________________________
Description of the alert _____________________________
Signature which has triggered the alert: _____________________________
Dictionary name of the alert: _____________________________
IP Address of the attack: _____________________________
Q6: Find the alert triggered by the illegitimate accesses you just made and complete the information
below:
Number of aggregated violations in this alert : ____________________________
Aggregation factors : ____________________________
Lab 3 - Blocking
Objectives
Understand the operation mode “active” and create a custom error page
TASK LIST
Task # Task Description
1 Change the operation mode of the server group:
1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083
2. Go to Main / Setup / Sites
3. In the tree, select the server group you created before and select the “definitions” tab
from the center panel.
4. Set the operation mode to “active”
5. Save the change by clicking
Generate a violation on the WAF:
6. Using a Web browser, go to the SuperVeda Webserver (192.168.VLAN.110)
7. Type the following string in the Username field of the "Sign In" page: ' or (3=3) --
8. Click on “Sign in”
Questions
Q1: Is the SQL Injection attack blocked?
________________________________________________________________________
Q2 : What is the associated incident number?
_________________________________________________________________________
TASK LIST
Task # Task Description
2 Monitor violations and triggered alerts:
1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083
2. Go to Main > Monitor > Alerts
3. Find the previous triggered violation
a) In the Filters panel in the Quick Filter field, enter the incident number noted
above (do not insert a space before or after the number)
b) Click on the filter button
c) Click on apply
4. Filter alerts using the filter you created before
5. Find the alert triggered in the Lab
Questions
Q1: What is the incident number in the details of the violation used for?
_________________________________________________________________________
Q2: In the GUI, how can you differentiate between an attack the WAF actually stopped (Active Mode) and an
attack that was detected but not blocked (Simulation Mode)?
_________________________________________________
TASK LIST
Task # Task Description
3 Change the default error page
1. Open the Imperva GUI.
2. Go to Main / Setup / Sites
3. In the Sites Tree, find the service you created previously
4. Expand Section “Error Page”
5. On the "Page", enter the following HTML: <html>customized error</html> instead of the default code
6. Save the changes by clicking on
7. Generate a new violation: Using a Web browser, go to the following address of the web server SuperVeda (192.168.VLAN.110)
8. Type the following string in the Username field of the "Sign In" page: ' or (4=4) --
9. Click on “Sign in”
10. Observe the new error page returned
Lab 4 - Signatures
Objectives
Create a signature and apply it
TASK LIST
Task # Task Description
1 Create a new dictionary signature:
1. Open the Imperva GUI.
2. Go to Main / Setup / Signatures
a) On the left panel, click on the symbol to add a new signature dictionary and select "Create Manual Dictionary"
b) Name of the dictionary: Student <VLAN>
c) Dictionary Type: Web
3. Click on “create”
4. Add a signature to the dictionary
a) Verify that the newly created dictionary is selected on the left panel
b) On the central panel, click on the symbol to add a new signature
c) Signature Name: “Signature_Student <VLAN>” (where <VLAN> is your VLAN)
d) Signature: part=”XXX”
e) Protocols: http
f) Search Signature In: Parameters
g) Click on «Create»
h) Save the changes by clicking on
Create a new security policy
5. Go to Main > Policies > Security
6. Create a new security policy using the dictionary created before
a) On the central panel, click on the symbol to add a new policy
b) Select « Web Application »
c) Name: Signature Policy Student <VLAN>
d) Select « From Scratch »
e) Type : « Web Application Signatures »
f) Click on Create
7. Configure the security policy
a) On the central panel, verify that the newly created policy is selected
b) On the right panel, in the "Policy Rules" tab, click on the symbol and select
the new dictionary you just created
c) Check the box «Enabled»
d) Severity = High
e) Action = None
f) In the tab «Apply To», select the Server Group “Training Imperva”
g) Save the changes by clicking on
Test the security policy:
8. Using a Web browser, go to the SuperVeda Web server (192.168.VLAN.110)
9. Type the following string in the Username field of the "Sign In" page:
XXX
10. Click on “Sign in”
11. Open the Imperva GUI
12. Go to Main / Monitor / Alerts
13. Find the Alert of this signature violation
Lab 5 - Policies
In this Lab a WebService policy will be created that gets triggered on a specific event.
Objectives
Create a basic policy and apply it to specific objects
Task 1: Create a new Web Service policy
Task 2: Creating a policy that gets triggered on a certain event
Task 3: Test the policy
Task 4: Optional: Configure Exceptions
TASK LIST
Task # Task Description
1 Create a new Web Service policy
1. Go to the home page of SuperVeda: http://192.168.VLAN.110/
2. Sign in with the following account: Login: bugsb / Password: carrots
3. Click on "login"
TASK LIST
Task # Task Description
2 Creating a policy that gets triggered on a certain event
1. Open the Imperva GUI
2. Go to Main> Policies> Security
3. Create a new policy:
a) Click the button to add the new policy:
b) Select the type of policy: "Web Service"
c) Name it "Policy_Student X", where X is your student number
d) Select "From Scratch" and type: "Web Service Custom"
e) Click on "Create"
4. Configure the new policy
a) In the Match Criteria tab of the right frame, leave the level of severity at "Medium"
b) In the Match Criteria tab of the right frame, make sure the box "Enabled" is checked
c) In the Match Criteria tab, select the following two criteria, "HTTP Request Method" and "HTTP Request URL", by clicking on the green arrow to the left of each criterion:
5. Configure the Match Criteria "HTTP Request Method"
a. Expand the Match Criteria by clicking on the blue down arrow
b. Enter POST as value and select At least one as Operation
6. Configure the criterion "HTTP request URL"
a) Expand the Match Criteria by clicking on the blue down arrow
b) Enter /performbuy.jsp as value
c) Leave the "Match" field at "URL Prefix"
d) Leave the "Operation" field at "At Least One"
e) Apply the Policy to the Site Object created earlier
f) Save the Policy by clicking on
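Lab 4 and this task configure two alert-only policies: a signature policy that searches the dictionary part "XXX" in request parameters (severity High, action None), and a Web Service Custom policy whose two match criteria, method POST and URL prefix /performbuy.jsp, must both hold (severity Medium). The following Python model is added here and is not Imperva code: the class and function names are this example's own, the requests are constructed, and treating all match criteria of one policy as ANDed is an assumption about the product's semantics.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence


@dataclass
class Request:
    """Minimal view of an HTTP request as a web-service policy sees it (assumed model)."""
    method: str
    url: str
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class Policy:
    name: str
    severity: str
    criteria: List[Callable[[Request], bool]]   # every criterion must match
    action: str = "None"                         # "None" = alert only, as in the labs


# --- Match-criteria builders (names invented for this example) -------------

def method_in(values: Sequence[str]) -> Callable[[Request], bool]:
    """'HTTP Request Method' with operation 'At least one' of the listed values."""
    allowed = {v.upper() for v in values}
    return lambda r: r.method.upper() in allowed


def url_prefix(prefixes: Sequence[str]) -> Callable[[Request], bool]:
    """'HTTP Request URL', match 'URL Prefix', operation 'At least one'."""
    return lambda r: any(r.url.startswith(p) for p in prefixes)


def signature_in_parameters(parts: Sequence[str]) -> Callable[[Request], bool]:
    """A manual-dictionary signature such as part="XXX", searched in parameters."""
    return lambda r: any(part in value for value in r.params.values() for part in parts)


# The two policies built in Lab 4 and Lab 5, expressed in this model.
SIGNATURE_POLICY = Policy(
    name="Signature Policy Student <VLAN>", severity="High",
    criteria=[signature_in_parameters(["XXX"])])

WEB_SERVICE_POLICY = Policy(
    name="Policy_Student X", severity="Medium",
    criteria=[method_in(["POST"]), url_prefix(["/performbuy.jsp"])])


def evaluate(req: Request, policies: Sequence[Policy]) -> List[Dict[str, str]]:
    """Return one alert record per policy whose criteria all match the request."""
    alerts = []
    for policy in policies:
        if all(criterion(req) for criterion in policy.criteria):
            alerts.append({"policy": policy.name, "severity": policy.severity,
                           "action": policy.action})
    return alerts


if __name__ == "__main__":
    # Constructed sample traffic: a normal order, a login carrying the test
    # string from Lab 4, and a GET that does not satisfy the method criterion.
    samples = [
        Request("POST", "/performbuy.jsp", {"qty": "1"}),
        Request("POST", "/login.jsp", {"username": "XXX", "password": "x"}),
        Request("GET", "/performbuy.jsp"),
    ]
    for s in samples:
        print(s.method, s.url, "->", evaluate(s, [SIGNATURE_POLICY, WEB_SERVICE_POLICY]))
```

Because both policies carry action None, the request still reaches the web server in every case; what changes is only which alert appears under Main > Monitor > Alerts.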
3 Test the policy
1. Go to the home page of SuperVeda: http://192.168.VLAN.110/
2. Sign in with the following account: bugsb / carrots
3. Add at least one product to your shopping cart and place an order
4. This will trigger the security policy and generate an alert. Since the policy is not set to blocking, the request is passed to the web server.
5. Open up the SecureSphere GUI under https://192.168.VLAN.100 and navigate to Monitor > Alerts
6. You should see a medium security alert triggered by your custom policy:
7. Highlight the alert and inspect the security violation:
Lab 6 – System Events
Objectives
Create a basic policy and apply it to specific objects
Task 1: Observe the default behavior of SecureSphere for a failed authentication
Task 2: Configure an “action set” to send events to a Syslog server
Task 3: Test the System event policy and Action Set
TASK LIST
Task # Task Description
1 Observe the default behavior of SecureSphere for a failed authentication:
1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083
2. Try to log in with your account and a wrong password
3. Login with your correct credentials
4. Navigate to Main > Monitor > System Events
5. Type in your username in the Quick Filter field:
6. Investigate the event
Question
Q1: What is the message of that event?
____________________________________________________
Q2: What is the severity of the event?
______________________________________________________
TASK LIST
Task # Task Description
2 Configure an “action set” to send events to a Syslog server
Install the Syslog Watcher server on your workstation (a free version is provided by your instructor), accepting all the defaults during installation.
Under File / Setup / Inputs, add the IP of your SecureSphere (192.168.VLAN.100) so it is allowed to send Syslog.
1. Open the Imperva GUI.
2. Navigate to Main > Policies > Action Sets
a) Click on the symbol to add a new "Action set":
b) Assign the name Syslog_Student <VLAN>
c) In the dropdown “Apply to event type” select “Any Event type”:
d) Click on "Create"
3. Configure the new "Action set"
a) Select "Server System Log > Log system event to System Log(syslog) using the CEF standard" action interface by clicking on the green arrow on the left:
b) Configure the action interface:
c) Expand the criteria
d) Name the action interface Send to Syslog
e) In the Syslog Host field, enter the value corresponding to the syslog server IP (in
this case the IP of your workstation!)
f) Check "Run on Every Event"
4. Create a new System Event policy
a) Navigate to Main > Policies > System Events
b) Click the Symbol and create a New Policy
c) Name the Policy Syslog Policy Student <VLAN>
d) Select from the dropdown list the type "Login Failed"
5. Add a Followed Action
a) Click on the Followed Action Tab and select your newly created Action Set from the List.
6. Save the changes
TASK LIST
Task # Task Description
3 Test the System event policy and Action Set:
1. Open the Imperva GUI.
2. Try to log in with your account and a wrong password
3. Go to the syslog server, you should see a Syslog message similar to this:
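The action set above sends system events to the Syslog Watcher in CEF format. As an added example that is not part of the guide, the following Python parser splits a CEF line into its seven header fields and its key=value extension, honouring the escapes CEF defines (a backslash before | in the header and before = in the extension), and selects failed logins the way the "Login Failed" policy type does. The sample line is constructed for this example; it is not a captured SecureSphere message, and its vendor, product, extension keys and address are assumptions.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample shaped like a CEF line (NOT a real SecureSphere message;
# the field values are assumptions made for this example).
SAMPLE_CEF = (
    "CEF:0|Imperva Inc.|SecureSphere|11.5|Login Failed|Login Failed|5|"
    "suser=admin src=192.168.110.50 msg=Login failed for user admin reason\\=bad password"
)

_HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                  "signature_id", "name", "severity")


def _split_header(line: str) -> Tuple[List[str], str]:
    """Return the seven pipe-delimited header fields and the remaining
    extension text. A backslash escapes the next character, so '\\|' inside
    a header field does not end the field."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("not a CEF header: fewer than 7 fields")
    return fields, line[i:]


# A key is a run of key characters directly followed by '=' at the start of the
# extension or after whitespace; an escaped '\\=' inside a value never matches.
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _parse_extension(ext: str) -> Dict[str, str]:
    """Extension values may contain spaces, so each value runs until the next key."""
    keys = list(_KEY.finditer(ext))
    out: Dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_cef(line: str) -> Dict[str, Any]:
    fields, ext = _split_header(line.rstrip("\r\n"))
    if not fields[0].startswith("CEF:"):
        raise ValueError("missing CEF: prefix")
    event: Dict[str, Any] = dict(zip(_HEADER_FIELDS, fields))
    event["cef_version"] = fields[0][len("CEF:"):]
    if event["severity"].isdigit():
        event["severity"] = int(event["severity"])
    event["extension"] = _parse_extension(ext)
    return event


def is_failed_login(event: Dict[str, Any]) -> bool:
    """Selector matching what the 'Login Failed' system-event policy type covers."""
    return event["name"] == "Login Failed"


if __name__ == "__main__":
    ev = parse_cef(SAMPLE_CEF)
    print(ev["product"], ev["severity"], ev["extension"])
    print("failed login:", is_failed_login(ev))
```

Feeding the watcher's saved lines through parse_cef gives you the user (suser) and source (src) of each failed console login as structured fields instead of free text.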
Lab 7 – Followed Actions
Objectives
Learn to use the additional actions available in policy definitions
Task 1: Create a Custom Action Set
Task 2: Set the Action Set as followed Action in your custom policy
Task 3: Test the policy
TASK LIST
Task # Task Description
1 Create a Custom Action Set:
1. Open the Imperva GUI
2. Navigate to Main > Policies > Action Sets
3. Create a new "action set" that will block an IP for 60 Seconds
4. Click on the symbol to add a new "Action set":
a) Name it “BlockIP_Student <VLAN>” where <VLAN> is your VLAN ID
b) In the drop-down list “Apply to event type” select the field “Security Violations ‐ All”
c) Click on "Create"
5. Configure the new Action set
a) Select the "IP Block > Block an IP" action interface by clicking on the green arrow on
the left:
b) Configure the action interface:
c) Display the details of this action by clicking the + icon
d) Name the action interface “Block 60 seconds”
Question
Q1: Two Action Sets are available by default for blocking IP addresses during a time window. What are
these action sets?
_____________________________________________________________________________________
Q2: How long do these two Action Sets Block the IP?
_____________________________________________________________________________________
Q3: What are the values of the field "Trusted IPs"?
_____________________________________________________________________________________________
TASK LIST
Task # Task Description
2 Set the Action Set as followed Action in your custom policy:
1. Navigate to Main > Policies > Security and locate your custom Policy Policy_StudentX
To find your policy faster, you can filter the policies: expand the Policy Origin criterion, select User Defined and click Apply. Only user-defined policies are
displayed.
2. Select your custom Policy and configure a Followed Action in the Policy Details screen.
3. Extend the drop-down menu next to Followed Action and select the Action Set
BlockIP_Student <VLAN>
4. Save the Changes
TASK LIST
Task # Task Description
3 Test the policy:
1. Go to the home page of SuperVeda: http://192.168.<VLAN>.110
2. Sign in with the following account: bugsb / carrots
3. Add at least one product to your shopping cart and place an order.
4. This will trigger the security policy and followed action.
Questions
Q4: After performing the above, is the URL accessible?
__________________________________________________________________
Q5: If the URL is still accessible, why?
__________________________________________________________________
Imperva keeps a list of currently blocked and recently released sources,
navigate to Main > Monitor > Blocked Sources to access these lists. From
here it is also possible to release a blocked IP.
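The followed action built in this lab blocks the offending source IP for 60 seconds, never blocks the addresses listed under "Trusted IPs", and the Blocked Sources view shows current and recently released blocks and allows a manual release. The Python class below is an added illustration, not Imperva's blocking engine; it models that behaviour with explicit timestamps so the release window can be checked in a test, and every IP address in it is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class BlockedSources:
    """Model of a 'Block an IP' followed action plus the Blocked Sources lists.
    Timestamps are passed in explicitly (seconds) so behaviour is deterministic."""
    block_seconds: int = 60
    trusted_ips: Set[str] = field(default_factory=set)
    blocked_until: Dict[str, float] = field(default_factory=dict)    # ip -> release time
    released: List[Tuple[str, float]] = field(default_factory=list)  # (ip, release time)

    def on_violation(self, src_ip: str, now: float) -> bool:
        """Called as the followed action of a security violation.
        Returns True if a block was applied; trusted IPs are exempt."""
        if src_ip in self.trusted_ips:
            return False
        # A repeated violation restarts the window rather than stacking blocks.
        self.blocked_until[src_ip] = now + self.block_seconds
        return True

    def is_blocked(self, src_ip: str, now: float) -> bool:
        """Gateway-side check before forwarding a request from src_ip."""
        self._expire(now)
        return src_ip in self.blocked_until

    def release(self, src_ip: str, now: float) -> bool:
        """Manual release, as done from Main > Monitor > Blocked Sources."""
        if self.blocked_until.pop(src_ip, None) is None:
            return False
        self.released.append((src_ip, now))
        return True

    def currently_blocked(self, now: float) -> List[str]:
        self._expire(now)
        return sorted(self.blocked_until)

    def recently_released(self) -> List[str]:
        return [ip for ip, _ in self.released]

    def _expire(self, now: float) -> None:
        """Move blocks whose window has elapsed to the released list."""
        for ip, until in list(self.blocked_until.items()):
            if until <= now:
                del self.blocked_until[ip]
                self.released.append((ip, until))


if __name__ == "__main__":
    # Constructed addresses: one student desktop and one trusted admin host.
    bs = BlockedSources(block_seconds=60, trusted_ips={"192.168.110.1"})
    bs.on_violation("192.168.110.50", now=0.0)
    bs.on_violation("192.168.110.1", now=0.0)
    for t in (0.0, 30.0, 60.0):
        print(f"t={t:>4}: blocked={bs.currently_blocked(t)} released={bs.recently_released()}")
```

The trusted-IP exemption is the detail to check first when a block seems not to take effect: a source on that list generates the alert and triggers the followed action, yet is never added to the blocked list.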
Lab 8 ‐ Profiling
Objectives
The goal of this Lab is to understand how our profiling and the associated security mechanism work.
TASK LIST
Task # Task Description
1 View an application profile:
1. Open the Imperva GUI.
2. Go to Main> Profile> Overview
3. Expand the Site tree and select the Default Web Application under the SuperVeda
Webserver.
4. On the left panel, click on "URLs (List View)". All URLs learned so far are displayed in this
view.
Questions
Q1: In Lab 2, we asked you to access the URL http://192.168.VLAN.100/cmd.exe. Was the URL /cmd.exe profiled? Why?
_____________________________________________________________________________________
Q2: What is the URL for the login page of the SuperVeda shop?
_____________________________________________________________________________________
Q3: How many parameters were profiled on this URL? What are the names and Value Types of the
parameters learned?
Parameter name __________________________________
Value type __________________________________
TASK LIST
Task # Task Description
1 Manually change an application profile
1. Set the login.jsp page to "Protect" mode
a. Right‐click on the site's authentication URL login.jsp
b. In the context menu, click on "Switch to Protect"
It is now possible to change the profile information of the URL
2. Change the Parameter values for the field password
a. Click on the link under Value Type for the parameter password
b. Uncheck all special characters
c. In the "Primary Value Type" select Latin Characters
e. Save by clicking
4. Generate a profile violation
a. Go to the home page of the SuperVeda server: http://192.168.<VLAN>.110
b. Connect with the following account:
Username: bobby Password: “twenty_one”
Questions
Q1: Is access possible?
_________________________________________________________________________
Q2: Why?
___________________________________________________________________________________
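This task switches /login.jsp to Protect mode and narrows the password parameter to Latin characters with every special character unchecked, so that the login bobby / "twenty_one" no longer fits the profile. The following Python model is added here and is not SecureSphere code; it shows the positive security model behind the lab: nothing is flagged while a URL is in Learn mode, and in Protect mode each parameter value is checked against its learned value type after discarding any special characters the profile explicitly allows. The value-type table, the username parameter's type and the violation names are assumptions modelled on the lab's terminology.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Value types are assumptions for this example; the lab itself only names
# "Latin Characters" and the special-character checkboxes.
VALUE_TYPE_PATTERNS = {
    "Latin Characters": re.compile(r"[A-Za-z]+"),
    "Numeric": re.compile(r"[0-9]+"),
    "Alphanumeric": re.compile(r"[A-Za-z0-9]+"),
}


@dataclass
class ParameterProfile:
    name: str
    primary_value_type: str
    allowed_special_chars: Set[str] = field(default_factory=set)   # the checkboxes


@dataclass
class UrlProfile:
    url: str
    mode: str                                # "Learn" or "Protect"
    parameters: Dict[str, ParameterProfile]


def value_conforms(p: ParameterProfile, value: str) -> bool:
    """True when the value matches the learned type once explicitly allowed
    special characters are removed. An empty value is not a type violation."""
    stripped = "".join(ch for ch in value if ch not in p.allowed_special_chars)
    if stripped == "":
        return True
    return VALUE_TYPE_PATTERNS[p.primary_value_type].fullmatch(stripped) is not None


def check_request(profile: UrlProfile, params: Dict[str, str]) -> List[str]:
    """Return the profile violations a request to this URL would raise."""
    if profile.mode != "Protect":
        return []            # Learn mode: observations refine the profile, nothing is flagged
    violations: List[str] = []
    for name, value in params.items():
        p = profile.parameters.get(name)
        if p is None:
            violations.append(f"Unknown Parameter '{name}'")
        elif not value_conforms(p, value):
            violations.append(f"Parameter Type Violation on '{name}'")
    return violations


def login_profile(mode: str = "Learn") -> UrlProfile:
    """The /login.jsp profile as set in this lab: password restricted to Latin
    characters with no special characters. The username type is an assumption."""
    return UrlProfile("/login.jsp", mode, {
        "username": ParameterProfile("username", "Latin Characters"),
        "password": ParameterProfile("password", "Latin Characters"),
    })


if __name__ == "__main__":
    attempt = {"username": "bobby", "password": "twenty_one"}
    for mode in ("Learn", "Protect"):
        print(mode, check_request(login_profile(mode), attempt))
```

The underscore in "twenty_one" is what trips the check: it is neither a Latin character nor an allowed special character, while bugsb / carrots passes untouched.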
TASK LIST
Task # Task Description
2 Review the violation
1. Open the Imperva GUI
2. Go to Main> Monitor > Alerts
3. Filter alerts with the By User Name Filter (Equals “bobby”)
4. Find the triggered violation
TASK LIST
Task # Task Description
3 Optional: Clone and modify the Default Profile Policy
1. Open the Imperva GUI.
2. Navigate to Main > Policies > Security
3. Apply a filter to display only Web Profile Policies (By Type – Application Level – Web Profile)
4. Create a new profile policy based on the Web Profile Default Policy
a) Click on
b) Select Web Application and name it Custom - Web Profile Policy
c) Select Use existing and choose Web Profile Policy
5. Edit the cloned policy to block (and not alert) when a parameter type violation is detected
6. Apply the policy and perform the Login from Task 1.4 again
Questions
Q1: What happens?
______________________________________________________
Lab 9 ‐ User Tracking
Objectives
The goal of this Lab is to configure the User Tracking feature of SecureSphere. With this function,
SecureSphere learns the username of an application user and shows it in the logs.
TASK LIST
Task # Task Description
1 Determine the authentication mechanisms of the website
1. Open the SecureSphere Web Interface.
2. Perform a failed login in SuperVeda
a. Open SuperVeda and enter a fake login / password (trigger a failed login)
b. Click on "Sign In"
Question
Q1: What error message appears on the screen and is returned by the web shop?
_____________________________________________________________
TASK LIST
Task # Task Description
2 Configure User Tracking
1. Open the SecureSphere Web Interface
2. Go to Main> Profile> Overview
3. In the site tree, select the "Default Web Application" under the http Service of the SuperVeda
Server group:
4. Select the User Tracking feature on the left panel
5. The login URL has normally been profiled automatically. If this is not the case, configure it
manually:
a. Click on the symbol on the central frame
b. In the "Action URL" field, enter the following values:
c. Click on Create
6. Configure the method (right panel)
a. In the drop‐down bar, select "Active"
b. Delete the type discovered and add a new decision rule
c. click on and type in the following:
d. Save your changes by clicking on
TASK LIST
Task # Task Description
3 Test the User tracking feature
1. Trigger a security violation as a web shop user
a) Browse to the SuperVeda Webshop
b) Log in as a user (log out and log in again if you are still in a session)
c) Perform a simple XSS attack on the search field
d) Enter the following string in search:
<script>alert(document.cookie);</script>
2. Review the Alert in SecureSphere, it should look like this:
Question
Q4: Is the Username and Session ID correctly displayed?
_________________________________________________________________________
Lab 10 - Reporting
TASK LIST
Task # Task Description
1 Creating an annual report on alerts:
1. Go to – Main – Reports – Manage Reports
2. Create a new Report of type “Alerts”
a) Provide a name and create from scratch
3. Select and Configure the new report
a) General Details:
i. Leave as Default
Data Scope:
Enable Field “Last Few Days” and set to: “Last: 365 days”
Tabular:
Disable Tabular View
Data Analysis Views:
Enable and Configure “Data Analysis View 1”
Title: Top 10 Server Group Distribution
Chart Type: Pie
X-Axis: Server Group
Y-Axis: Num. of Events
Enable and Configure “Data Analysis View 2”
Title: Top 10 events by Alert Name
Chart Type: Pie
X-Axis: Alert Name
Y-Axis: Num. of events
Enable and Configure “Data Analysis View 3”
Title: Top 10 Source IPs
Chart Type: Pie
X-Axis: Source IP
Y-Axis: Num. of events
SecureSphere Lab Guide
Copyright © 2016 Imperva. All rights reserved. 47
TASK LIST
Task # Task Description
Enable and Configure “Data Analysis View 4”
Title: Distribution of events by Severity
Chart Type: Pie
X-Axis: Severity
Y-Axis: Num. of events
Disable “Data Analysis View 5”
SecureSphere Lab Guide
Copyright © 2016 Imperva. All rights reserved. 48
TASK LIST
Task # Task Description
b) Scheduling:
i. Leave as Default
Results:
No changes possible
Permissions:
Leave as Default
Save the new report by clicking on
Task 2: Creating a weekly report on system events
1. Go to Main – Reports – Manage Reports
2. Create a new report of type "System Events"
a) Provide a name and create it from scratch
3. Select and configure the new report
a) General Details:
i. Leave as default
b) Data Scope:
i. Enable the field "Last Few Days" and set it to "Last: 7 days"
c) Tabular:
i. Disable Tabular View
d) Data Analysis Views:
i. Enable and configure "Data Analysis View 1"
1. Title: Number of System Events by Subsystem
2. Chart Type: Pie
3. X-Axis: Subsystem
4. Y-Axis: Occurrences
ii. Disable the other Data Analysis Views (2 to 5)
e) Scheduling:
i. Leave as default
f) Results:
i. No changes possible
g) Permissions:
i. Leave as default
4. Save the new report
Task 3: Creating a weekly report on User system events
1. Go to Main – Reports – Manage Reports
2. Create a new report of type "System Events"
a) Provide a name and use the existing report from above (Task 2) as the template
3. Select and configure the new report
a) General Details:
i. Leave as default
b) Data Scope:
i. Last Few Days:
1. Last: 7
ii. Subsystem:
1. Selected: User
c) Tabular:
i. Enable Tabular View
ii. Add the following columns:
1. Severity
2. Message
3. Create time
iii. Configure sorting:
1. Severity – Ascending
2. Message – Ascending
d) Data Analysis Views:
i. Disable all Data Analysis Views
e) Scheduling:
i. Leave as default
f) Results:
i. No changes possible
g) Permissions:
i. Leave as default
4. Save the new report
Task 3a: Creating a system event policy for user X
Example: send a message to the SIEM (syslog) when the super-user "admin" logs in:
1. Go to Main – Policies – System Events
2. Create a new System Event Policy of type "User logged in"
3. Define the policy details
a) Matching Text Segment: User admin logged in
4. Define the followed action
a) Followed Action: "LAB - Send System Event to syslog" (*)
b) Send to SOM: no
(*) If no suitable Followed Action for system events is available, create one as follows:
1. Go to Main – Policies – System Events
2. Create a new Action Set
a) Provide a name and apply it to events of type "System Events"
3. Configure the new Action Set:
a) Select the Action Interface:
"Server System Log > Log system event to System Log (syslog) using the CEF standard"
b) Syslog Host: IP of your workstation (Kiwi)
c) Syslog Log Level: INFO
d) Facility: KERN
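The action set above sends one CEF line per system event to the syslog host, and the policy fires on the text segment "User admin logged in". The following Python script is an added example, not part of the Imperva lab guide: it parses CEF-formatted syslog lines the way a receiver such as Kiwi or Splunk would store them, checks the <PRI> prefix that Facility KERN and Level INFO produce, and applies the lab's text-segment match to find the admin logins. The sample lines are constructed for this example; the vendor/product strings, signature IDs and extension keys in them are assumptions and are not copied from a real SecureSphere appliance, and the substring match over the event name and msg field is an assumption about how the "Matching Text Segment" behaves.

```python
"""Added example (not from the lab guide): consume CEF syslog lines and replay the
Task 3a policy ("User admin logged in") against them."""
import re
from dataclasses import dataclass, field

# RFC 5424 facility and severity numbers; the lab selects Facility KERN, Level INFO.
FACILITY = {"KERN": 0, "USER": 1, "AUTH": 4, "LOCAL0": 16}
SEVERITY = {"EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3,
            "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7}


def syslog_pri(facility: str, level: str) -> int:
    """PRI = facility * 8 + severity; it is the number inside the <N> line prefix."""
    return FACILITY[facility] * 8 + SEVERITY[level]


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: dict = field(default_factory=dict)


# One CEF header field: escaped characters or non-'|' characters, up to an unescaped '|'.
_HEADER_FIELD = re.compile(r"((?:\\.|[^|\\])*)\|")
# One extension pair: key=value, where the value runs until the next " key=" or end of line.
_EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|\s*$)")


def _unescape(value: str) -> str:
    # CEF escapes '|' and '\' in the header and '=', '\' and line breaks in extensions.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> CefEvent:
    """Parse '<PRI>... CEF:Version|Vendor|Product|DevVersion|SigID|Name|Severity|ext'."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    body, pos, header = line[start + 4:], 0, []
    for _ in range(7):
        m = _HEADER_FIELD.match(body, pos)
        if m is None:
            raise ValueError("truncated CEF header")
        header.append(_unescape(m.group(1)))
        pos = m.end()
    ext = {k: _unescape(v) for k, v in _EXT_PAIR.findall(body[pos:])}
    return CefEvent(*header, extension=ext)


def matches_text_segment(event: CefEvent, segment: str) -> bool:
    """The policy's 'Matching Text Segment' modelled as a plain substring test over the
    event name and its msg extension (assumption: the guide does not say which fields
    SecureSphere searches)."""
    return segment in event.name + " " + event.extension.get("msg", "")


# Constructed sample lines (assumed vendor/product/signature values), as the
# workstation's syslog receiver would store them.
SAMPLE_LINES = [
    "<6>Nov  1 10:15:02 mx CEF:0|Imperva Inc.|SecureSphere|11.5|100|System Event|3|"
    "cat=User suser=admin src=10.255.0.100 msg=User admin logged in",
    "<6>Nov  1 10:15:40 mx CEF:0|Imperva Inc.|SecureSphere|11.5|100|System Event|3|"
    "cat=User suser=jdoe src=10.255.0.21 msg=User jdoe logged in",
    "<6>Nov  1 10:16:11 mx CEF:0|Imperva Inc.|SecureSphere|11.5|101|System Event|5|"
    "cat=User suser=admin src=10.255.0.100 msg=User admin login failed reason\\=bad password",
]


def admin_logins(lines, segment="User admin logged in"):
    """Return (source IP, msg) for every line the Task 3a policy would have fired on."""
    hits = []
    for line in lines:
        ev = parse_cef(line)
        if matches_text_segment(ev, segment):
            hits.append((ev.extension.get("src"), ev.extension["msg"]))
    return hits


if __name__ == "__main__":
    print("expected line prefix for KERN/INFO:", f"<{syslog_pri('KERN', 'INFO')}>")
    for src, msg in admin_logins(SAMPLE_LINES):
        print(f"policy hit from {src}: {msg}")
```

Run it as a script to see the single policy hit (the failed login and the other user's login are left alone). Two things worth carrying over to the real setup: the <6> prefix is what to expect in the receiver when KERN/INFO is configured, and syslog over UDP is neither authenticated nor encrypted, so the Kiwi/Splunk host should only accept these events from the MX address.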
Task 4 (optional): Creating a report on specific violations
1. Go to Main – Reports – Manage Reports
2. Create a new report of type "Alerts"
a) Provide a name and use the existing report from above (Task 1) as the template
3. Select and configure the new report
a) General Details:
i. Leave as default
b) Data Scope:
i. Last Few Days:
1. Last: 365
ii. Violations:
1. Parameter Value Length Violation
2. Parameter Type Violation
3. Unknown Parameter
4. Required Parameter Not Found
c) Tabular:
i. Enable Tabular View
ii. Add the following columns:
1. Alert Name
2. Alert Description
3. Num. of Events
4. URL
iii. Configure sorting:
1. Alert Name – Ascending
2. Num. of Events – Descending
d) Data Analysis Views:
i. Leave all Data Analysis Views as copied from the template
e) Scheduling:
i. Leave as default
f) Results:
i. No changes possible
g) Permissions:
i. Leave as default
4. Save the new report!
Results – How to Test/Demo the Use-cases
The following steps allow you to demo the use-case scenarios described in this lab guide:
Reports
For the reports (Tasks 1, 2, 3 and 4), run each report and view the results.
Run Report:
o Run now: Main – Reports – Manage Reports, General Details tab, Action menu
o Scheduled: Scheduling tab
View Report:
o Open/Download after "Run now"
o Main – Reports – Manage Reports -> Results tab of the individual report definitions/templates
o Main – Reports – View Results
System Event Policy
For the system event policy (Task 3a), do the following:
Log in to the MX GUI as admin one or more times
Log in to UDS Splunk as admin/password (or to Kiwi on the UDS server)
In Splunk, define a search filter: host="10.255.0.100"
Verify the result:
Appendix
Report Examples
Annual_Alerts_Report
Weekly_System_Events_Report
Weekly_USER_System_Events_Report
Specific_Violations_Report