
Imperva WAF

Lab Guide
Practical Lab for SecureSphere V11.5

Version: 3.01 – Nov 01, 2016


SecureSphere Lab Guide

Index:

Introduction ............................................................ 2
Lab 1 - Site Objects ................................................... 5
Lab 2 - Alerts and violations .......................................... 11
Lab 3 - Blocking ....................................................... 16
Lab 4 - Signatures ..................................................... 19
Lab 5 - Policies ....................................................... 22
Lab 6 - System Events .................................................. 27
Lab 7 - Followed Actions ............................................... 31
Lab 8 - Profiling ...................................................... 35
Lab 9 - User Tracking .................................................. 40
Lab 10 - Reporting ..................................................... 43
Appendix ............................................................... 61

Copyright © 2016 Imperva. All rights reserved. 2


Introduction
This lab workbook guides you through exercises that demonstrate essential functions of the Imperva
WAF solution.

“Lab in a box” - Environment

The “Lab in a box” environment consists of several VMs that can be used to demo different scenarios. For
this lab the SecureSphere V11.5 Onebox and SuperVeda 2010 are used. There are 4 separate VLANs
(110, 120, 130 and 140), and each VLAN has its own resources. On your table you will find information
about which VLAN has been assigned to you.

Resources
- UDS - SecureSphere 11.5 - IP: 192.168.VLAN.100 (admin port 8083)
- UDS - SuperVeda2010 MS SQL (vulnerable web application) - IP: 192.168.VLAN.110

Login information
Use the following credentials to log in to the different machines and services in the lab-in-a-box
environment.

SecureSphere Web GUI Login

From the client, connect to SecureSphere using Firefox, IE or Chrome.
- User: admin
- Password: Webco123

SecureSphere Credentials

Console
- Username: root
- Password: Root123

- Username: secure
- Password: Webco123

SSH
- Username: udsimperva
- Password: Webco123

Remote Agents / Gateway
- Username: imperva
- Password: Webco123

SuperVeda

OS Login
- User: administrator
- Password: Secure123!

Site: http://10.255.VLAN.110:8080
- Login: bugsb
- Password: carrots

Site: http://10.255.VLAN.110:8080/admin
- Login: admin
- Password: system

Lab 1 – Attacks & Site Objects


Objectives
The goal of this lab is to understand the lab setup and the demo VMs, and to identify the resources to be
protected.
SuperVeda is the web server used in the different labs; its web service listens on port 80.
An Imperva WAF configured in bridge mode protects the web server.

Questions
Q1: Check that the web server SuperVeda is accessible from the desktop
(http://192.168.VLAN.110; make sure you adjust the IP to the network that has been
assigned to you).

_____________________________________________________________________________

Q2: What will be the IP of the Web server to be configured on the Imperva-platform?

_____________________________________________________________________________

Q3: What will be the listening port of the Web server to be configured in the Imperva GUI?

_____________________________________________________________________________

Task List - Basic SQL Attack

Task 1: Understanding non-configured resources

1. With a web browser, go to this address: http://192.168.VLAN.110

2. Click on “Sign In”

3. As Username, enter
'or 1=1 --
(There are 2 dashes at the end of the command).

4. Click on “Sign In”


5. Confirm that the SQL injection attack succeeds and allows you to log in. If you click
on “My Account”, the window should be similar to the following:

6. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083; log in
with the credentials provided at the beginning of this document.

7. Go to Main> Monitor> Alerts

Questions

Q4: Do you see information on the SQL Injection attack you just made?

Yes [ ]  No [ ]


Q5: What is the explanation for this behavior?

_____________________________________________________________________________________

You can find this document on the desktop of your student PC in PDF format. If you
want, you can copy and paste commands that are difficult to type (such as the SQL injection
strings) from the document into the GUI.

Task List - Configure SuperVeda objects in the Imperva GUI

Task 1: Configure SuperVeda

1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083
2. Go to Main / Setup / Sites
3. In the tree, create the site "Training Imperva"
4. Create a Server Group for the SuperVeda website:
a) Right-click the site "Training Imperva" to bring up the context menu
b) Click on "Create Server Group"
c) Name the server group "Server Group SuperVeda"
d) Click on "Create". In the "Sites Tree", click on the new Server Group and select the
"Definitions" tab on the central panel

Questions

Q6: What is the "Operation" mode of the server group?

_____________________________________________________________________________________

Q7: With this setup, would a Web-based attack be blocked by the WAF?

Yes [ ]  No [ ]

Q8: In this setup, would a Web-based attack generate alerts / violations on the WAF?

Yes [ ]  No [ ]

Task 1: Configure SuperVeda (cont’d)


5. In the Definitions tab, in the table "Protected IP Addresses", click on the add icon and
add the IP address of SuperVeda (192.168.VLAN.110)
6. Save the changes by clicking the save icon
7. Create a Web Service for the SuperVeda website (Main > Setup > Sites): in the "Sites
Tree", right-click on the Server Group to bring up the context menu.
8. Click on “Create service”
9. Name the service “Service-SuperVeda” and select HTTP Service in the drop-down list
(depending on the licenses of the SecureSphere demo environment, this list may vary):

10. Click on “Create”

11. In the "Sites Tree", click on the new service and select the "Definitions" tab in the
central panel
12. In the "HTTP Port" field, enter the value of the listening port of the SuperVeda server
(see question 3)
13. Save the changes by clicking the save icon
14. In the "Sites Tree", expand the new service using the icon next to the service.
15. Check that no Data Masking is enabled by default under Service / Operation / Data
Masking; if it is, remove it:

Questions

Q9: What is the name of the application that was created automatically?

_____________________________________________________________________________________

Lab 2 - Alerts and violations


Objectives

The goal of this lab is to understand alerts and violations in the WAF and to know how to interpret them.

Task 1: Generate a violation on the WAF


1. Using a web browser, go to the SuperVeda web server (192.168.VLAN.110)
2. Type the following string in the Username field of the "Sign In" page:
' or (2=2) --
3. Click on “Sign in”

Questions

Q1: Was the SQL Injection attack successful?

________________________________________________________________________

Q2: Why?

________________________________________________________________________

Task 2: Observe the triggered violation


1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083
2. Go to Main / Monitor / Alerts
3. Find the alert triggered by the SQL attack that you just made

Questions

Q3: Fill out this list:

Event Date: ___________________________

Server group concerned: ___________________________

Service concerned: ___________________________

Application concerned: ___________________________

URL concerned: ___________________________

Field parameter that triggered the violation: ___________________________

IP Source of the attack ___________________________

Task 3: Create a search filter to display only the alerts for your web server
1. Remove all filters that might exist by clicking the “clear” button

2. In the "Basic Filter" tab, select "By Server Group"


3. Check your server Group that you created before

4. Save your filter by clicking on "Save"


5. Name the filter "Filter Student ‘VLAN’ "
6. Click on “save”
7. Validate the successful creation of your filter by clicking on the tab "Saved Filters". Your
new filter should be included in the list of filters

Questions

Q4: What other filter could have been used to achieve a similar result?

_____________________________________________________________________________________

Task 4: Managing multiple relationships in the WAF


4. Using a web browser, go to the following address on the SuperVeda web server:
192.168.VLAN.110/cmd.exe
An error window similar to this one should appear:

5. Repeat the access to 192.168.VLAN.110/cmd.exe within a short period of time

6. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083
7. Go to Main > Monitor > Alerts
8. Filter alerts using the filter you created before
a. In the Filters panel, click the "Saved Filters" tab
b. Select your filter
9. Find the alerts triggered by the illegitimate access you just made

Questions

Q5: Complete the information below:

Number of alerts triggered: _____________________________

Description of the alert _____________________________

Signature which has triggered the alert: _____________________________

Dictionary name of the alert: _____________________________

IP Address of the attack: _____________________________

Q6: Find the alert triggered by the illegitimate accesses you just made and complete the information
below:
Number of aggregated violations in this alert: ____________________________

Aggregation factors: ____________________________

Lab 3 - Blocking

Objectives

Understand the “active” operation mode and create a custom error page.

Task 1: Change the operation mode of the server group


1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083
2. Go to Main / Setup / Sites
3. In the tree, select the server group you created before and select the “Definitions” tab
in the center panel.
4. Set the operation mode to “Active”

5. Save the change by clicking the save icon

Generate a violation on the WAF:


6. Using a Web browser, go to the SuperVeda Webserver (192.168.VLAN.110)
7. Type the following string in the Username field of the "Sign In" page:
' or (3=3) --
8. Click on “Sign in”

Questions

Q1: Is the SQL Injection attack blocked?

________________________________________________________________________
Q2: What is the associated incident number?

_________________________________________________________________________

Task 2: Monitor violations and triggered alerts

1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083
2. Go to Main > Monitor > Alerts
3. Find the previous triggered violation
a) In the Filters panel in the Quick Filter field, enter the incident number noted
above (do not insert a space before or after the number)

b) Click on the filter button

c) Click on apply

4. Filter alerts using the filter you created before


5. Find the alert triggered in the Lab

Questions

Q1: What is the incident number in the details of the violation used for?

_________________________________________________________________________

Q2: In the GUI, how can you differentiate between an attack that the WAF actually stopped (Active Mode)
and an attack that was detected but not blocked (Simulation Mode)?

_________________________________________________

Task 3: Change the default error page


1. Open the Imperva GUI.
2. Go to Main / Setup / Sites
3. In the Sites Tree, find the service you created previously
4. Expand Section “Error Page”
5. On the "Page", enter the following HTML: <html>customized error</html> instead of
the default code

6. Save the changes by clicking the save icon
7. Generate a new violation: using a web browser, go to the SuperVeda web server
(192.168.VLAN.110)
8. Type the following string in the Username field of the "Sign In" page:
' or (4=4) --
9. Click on “Sign in”
10. Observe the new error page returned

Lab 4 - Signatures

Objectives

Create a signature and apply it.

Task 1: Create a new dictionary signature


1. Open the Imperva GUI.
2. Go to Main / Setup / Signatures

On the left panel, click on the add symbol to add a new signature dictionary and select
"Create Manual Dictionary". The name of the dictionary is: Student <VLAN>

Dictionary Type: Web

3. Click on “Create”
4. Add a signature to the dictionary
a) Verify that the newly created dictionary is selected on the left panel
b) On the central panel, click on the add symbol to add a new signature
c) Signature Name: “Signature_Student <VLAN>” (where <VLAN> is your VLAN)
d) Signature: part="XXX"
e) Protocols: http
f) Search Signature In: Parameters

g) Click on “Create”
h) Save the changes by clicking the save icon

Create a new security policy


5. Go to Main > Policies > Security

6. Create a new security policy using the dictionary created before
a) On the central panel, click on the add symbol to add a new policy
b) Select “Web Application”
c) Name: Signature Policy Student <VLAN>
d) Select “From Scratch”
e) Type: “Web Application Signatures”
f) Click on Create

7. Configure the security policy

a) On the central panel, verify that the newly created policy is selected
b) On the right panel, in the "Policy Rules" tab, click on the add symbol and select
the new dictionary you just created
c) Check the box “Enabled”
d) Severity = High
e) Action = None
f) In the tab “Apply To”, select the Server Group “Training Imperva”
g) Save the changes by clicking the save icon

Test the security policy:

8. Using a Web browser, go to the SuperVeda Web server (192.168.VLAN.110)


9. Type the following string in the Username field of the "Sign In" page:
XXX

10. Click on “Sign in”

11. Open the Imperva GUI

12. Go to Main / Monitor / Alerts

13. Find the Alert of this signature violation

Lab 5 - Policies
In this lab a Web Service policy will be created that is triggered on a specific event.

Objectives

Create a basic policy and apply it to specific objects.

Task 1: Create a new Web Service policy
Task 2: Create a policy that is triggered on a certain event
Task 3: Test the policy
Task 4: Optional: Configure exceptions

Task 1: Create a new Web Service policy


1. Go to the home page of SuperVeda: http://192.168.VLAN.110/
2. Sign in with the following account:
Login: bugsb
Password: carrots
3. Click on "login"

Task 2: Create a policy that is triggered on a certain event


1. Open the Imperva GUI
2. Go to Main > Policies > Security
3. Create a new policy:
a) Click the add button to add the new policy
b) Select the type of policy: "Web Service"
c) Name it "Policy_Student X", where X is your student number
d) Select "From Scratch" and type: "Web Service Custom"
e) Click on "Create"
4. Configure the new policy
a) In the Match Criteria tab of the right frame, leave the severity level at "Medium"
b) In the Match Criteria tab of the right frame, make sure the box "Enabled" is checked

c) In the Match Criteria tab, select the following two criteria, "HTTP Request Method"
and "HTTP Request URL", by clicking on the green arrow to the left of each criterion:

5. Configure the match criterion "HTTP Request Method"
a. Expand the match criterion by clicking on the blue down arrow
b. Enter POST as the value and select "At Least One" as the Operation

6. Configure the match criterion "HTTP Request URL"
a) Expand the match criterion by clicking on the blue down arrow
b) Enter /performbuy.jsp as the value
c) Leave the "Match" field at "URL Prefix"
d) Leave the "Operation" field at "At Least One"
e) Apply the policy to the site object created earlier
f) Save the policy by clicking the save icon

Task 3: Test the policy


1. Go to the home page of SuperVeda: http://192.168.VLAN.110/

2. Sign in with the following account: bugsb / carrots
3. Add at least one product to your shopping cart and place an order
4. This will trigger the security policy and generate an alert. Since the policy is not set to
blocking, the request is passed on to the web server.
5. Open the SecureSphere GUI at https://192.168.VLAN.100 and navigate to Monitor >
Alerts
6. You should see a medium-severity security alert triggered by your custom policy:

7. Highlight the alert and inspect the security violation:

Lab 6 – System Events


Objectives

Create a basic policy and apply it to specific objects.

Task 1: Observe the default behavior of SecureSphere for a failed authentication
Task 2: Configure an “action set” to send events to a Syslog server
Task 3: Test the System Event policy and Action Set

Task 1: Observe the default behavior of SecureSphere for a failed authentication


1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083
2. Try to log in with your account and a wrong password
3. Log in with your correct credentials
4. Navigate to Main > Monitor > System Events
5. Type your username in the Quick Filter field:
6. Investigate the event

Question

Q1: What is the message of that event?

____________________________________________________

Q2: What is the severity of the event?

______________________________________________________

Task 2: Configure an “action set” to send events to a Syslog server

Install the Syslog Watcher server on your workstation. A free version is provided by your instructor.
Install it by accepting all the defaults during installation.
Under File / Setup / Inputs, add the IP of your SecureSphere so that it is allowed to send Syslog
(IP: 192.168.VLAN.100).

1. Open the Imperva GUI.


2. Navigate to Main > Policies > Action Sets
a) Click on the add symbol to add a new "Action Set"
b) Assign the name Syslog_Student <VLAN>
c) In the dropdown “Apply to event type”, select “Any Event type”
d) Click on "Create"
3. Configure the new "Action Set"
a) Select the "Server System Log > Log system event to System Log (syslog) using the CEF
standard" action interface by clicking on the green arrow on the left:
b) Configure the action interface:
c) Expand the criteria
d) Name the action interface Send to Syslog
e) In the Syslog Host field, enter the IP of the syslog server (in this case the IP of
your workstation!)
f) Check "Run on Every Event"

4. Create a new System Event policy


a) Navigate to Main > Policies > System Events
b) Click the Symbol and create a New Policy
c) Name the Policy Syslog Policy Student <VLAN>
d) Select from the dropdown list the type "Login Failed"

5. Add a Followed Action


a) Click on the Followed Action Tab and select your newly created Action Set from the List.

6. Save the changes

Task 3: Test the System Event policy and Action Set


1. Open the Imperva GUI.
2. Try to log in with your account and a wrong password
3. Go to the syslog server; you should see a Syslog message similar to this:
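As an added illustration of what the Syslog receiver has to do with such a message (example code written for this guide, not Imperva's), the parser below reads CEF records like the ones the action set from Task 2 forwards and counts Login Failed events per source. The sample syslog lines are constructed, and the extension keys used (rt, suser, src, msg) are standard CEF dictionary keys rather than a statement of SecureSphere's exact output.

```python
# Added example, not Imperva code: parse CEF syslog records such as those the
# "Log system event to System Log (syslog) using the CEF standard" action forwards,
# and count Login Failed events per source. The sample lines are constructed; the
# extension keys (rt, suser, src, msg) are standard CEF keys, not necessarily the
# exact keys SecureSphere emits.
import re
from collections import Counter

CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")

# Constructed sample: three failed logins for admin from one host, one for another
# account from a second host, one successful login, and one non-CEF syslog line.
SAMPLE_SYSLOG = """\
<134>Nov 01 10:00:01 securesphere CEF:0|Imperva|SecureSphere|11.5|Login Failed|Login Failed|5|rt=1477994401000 suser=admin src=192.0.2.10 msg=Login failed for user admin
<134>Nov 01 10:00:04 securesphere CEF:0|Imperva|SecureSphere|11.5|Login Failed|Login Failed|5|rt=1477994404000 suser=admin src=192.0.2.10 msg=Login failed for user admin
<134>Nov 01 10:00:07 securesphere CEF:0|Imperva|SecureSphere|11.5|Login Failed|Login Failed|5|rt=1477994407000 suser=admin src=192.0.2.10 msg=Login failed for user admin
<134>Nov 01 10:00:09 securesphere CEF:0|Imperva|SecureSphere|11.5|Login Failed|Login Failed|5|rt=1477994409000 suser=secure src=192.0.2.20 msg=Login failed for user secure
<134>Nov 01 10:00:15 securesphere CEF:0|Imperva|SecureSphere|11.5|Login|User Login|2|rt=1477994415000 suser=admin src=192.0.2.10 msg=Login succeeded
<134>Nov 01 10:00:16 securesphere cron[123]: (root) CMD (run-parts /etc/cron.hourly)
"""


def split_cef_header(text: str) -> list:
    """Split the 7 header fields on unescaped '|'; the remainder is the extension."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # '\|' or '\\' inside a header field
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return fields + [text[i:]]                  # 7 header fields + extension string


def parse_extension(ext: str) -> dict:
    """key=value pairs; values may contain spaces, so a new key starts at ' key='."""
    out = {}
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", ext):
        # CEF escapes '=' and '\' inside values as '\=' and '\\'
        out[m.group(1)] = m.group(2).replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_cef(line: str) -> dict:
    """Parse one syslog line carrying a CEF record; raise ValueError if malformed."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    parts = split_cef_header(line[start + len("CEF:"):])
    if len(parts) != 8:
        raise ValueError("CEF header does not have 7 fields")
    rec = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    rec["ext"] = parse_extension(parts[7])
    return rec


def failed_logins(lines, event_name="Login Failed") -> dict:
    """Count records named `event_name` per (source IP, user); non-CEF lines are skipped."""
    counts = Counter()
    for line in lines:
        try:
            rec = parse_cef(line)
        except ValueError:
            continue
        if rec["name"] == event_name:
            counts[(rec["ext"].get("src", "?"), rec["ext"].get("suser", "?"))] += 1
    return dict(counts)


def sources_over_threshold(lines, threshold=3) -> list:
    """Source IPs with at least `threshold` failed logins, sorted."""
    per_ip = Counter()
    for (src, _user), n in failed_logins(lines).items():
        per_ip[src] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    print(failed_logins(SAMPLE_SYSLOG.splitlines()))
    print(sources_over_threshold(SAMPLE_SYSLOG.splitlines()))
```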

Lab 7 – Followed Actions

Objectives

Learn to use the additional actions available in policy definitions.

Task 1: Create a Custom Action Set
Task 2: Set the Action Set as followed action in your custom policy
Task 3: Test the policy

Task 1: Create a Custom Action Set


1. Open the Imperva GUI
2. Navigate to Main > Policies > Action Sets
3. Create a new "Action Set" that will block an IP for 60 seconds
4. Click on the add symbol to add a new "Action Set":
a) Name it “BlockIP_Student <VLAN>”, where <VLAN> is your VLAN ID
b) In the drop-down list “Apply to event type”, select “Security Violations - All”
c) Click on "Create"
5. Configure the new Action Set
a) Select the "IP Block > Block an IP" action interface by clicking on the green arrow on
the left:
b) Configure the action interface:
c) Display the details of this action by clicking the + icon
d) Name the action interface “Block 60 seconds”

Question

Q1: Two Action Sets are available by default for blocking IP addresses during a time window. What are
these actions set?

_____________________________________________________________________________________

Q2: How long do these two Action Sets Block the IP?

_____________________________________________________________________________________

Q3: What are the values of the field "Trusted IPs"?

_____________________________________________________________________________________________

Task 2: Set the Action Set as followed action in your custom policy


1. Navigate to Main > Policies > Security and locate your custom policy Policy_StudentX.
To find your policy faster you can filter the policies: expand the Policy Origin
criterion, select User Defined and click Apply. Only user-defined policies are
displayed.

2. Select your custom Policy and configure a Followed Action in the Policy Details screen.
3. Extend the drop-down menu next to Followed Action and select the Action Set
BlockIP_Student <VLAN>

4. Save the Changes

Task 3: Test the policy


1. Go to the home page of SuperVeda: http://192.168.<VLAN>.110

2. Sign in with the following account: bugsb / carrots
3. Add at least one product to your shopping cart and place an order.
4. This will trigger the security policy and the followed action.

Questions

Q4: After performing the above, is the URL accessible?

__________________________________________________________________

Q5: If the URL is still accessible, why?

__________________________________________________________________

Imperva keeps a list of currently blocked and recently released sources; navigate to
Main > Monitor > Blocked Sources to access these lists. From here it is also possible to
release a blocked IP.
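The following Python model is added here and is neither Imperva's code nor part of the original guide. It ties together the objects built in Lab 4 (the dictionary signature), Lab 5 (the Web Service policy's two match criteria) and Lab 7 (the followed action blocking an IP for 60 seconds), and shows how a blocked source expires and how the action set's trusted IPs are exempted. The request traffic, IP addresses and the expiry semantics are assumptions of this toy model.

```python
# Added example, not Imperva code: a toy model of the objects built in Labs 4, 5 and 7
# (a manual dictionary signature, a custom Web Service policy with two match criteria,
# and a followed action that blocks the source IP for 60 seconds). Traffic is constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    src_ip: str
    method: str
    url: str
    params: dict  # parameter name -> value, e.g. the "Sign In" form fields

@dataclass
class Alert:
    policy: str
    severity: str
    src_ip: str
    detail: str

# Lab 4: dictionary "Student <VLAN>" with signature part="XXX", protocol http,
# searched in Parameters; the policy has severity High and action None (alert only).
def signature_policy(req: Request) -> Optional[Alert]:
    for name, value in req.params.items():
        if "XXX" in value:
            return Alert("Signature Policy Student <VLAN>", "High", req.src_ip,
                         f'signature part="XXX" matched in parameter "{name}"')
    return None

# Lab 5: "Web Service Custom" policy Policy_Student X. Both criteria must hold:
# HTTP Request Method is at least one of {POST}; HTTP Request URL has prefix /performbuy.jsp.
def web_service_policy(req: Request) -> Optional[Alert]:
    method_matches = req.method in {"POST"}              # Operation: At Least One
    url_matches = req.url.startswith("/performbuy.jsp")  # Match: URL Prefix
    if method_matches and url_matches:
        return Alert("Policy_Student X", "Medium", req.src_ip,
                     f"{req.method} {req.url} matched both criteria")
    return None

class BlockedSources:
    """Main > Monitor > Blocked Sources: blocked IPs with an expiry time (assumed semantics)."""

    def __init__(self, block_seconds: int = 60, trusted_ips=()):
        self.block_seconds = block_seconds
        self.trusted_ips = set(trusted_ips)  # the action set's "Trusted IPs" are never blocked
        self._until = {}                     # ip -> time at which the block expires

    def block(self, ip: str, now: float) -> bool:
        if ip in self.trusted_ips:
            return False
        self._until[ip] = now + self.block_seconds
        return True

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self._until.get(ip)
        if until is None:
            return False
        if now >= until:                     # block expired: released automatically
            del self._until[ip]
            return False
        return True

class Gateway:
    def __init__(self, blocked: BlockedSources):
        self.blocked = blocked
        self.alerts = []
        # (policy, followed action): Lab 7 attaches BlockIP_Student <VLAN> to the
        # custom Web Service policy; the signature policy keeps no followed action.
        self.policies = [(signature_policy, None), (web_service_policy, self.block_ip)]

    def block_ip(self, alert: Alert, now: float) -> None:
        self.blocked.block(alert.src_ip, now)

    def handle(self, req: Request, now: float) -> str:
        """Return "blocked" or "passed"; Action = None, so a matching request itself passes."""
        if self.blocked.is_blocked(req.src_ip, now):
            return "blocked"
        for policy, followed_action in self.policies:
            alert = policy(req)
            if alert is not None:
                self.alerts.append(alert)
                if followed_action is not None:
                    followed_action(alert, now)
        return "passed"

def demo() -> dict:
    """Student PC 192.0.2.10 signs in with XXX, then orders; 192.0.2.1 is a trusted IP."""
    gw = Gateway(BlockedSources(block_seconds=60, trusted_ips={"192.0.2.1"}))
    t0, r = 1_000_000.0, {}
    r["signin_xxx"] = gw.handle(Request("192.0.2.10", "POST", "/login.jsp",
                                        {"username": "XXX", "password": "x"}), t0)
    r["order"] = gw.handle(Request("192.0.2.10", "POST", "/performbuy.jsp", {"qty": "1"}), t0 + 1)
    r["after_order"] = gw.handle(Request("192.0.2.10", "GET", "/", {}), t0 + 2)
    r["trusted_order"] = gw.handle(Request("192.0.2.1", "POST", "/performbuy.jsp", {"qty": "1"}), t0 + 3)
    r["trusted_after"] = gw.handle(Request("192.0.2.1", "GET", "/", {}), t0 + 4)
    r["after_expiry"] = gw.handle(Request("192.0.2.10", "GET", "/", {}), t0 + 62)
    r["alerts"] = [(a.policy, a.severity) for a in gw.alerts]
    return r
```

Run demo() to see the sign-in with XXX raise only an alert, the order on /performbuy.jsp raise an alert and block the student PC, the trusted IP stay unblocked, and the block expire after 60 seconds.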

Lab 8 - Profiling

Objectives

The goal of this lab is to understand how profiling and the associated security mechanism work.

Task 1: View an application profile


1. Open the Imperva GUI.
2. Go to Main > Profile > Overview
3. Expand the site tree and select the Default Web Application under the SuperVeda
web server.
4. On the left panel, click on "URLs (List View)". All URLs learned so far are displayed in this
view.

Questions

Q1: In Lab 2, we asked you to access the URL http://192.168.VLAN.100/cmd.exe. Was the URL
/cmd.exe profiled? Why?

_____________________________________________________________________________________

Q2: What is the URL for the login page of the SuperVeda shop?

_____________________________________________________________________________________

Q3: How many parameters were profiled on this URL? What are the names and Value Types of the
parameters learned?

Parameter name __________________________________

Value type __________________________________

Task 1: Manually change an application profile


1. Set the login.jsp page to "Protect" mode
a. Right‐click on the site's authentication URL login.jsp
b. In the context menu, click on "Switch to Protect"

It is now possible to change the profile information of the URL

2. Change the Parameter values for the field password


a. Click on the link under Value Type for the parameter password
b. Uncheck all special characters
c. In the "Primary Value Type" select Latin Characters

e. Save by clicking the save icon
4. Generate a profile violation
a. Go to the home page of the SuperVeda server: http://192.168.<VLAN>.110
b. Connect with the following account:
Username: bobby   Password: “twenty_one”

Questions

Q1: Is access possible?

_________________________________________________________________________

Q2: Why?

___________________________________________________________________________________
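To make the profile violation from Task 1 concrete, here is an added Python model (not Imperva code) of learn mode versus Protect mode for a URL's parameters. The training logins are constructed, the special-character set is an assumption, and the manual change to the password parameter mirrors steps 1 and 2 above.

```python
# Added example, not Imperva code: a toy model of the Lab 8 profile. In learn mode a
# URL's parameters and their value types are learned from traffic; once the URL is
# switched to Protect, values outside the configured value types and allowed special
# characters raise a parameter type violation. Training logins and the SPECIAL set
# are constructed for this example; the real profile uses a per-character checklist.
import string

VALUE_TYPES = {"Latin Characters": set(string.ascii_letters), "Digits": set(string.digits)}
SPECIAL = set(string.punctuation + " ")


class ParameterProfile:
    """Learned value types plus the set of allowed special characters (the checkboxes)."""

    def __init__(self):
        self.value_types = set()
        self.special_chars = set()

    def learn(self, value: str) -> None:
        for name, chars in VALUE_TYPES.items():
            if any(c in chars for c in value):
                self.value_types.add(name)
        self.special_chars.update(c for c in value if c in SPECIAL)

    def check(self, name: str, value: str) -> list:
        """Return violation messages for a value against this parameter's profile."""
        allowed = set().union(*(VALUE_TYPES[t] for t in self.value_types)) | self.special_chars
        bad = sorted({c for c in value if c not in allowed})
        return [f"parameter '{name}': character {c!r} not allowed" for c in bad]


class UrlProfile:
    def __init__(self):
        self.mode = "Learn"          # "Learn" until switched to "Protect"
        self.params = {}             # parameter name -> ParameterProfile

    def switch_to_protect(self) -> None:
        self.mode = "Protect"

    def observe(self, params: dict) -> list:
        """Learn mode: absorb the request and report nothing. Protect mode: report violations."""
        violations = []
        for name, value in params.items():
            if self.mode == "Learn":
                self.params.setdefault(name, ParameterProfile()).learn(value)
            elif name not in self.params:
                violations.append(f"parameter '{name}': unknown parameter")
            else:
                violations.extend(self.params[name].check(name, value))
        return violations


class WebProfile:
    def __init__(self):
        self.urls = {}               # URL -> UrlProfile, like "URLs (List View)"

    def observe(self, url: str, params: dict) -> list:
        return self.urls.setdefault(url, UrlProfile()).observe(params)


def demo() -> dict:
    profile = WebProfile()
    # Constructed training traffic for login.jsp (three sign-ins seen in learn mode)
    for user, pw in [("bugsb", "carrots"), ("admin", "system"), ("tester", "pa55_word")]:
        profile.observe("/login.jsp", {"username": user, "password": pw})
    login = profile.urls["/login.jsp"]
    r = {"learned": {"value_types": set(login.params["password"].value_types),
                     "specials": set(login.params["password"].special_chars)}}
    # Task 1 step 1: switch login.jsp to Protect; step 2: uncheck all special characters
    # and set the primary value type of "password" to Latin Characters.
    login.switch_to_protect()
    login.params["password"].special_chars.clear()
    login.params["password"].value_types = {"Latin Characters"}
    # Step 4: bobby / twenty_one now raises a profile violation; bugsb / carrots does not.
    r["bobby"] = profile.observe("/login.jsp", {"username": "bobby", "password": "twenty_one"})
    r["bugsb"] = profile.observe("/login.jsp", {"username": "bugsb", "password": "carrots"})
    return r
```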

Task 2: Review the violation


1. Open the Imperva GUI
2. Go to Main> Monitor > Alerts
3. Filter alerts with the By User Name Filter (Equals “bobby”)

4. Find the triggered violation

Task 3: Optional: Clone and modify the Default Profile Policy


1. Open the Imperva GUI.
2. Navigate to Main > Policies > Security
3. Apply a filter to display only Web Profile policies (By Type – Application Level – Web Profile)
4. Create a new profile policy based on the default Web Profile Policy
a) Click on the add symbol
b) Select Web Application and name it Custom - Web Profile Policy
c) Select Use existing and choose Web Profile Policy

5. Edit the cloned policy to block (and not alert) when a parameter type violation is detected

6. Apply the policy and perform the login from Task 1.4 again

Questions

Q1: What happens?

______________________________________________________

Lab 9 ‐ User Tracking


Objectives

The goal of this Lab is to configure the User Tracking feature of SecureSphere. With this function,
SecureSphere learns the username of an application user and shows it in the logs.

Task 1: Determine the authentication mechanisms of the website


1. Open the SecureSphere Web Interface.
2. Perform a failed login in SuperVeda
a. Open SuperVeda and enter a fake login / password (to trigger a failed login)
b. Click on "Sign In"

Question

Q1: What is the error message that appears on the screen and is returned by the web shop?

_____________________________________________________________

Task 2: Configure User Tracking


1. Open the SecureSphere Web Interface
2. Go to Main > Profile > Overview
3. In the site tree, select the "Default Web Application" under the HTTP service of the SuperVeda
server group:

4. Select the User Tracking feature on the left panel

5. The login URL has normally been profiled automatically. If this is not the case, configure
it manually:
a. Click on the add symbol on the central frame
b. In the "Action URL" field, enter the following values:

c. Click on Create

6. Configure the method (right panel)
a. In the drop-down bar, select "Active"
b. Delete the discovered type and add a new decision rule
c. Click on the add symbol and type in the following:

d. Save your changes by clicking the save icon

Task 3: Test the User Tracking feature

1. Trigger a security violation as a web shop user
a) Browse to the SuperVeda web shop
b) Log in as a user (log out and log in again if you are still in a session)
c) Perform a simple XSS attack on the search field
d) Enter the following string in the search field:
<script>alert(document.cookie);</script>

2. Review the alert in SecureSphere; it should look like this:

Question

Q4: Are the Username and Session ID correctly displayed?

_________________________________________________________________________

Lab 10 - Reporting

Task 1: Creating an annual report on alerts


1. Go to Main > Reports > Manage Reports
2. Create a new report of type “Alerts”
a) Provide a name and create from scratch
3. Select and configure the new report
a) General Details:
i. Leave as Default

Data Scope:
Enable the field “Last Few Days” and set it to: “Last: 365 days”

Tabular:
Disable Tabular View

Data Analysis Views:

Enable and configure “Data Analysis View 1”
Title: Top 10 Server Group Distribution
Chart Type: Pie
X-Axis: Server Group
Y-Axis: Num. of Events

Copyright © 2016 Imperva. All rights reserved. 45


SecureSphere Lab Guide

TASK LIST

Task # Task Description

ii. Enable and Configure “Data Analysis View 2”


1. Title: Top 10 events by Alert Name
2. Chart Type: Pie
3. X-Axis: Alert Name
4. Y-Axis: Num. of events

Enable and Configure “Data Analysis View 3”


Title: Top 10 Source IPs
Chart Type: Pie
X-Axis: Source IP
Y-Axis: Num. of events

Copyright © 2016 Imperva. All rights reserved. 46


SecureSphere Lab Guide

TASK LIST

Task # Task Description

Enable and Configure “Data Analysis View 4”


Title: Distribution of events by Severity
Chart Type: Pie
X-Axis: Severity
Y-Axis: Num. of events

Disable “Data Analysis View 5”

Copyright © 2016 Imperva. All rights reserved. 47


SecureSphere Lab Guide

TASK LIST

Task # Task Description

b) Scheduling:
i. Leave as Default

Results:
No changes possible

Permissions:
Leave as Default

Save the new report by clicking on

2 Creating a weekly report on system events:

1. Go to Main – Reports – Manage Reports
2. Create a new report of type “System Events”
a) Provide a name and create from scratch

3. Select and configure the new report

a) General Details:
i. Leave as Default

b) Data Scope:
i. Enable the field “Last Few Days” and set it to: Last: 7

c) Tabular:
i. Disable Tabular View

d) Data Analysis Views:
i. Enable and configure “Data Analysis View 1”
1. Title: Number of System Events by Subsystem
2. Chart Type: Pie
3. X-Axis: Subsystem
4. Y-Axis: Occurrences
ii. Disable the other Data Analysis Views (2 to 5)

e) Scheduling:
i. Leave as Default

f) Results:
i. No changes possible

g) Permissions:
i. Leave as Default

4. Save the new report

3 Creating a weekly report on User system events:

1. Go to Main – Reports – Manage Reports
2. Create a new report of type “System Events”
a) Provide a name and use the existing report from above (task 2)

3. Select and configure the new report

a) General Details:
i. Leave as Default

b) Data Scope:
i. Last Few Days:
1. Last: 7
ii. Subsystem:
1. Selected: User

c) Tabular:
i. Enable Tabular View
ii. Add the following columns:
1. Severity
2. Message
3. Create time
iii. Configure Sorting:
1. Severity – Ascending
2. Message – Ascending

d) Data Analysis Views:
i. Disable all “Data Analysis Views”

e) Scheduling:
i. Leave as Default

f) Results:
i. No changes possible

g) Permissions:
i. Leave as Default

4. Save the new report

3a Creating a system event policy for user X

Example: Send a message to the SIEM (syslog) when the Super-User “admin” logs in:

1. Go to Main – Policies – System Events

2. Create a new System Event Policy of type “User logged in”

3. Define the Policy Details

a) Matching Text Segment: User admin logged in

4. Define the Followed Action

a) Followed Action: “LAB - Send System Event to syslog” (*)
b) Send to SOM: no

(*) In case there is no appropriate Followed Action for System Events available, follow the steps
below to create one:
1. Go to Main – Policies – System Events

2. Create a new Action Set

a) Provide a name and apply it to events of type “System Events”

3. Configure the new Action Set:

a) Select the Action Interface:
“Server System Log > Log system event to System Log (syslog) using the CEF
standard”
b) Syslog Host: IP of your workstation (Kiwi)
c) Syslog Log Level: INFO
d) Facility: KERN

4 OPTIONAL: Creating a report on specific violations:

1. Go to Main – Reports – Manage Reports

2. Create a new report of type “Alerts”
a) Provide a name and use the existing report from above (task 1)

3. Select and configure the new report

a) General Details:
i. Leave as Default

b) Data Scope:
i. Last Few Days
1. Last: 365
ii. Violations
1. Parameter Value Length Violation
2. Parameters Type Violation
3. Unknown Parameter
4. Required Parameter Not Found

c) Tabular:
i. Enable Tabular View
ii. Add the following columns:
1. Alert Name
2. Alert Description
3. Num. of Events
4. URL
iii. Configure Sorting:
1. Alert Name – Ascending
2. Num. of Events – Descending

d) Data Analysis Views:
i. Leave all Data Analysis Views as copied

e) Scheduling:
i. Leave as Default

f) Results:
i. No changes possible

g) Permissions:
i. Leave as Default

4. Save the new report!


Results – How to Test/Demo the Use-cases

The following steps allow you to demo the use-case scenarios described in this lab guide:

Reports
For the reports (Tasks 1, 2, 3 and 4), run each report and view the results:
• Run Report:
o Run now: Main - Reports - Manage Reports
- General Details tab
- Action menu
o Scheduled:
- Scheduling tab

• View Report:
o Open/Download after Run now
o Main - Reports - Manage Reports -> Results tab of the individual report definitions/templates
o Main - Reports - View Results

System Event Policy

For the system event policy (Task 3a), do the following:
• Log in to the MX GUI as admin one or more times
• Log in to UDS Splunk as admin/password (or to Kiwi on the UDS Server)
• In Splunk define a search filter: host=”10.255.0.100”
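As an added example (not part of this lab guide or of Imperva's software), the following Python script reproduces what Task 3a and the Splunk check above rely on: it parses CEF-formatted syslog lines, keeps only those from the MX host and applies the policy's "Matching Text Segment" to the event message. The sample lines are constructed, and their vendor, product and extension field names are assumptions, not captured SecureSphere output.

```python
import re
from typing import Dict, List, Optional

# Constructed sample syslog lines in CEF shape (vendor/product/extension values assumed).
SAMPLE_SYSLOG = """\
<14>Nov 01 10:02:11 10.255.0.100 CEF:0|Imperva|SecureSphere|11.5|User logged in|User logged in|Low|suser=admin msg=User admin logged in
<14>Nov 01 10:02:40 10.255.0.100 CEF:0|Imperva|SecureSphere|11.5|User logged in|User logged in|Low|suser=alice msg=User alice logged in
<14>Nov 01 10:03:05 10.255.0.100 CEF:0|Imperva|SecureSphere|11.5|User logged out|User logged out|Low|suser=admin msg=User admin logged out
<14>Nov 01 10:05:00 10.0.0.7 CEF:0|Imperva|SecureSphere|11.5|User logged in|User logged in|Low|suser=admin msg=User admin logged in
"""

CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")


def parse_cef(line: str) -> Optional[Dict[str, str]]:
    """Parse one syslog line carrying a CEF record; return None if it has none."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    # Syslog prefix "<PRI>Mon DD HH:MM:SS host": the last token is the sending host.
    prefix = line[:idx].split()
    host = prefix[-1] if prefix else ""
    # The seven CEF header fields are pipe-separated; a literal pipe is escaped as \|
    parts = re.split(r"(?<!\\)\|", line[idx + 4:], maxsplit=7)
    if len(parts) != 8:
        return None
    rec = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    rec["host"] = host
    # Extension: key=value pairs; values may contain spaces, so split only before a key.
    for kv in re.split(r"\s+(?=\w+=)", parts[7].strip()):
        key, _, value = kv.partition("=")
        if key:
            rec[key] = value
    return rec


def match_system_events(raw: str, host: str, text_segment: str) -> List[Dict[str, str]]:
    """Apply the Splunk host filter and the policy's Matching Text Segment to every line."""
    hits = []
    for line in raw.splitlines():
        rec = parse_cef(line)
        if rec and rec["host"] == host and text_segment in rec.get("msg", ""):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in match_system_events(SAMPLE_SYSLOG, "10.255.0.100", "User admin logged in"):
        print(hit["host"], hit["name"], hit["suser"], hit["msg"])
```

Of the four constructed lines only the first matches: the second is a different user, the third is a logout, and the fourth comes from a host the Splunk filter excludes.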

• Verify the result:

Appendix

Report Examples

Annual_Alerts_Report

Weekly_System_Events_Report

Weekly_USER_System_Events_Report

Specific_Violations_Report
