Task List

Imperva WAF
Lab Guide
Practical Lab for SecureSphere V11.5
Version: 3.01 – Nov 01, 2016
SecureSphere Lab Guide
Index:
Introduction ................................................................................................................................................ 2
Lab 1 - Site Objects ..................................................................................................................................... 5
Lab 2 - Alerts and violations ....................................................................................................................... 11
Lab 3 - Blocking ........................................................................................................................................ 16
Lab 4 - Signatures ..................................................................................................................................... 19
Lab 5 - Policies ......................................................................................................................................... 22
Lab 6 – System Events ............................................................................................................................... 27
Lab 7 – Followed Actions ............................................................................................................................ 31
Lab 8 ‐ Profiling ......................................................................................................................................... 35
Lab 9 ‐ User Tracking ................................................................................................................................ 40
Lab 10 - Reporting ..................................................................................................................................... 43
Appendix .................................................................................................................................................. 61
Copyright © 2016 Imperva. All rights reserved.
2
SecureSphere Lab Guide
Introduction
This lab workbook guides you through exercises that demonstrate essential functions of the Imperva WAF solution.
“Lab in a box” - Environment
The “Lab in a box” environment consists of several VMs that can be used to demo different scenarios. For this lab, the SecureSphere V11.5 Onebox and the SuperVeda 2010 are used. There are 4 separate VLANs (110, 120, 130 and 140), each with its own resources. On your table you will find information on which VLAN has been assigned to you.
Resources
- UDS - SecureSphere 11.5 – IP: 192.168.VLAN.100 (admin port 8083)
- UDS - SuperVeda2010 MS SQL (vulnerable web application) – IP: 192.168.VLAN.110
Login information
Use the following credentials to log in to the different machines & services in the lab in a box environment.
SecureSphere Web GUI Login
From the Client, connect to SecureSphere using Firefox, IE or Chrome.
- User: admin
- Password: Webco123
SecureSphere Credentials
Console
- Username: root
- Password: Root123
- Username: secure
- Password: Webco123
ssh
- Username: udsimperva
- Password: Webco123
Remote Agents / Gateway
- Username: imperva
- Password: Webco123
SuperVeda
OS Login
- User: administrator
- Password: Secure123!
Site: http://10.255.VLAN.110:8080
- Login: bugsb
- Password: carrots
Site: http://10.255.VLAN.110:8080/admin
- Login: admin
- Password: system
Lab 1 – Attacks & Site Objects
Objectives
The goal of this lab is to understand the lab setup and the demo VMs, and to identify the resources to be protected.
SuperVeda is the web server that will be used in different labs. Its web service listens on port 80.
An Imperva WAF is configured in bridge mode and will protect the web server.
Questions
Q1: Check that the web server SuperVeda is accessible from the desktop (http://192.168.VLAN.110 - make sure you adjust the IP to the network that has been assigned to you)
_____________________________________________________________________________
Q2: What will be the IP of the Web server to be configured on the Imperva-platform?
_____________________________________________________________________________
Q3: What will be the listening port of the Web server to be configured in the Imperva GUI?
_____________________________________________________________________________
Task List – Basic SQL Attack
Task 1: Understanding non-configured resources:
1. With a Web browser, go to this address: http://192.168.VLAN.110
2. Click on “Sign In”
3. As Username, enter: ' or 1=1 -- (there are two dashes at the end of the command).
4. Click on “Sign In”
5. Confirm that the SQL injection attack succeeds and allows you to log in. If you click on “My Account”, the window should be similar to the following:
6. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083; log in with the credentials provided at the beginning of this document.
7. Go to Main > Monitor > Alerts
Questions
Q4: Do you see information on the SQL Injection attack you just made?
Yes / No
Q5: What is the explanation for this behavior?
_____________________________________________________________________________________
You can find this document on the desktop of your student PC in PDF format. If you want, you can copy & paste difficult-to-type commands (like the SQL injection strings) from the document into the GUI.
Task List – Configure SuperVeda objects in the Imperva GUI
Task 1: Configure SuperVeda:
1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083
2. Go to Main / Setup / Sites
3. In the tree, create the site "Training Imperva"
4. Create a Server Group for the SuperVeda website:
a) Right-click on the site "Training Imperva" to bring up the context menu
b) Click on "Create Server Group"
c) Name the server group "Server Group SuperVeda"
d) Click on "Create". In the "Sites Tree", click on the new Server Group and select the "Definitions" tab on the central panel
Questions
Q6: What is the "Operation" mode of the server group?
_____________________________________________________________________________________
Q7: With this setup, would a Web-based attack be blocked by the WAF?
Yes / No
Q8: In this setup, would a Web-based attack generate alerts / violations on the WAF?
Yes / No
Configure SuperVeda (cont’d):
5. In the Definitions tab, in the table "Protected IP Addresses", click on the add icon and add the IP address of SuperVeda (192.168.VLAN.110)
6. Save the changes by clicking the save icon
7. Create a Web Service for the SuperVeda website (Main > Setup > Sites): In the "Sites Tree", right-click on the Server Group to bring up the context menu.
8. Click on “Create service”
9. Name the Service “Service-SuperVeda” and select HTTP Service in the drop-down list (depending on the licenses of the SecureSphere demo environment, this list may vary):
10. Click on “Create”
11. In the "Sites Tree", click on the new service and select the "Definitions" tab in the central panel
12. In the "HTTP Port" field, enter the value of the listening port of the SuperVeda server (see question 3)
13. Save the changes by clicking the save icon
14. In the "Sites Tree", expand the new service using the icon next to the service.
15. Check that no Data Masking is enabled by default under Service / Operation / Data Masking; if it is, please remove it:
Questions
Q9: What is the name of the application that was created automatically?
_____________________________________________________________________________________
Lab 2 - Alerts and violations
Objectives
The goal of this lab is to understand and know how to interpret alerts and violations in the WAF.
Task 1: Generate a violation on the WAF:
1. Using a Web browser, go to the following address of the web server SuperVeda (192.168.VLAN.110)
2. Type the following string in the Username field of the "Sign In" page: ' or (2=2) --
3. Click on “Sign in”
Questions
Q1: Was the SQL Injection attack successful?
________________________________________________________________________
Q2: Why?
________________________________________________________________________
Task 1: Observe the triggered violation:
1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083
2. Go to Main / Monitor / Alerts
3. Find the alert triggered by the SQL attack that you just made
Questions
Q3: Fill out this list:
Event Date: ___________________________
Server group concerned: ___________________________
Service concerned: ___________________________
Application concerned: ___________________________
URL concerned: ___________________________
Field parameter that triggered the violation: ___________________________
IP source of the attack: ___________________________
Task 1: Create a search filter to display only specific alerts for your Web server:
1. Remove all filters that might exist by clicking the “Clear” button
2. In the "Basic Filter" tab, select "By Server Group"
3. Check the server group that you created before
4. Save your filter by clicking on "Save"
5. Name the filter "Filter Student <VLAN>"
6. Click on “Save”
7. Validate the successful creation of your filter by clicking on the tab "Saved Filters". Your new filter should be included in the list of filters
Questions
Q4: What other filter could have been used to achieve a similar result?
_____________________________________________________________________________________
Task 1: Managing multiple relationships in the WAF:
4. Using a Web browser, go to the following address of the Web server SuperVeda: 192.168.VLAN.110/cmd.exe
An error window similar to this one should appear:
5. Repeat the access to 192.168.VLAN.110/cmd.exe within a short period of time
6. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083
7. Go to Main > Monitor > Alerts
8. Filter alerts using the filter you created before:
a. In the Filters panel, click the "Saved Filters" tab
b. Select your filter
9. Find the alerts triggered by the illegitimate access you just made
Questions
Q5: Complete the information below:
Number of alerts triggered: _____________________________
Description of the alert: _____________________________
Signature which has triggered the alert: _____________________________
Dictionary name of the alert: _____________________________
IP address of the attack: _____________________________
Q6: Find the alert triggered by this illegitimate access you just made and complete the information below:
Number of aggregated violations in this alert: ____________________________
Aggregation factors: ____________________________
Lab 3 - Blocking
Objectives
Understand the operation mode “active” and create a custom error page
Task 1: Change the operation mode of the server group:
1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083
2. Go to Main / Setup / Sites
3. In the tree, select the server group you created before and select the “Definitions” tab in the center panel.
4. Set the operation mode to “Active”
5. Save the change by clicking the save icon
Generate a violation on the WAF:
6. Using a Web browser, go to the SuperVeda Webserver (192.168.VLAN.110)
7. Type the following string in the Username field of the "Sign In" page: ' or (3=3) --
8. Click on “Sign in”
Questions
Q1: Is the SQL Injection attack blocked?
________________________________________________________________________
Q2: What is the associated incident number?
_________________________________________________________________________
Task 2: Monitor violations and triggered alerts:
1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083
2. Go to Main > Monitor > Alerts
3. Find the previously triggered violation:
a) In the Filters panel, in the Quick Filter field, enter the incident number noted above (do not insert a space before or after the number)
b) Click on the filter button
c) Click on Apply
4. Filter alerts using the filter you created before
5. Find the alert triggered in the Lab
Questions
Q1: What is the incident number in the details of the violation used for?
_________________________________________________________________________
Q2: How can you tell in the GUI whether the WAF actually stopped the attack (Active Mode) or only detected it without blocking (Simulation Mode)?
_________________________________________________
Task 3: Change the default error page:
1. Open the Imperva GUI.
2. Go to Main / Setup / Sites
3. In the Sites Tree, find the service you created previously
4. Expand the section “Error Page”
5. In the "Page" field, enter the following HTML instead of the default code: <html>customized error</html>
6. Save the changes by clicking the save icon
7. Generate a new violation: Using a Web browser, go to the following address of the web server SuperVeda (192.168.VLAN.110)
8. Type the following string in the Username field of the "Sign In" page: ' or (4=4) --
9. Click on “Sign in”
10. Observe the new error page returned
Lab 4 - Signatures
Objectives
Create a signature and apply it
Task 1: Create a new dictionary signature:
1. Open the Imperva GUI.
2. Go to Main / Setup / Signatures. On the left panel, click on the add symbol to add a new signature dictionary and select "Create Manual Dictionary". Name of the dictionary: Student <VLAN>; Dictionary Type: Web
3. Click on “Create”
4. Add a signature to the dictionary:
a) Verify that the newly created dictionary is selected on the left panel
b) On the central panel, click on the add symbol to add a new signature
c) Signature Name: “Signature_Student <VLAN>” (where <VLAN> is your VLAN ID)
d) Signature: part="XXX"
e) Protocols: http
f) Search Signature In: Parameters
g) Click on “Create”
h) Save the changes by clicking the save icon
Create a new security policy:
5. Go to Main > Policies > Security
6. Create a new security policy using the dictionary created before:
a) On the central panel, click on the add symbol to add a new policy
b) Select “Web Application”
c) Name: Signature Policy Student <VLAN>
d) Select “From Scratch”
e) Type: “Web Application Signatures”
f) Click on Create
7. Configure the security policy:
a) On the central panel, verify that the newly created policy is selected
b) On the right panel, in the "Policy Rules" tab, click on the add symbol and select the new dictionary you just created
c) Check the box “Enabled”
d) Severity = High
e) Action = None
f) In the tab “Apply To”, select the Server Group “Training Imperva”
g) Save the changes by clicking the save icon
Test the security policy:
8. Using a Web browser, go to the SuperVeda Web server (192.168.VLAN.110)
9. Type the following string in the Username field of the "Sign In" page: XXX
10. Click on “Sign in”
11. Open the Imperva GUI
12. Go to Main / Monitor / Alerts
13. Find the alert for this signature violation
Lab 5 - Policies
In this Lab a WebService policy will be created that gets triggered on a specific event.
Objectives
Create a basic policy and apply it to specific objects
Task 1: Create a new Web Service policy
Task 2: Creating a policy that gets triggered on a certain event
Task 3: Test the policy
Task 4: Optional: Configure Exceptions
Task 1: Create a new Web Service policy
1. Go to the home page of SuperVeda: http://192.168.VLAN.110/
2. Sign in with the following account: Login: bugsb / Password: carrots
3. Click on "login"
Task 2: Creating a policy that gets triggered on a certain event
1. Open the Imperva GUI
2. Go to Main > Policies > Security
3. Create a new policy:
a) Click the add button to add the new policy
b) Select the type of policy: "Web Service"
c) Name the policy "Policy_Student X" where X is your student number
d) Select "From Scratch" and type: "Web Service Custom"
e) Click on "Create"
4. Configure the new policy:
a) In the Match Criteria tab of the right frame, leave the level of severity at "Medium"
b) In the Match Criteria tab of the right frame, make sure the box "Enabled" is checked
c) In the Match Criteria tab, select the following two criteria: "HTTP Request Method" and "HTTP Request URL" by clicking on the green arrow to the left of each criterion:
5. Configure the match criterion "HTTP Request Method":
a. Expand the match criterion by clicking on the blue down arrow
b. Enter POST as value and select "At Least One" as Operation
6. Configure the match criterion "HTTP Request URL":
a) Expand the match criterion by clicking on the blue down arrow
b) Enter /performbuy.jsp as value
c) Leave the "Match" field at "URL Prefix"
d) Leave the "Operation" field at "At Least One"
e) Apply the policy to the site object created earlier
f) Save the policy by clicking the save icon
Task 3: Test the policy
1. Go to the home page of SuperVeda: http://192.168.VLAN.110/
2. Sign in with the following account: bugsb / carrots
3. Add at least one product to your shopping cart and place an order
4. This will trigger the security policy and generate an alert. Since the policy is not set to block, the request is passed on to the web server.
5. Open the SecureSphere GUI at https://192.168.VLAN.100 and navigate to Monitor > Alerts
6. You should see a medium security alert triggered by your custom policy:
7. Highlight the alert and inspect the security violation:
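To make the match-criteria semantics concrete, the following is an added example (not Imperva's code) that models the "Web Service Custom" policy built in Task 2: the criteria are combined with AND, each criterion's value list uses the "At Least One" operation, and the URL criterion uses "URL Prefix". The request model, the "Equals" match option and the sample requests are assumptions.

```python
"""Simplified model of a SecureSphere "Web Service Custom" policy.
Added example, not Imperva code: criteria are ANDed, each criterion's
values use "At Least One", and URL criteria may use "URL Prefix" or an
assumed "Equals" match. Action "None" means alert only: the request
still reaches the web server, as observed in the lab."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Criterion:
    name: str              # "HTTP Request Method" or "HTTP Request URL"
    values: List[str]      # Operation "At Least One": any listed value matches
    match: str = "Equals"  # for URLs: "URL Prefix" or "Equals" (assumed name)


@dataclass
class Request:             # constructed request model, not the appliance's
    method: str
    url: str
    src_ip: str


@dataclass
class Policy:
    name: str
    severity: str
    action: str            # "None" = alert only, "Block" = reject the request
    criteria: List[Criterion]
    enabled: bool = True


@dataclass
class Alert:
    policy: str
    severity: str
    blocked: bool
    src_ip: str
    url: str


def criterion_matches(crit: Criterion, req: Request) -> bool:
    """Evaluate one criterion with the "At Least One" operation."""
    if crit.name == "HTTP Request Method":
        return any(req.method.upper() == v.upper() for v in crit.values)
    if crit.name == "HTTP Request URL":
        path = req.url.split("?", 1)[0]   # the query string is not part of the URL match
        if crit.match == "URL Prefix":
            return any(path.startswith(v) for v in crit.values)
        return any(path == v for v in crit.values)
    raise ValueError(f"unsupported criterion {crit.name!r}")


def evaluate(policy: Policy, req: Request) -> Optional[Alert]:
    """Return an Alert when the policy is enabled and every criterion matches (AND)."""
    if not policy.enabled:
        return None
    if all(criterion_matches(c, req) for c in policy.criteria):
        return Alert(policy.name, policy.severity, policy.action == "Block",
                     req.src_ip, req.url)
    return None


# The policy configured in Task 2: a POST to a URL starting with /performbuy.jsp
LAB_POLICY = Policy(
    name="Policy_Student X",
    severity="Medium",
    action="None",
    criteria=[
        Criterion("HTTP Request Method", ["POST"]),
        Criterion("HTTP Request URL", ["/performbuy.jsp"], match="URL Prefix"),
    ],
)

if __name__ == "__main__":
    # constructed sample traffic: placing an order versus just browsing
    for req in (Request("POST", "/performbuy.jsp?item=42", "192.168.110.50"),
                Request("GET", "/performbuy.jsp", "192.168.110.50"),
                Request("POST", "/login.jsp", "192.168.110.50")):
        print(req.method, req.url, "->", evaluate(LAB_POLICY, req))
```

Note that a prefix match is broader than the literal path: any URL that begins with /performbuy.jsp, including one with further characters appended, satisfies the criterion.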
Lab 6 – System Events
Objectives
Create a basic policy and apply it to specific objects
Task 1: Observe the default behavior of SecureSphere for a failed authentication
Task 2: Configure an “action set” to send events to a Syslog server
Task 3: Test the System event policy and Action Set
Task 1: Observe the default behavior of SecureSphere for a failed authentication:
1. Open the Imperva GUI. The GUI is available at https://192.168.VLAN.100:8083
2. Try to log in with your account and a wrong password
3. Log in with your correct credentials
4. Navigate to Main > Monitor > System Events
5. Type your username in the Quick Filter field:
6. Investigate the event
Questions
Q1: What is the message of that event?
____________________________________________________
Q2: What is the severity of the event?
______________________________________________________
Task 2: Configure an “action set” to send events to a Syslog server
Install the Syslog Watcher server on your workstation. A free version is provided by your instructor. Install it by accepting all the defaults during installation.
Under File / Setup / Inputs, add the IP of your SecureSphere so it is allowed to send Syslog (IP: 192.168.VLAN.100)
1. Open the Imperva GUI.
2. Navigate to Main > Policies > Action Sets
a) Click on the add symbol to add a new "Action Set":
b) Assign the name Syslog_Student <VLAN>
c) In the dropdown “Apply to event type” select “Any Event type”:
d) Click on "Create"
3. Configure the new "Action Set":
a) Select the "Server System Log > Log system event to System Log (syslog) using the CEF standard" action interface by clicking on the green arrow on the left:
b) Configure the action interface:
c) Expand the criteria
d) Name the action interface Send to Syslog
e) In the Syslog Host field, enter the value corresponding to the syslog server IP (in this case the IP of your workstation!)
f) Check "Run on Every Event"
4. Create a new System Event policy:
a) Navigate to Main > Policies > System Events
b) Click the add symbol and create a new policy
c) Name the policy Syslog Policy Student <VLAN>
d) Select from the dropdown list the type "Login Failed"
5. Add a Followed Action:
a) Click on the Followed Action tab and select your newly created Action Set from the list.
6. Save the changes
Task 3: Test the System Event policy and Action Set:
1. Open the Imperva GUI.
2. Try to log in with your account and a wrong password
3. Go to the syslog server; you should see a Syslog message similar to this:
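As an added example that is not part of the lab guide, the snippet below parses CEF-formatted syslog lines like the ones the action set forwards and counts "Login Failed" events per user, so that a burst of failed logins stands out on the receiving side. The sample lines, the extension keys (suser, src, msg) and the signature IDs are constructed; only the CEF layout itself is standard.

```python
"""Parse CEF syslog lines and count failed logins per user.
Added example, not Imperva code. The sample lines are constructed and the
extension keys and signature IDs are assumptions about what an appliance
might send; only the CEF layout itself is standard:
CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension"""
import re
from typing import Dict, List, Tuple

# an extension key starts at the beginning of the extension or after whitespace
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def split_header(cef: str) -> Tuple[List[str], str]:
    """Return the 7 header fields and the raw extension.
    In the header a backslash escapes the next character, so '\\|' is a literal pipe."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # escaped character: keep it literally
            buf.append(cef[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, cef[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'key=value key=value' pairs; values may contain spaces,
    and '\\=', '\\n' and '\\\\' inside a value are escapes."""
    out: Dict[str, str] = {}
    keys = list(_EXT_KEY.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\")
    return out


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one syslog line; anything before 'CEF:' is the syslog transport prefix."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    hdr, ext = split_header(line[start:])
    return {
        "version": hdr[0][len("CEF:"):],
        "vendor": hdr[1], "product": hdr[2], "device_version": hdr[3],
        "signature_id": hdr[4], "name": hdr[5], "severity": hdr[6],
        "ext": parse_extension(ext),
    }


def failed_logins_by_user(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Count 'Login Failed' events per user and keep users at or above the threshold."""
    counts: Dict[str, int] = {}
    for line in lines:
        try:
            ev = parse_cef(line)
        except ValueError:
            continue                              # skip non-CEF noise arriving on the same port
        if ev["name"] != "Login Failed":
            continue
        user = ev["ext"].get("suser", "<unknown>")
        counts[user] = counts.get(user, 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


# Constructed sample syslog traffic (not captured from a real appliance)
SAMPLE_LINES = [
    "<13>Nov 01 10:15:02 securesphere CEF:0|Imperva Inc.|SecureSphere|11.5|LoginFailed|Login Failed|Medium|suser=admin src=192.168.110.50 msg=Login failed for user admin",
    "<13>Nov 01 10:15:04 securesphere CEF:0|Imperva Inc.|SecureSphere|11.5|LoginFailed|Login Failed|Medium|suser=admin src=192.168.110.50 msg=Login failed for user admin",
    "<13>Nov 01 10:15:05 securesphere CEF:0|Imperva Inc.|SecureSphere|11.5|LoginSucceeded|Login Succeeded|Low|suser=secure src=192.168.110.51",
    "<13>Nov 01 10:15:07 securesphere CEF:0|Imperva Inc.|SecureSphere|11.5|LoginFailed|Login Failed|Medium|suser=admin src=192.168.110.50 msg=Reason\\=bad password",
    "<13>Nov 01 10:15:09 securesphere not a CEF line at all",
]

if __name__ == "__main__":
    print(failed_logins_by_user(SAMPLE_LINES))   # {'admin': 3}
```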
Lab 7 – Followed Actions
Objectives
Learn to use the additional actions available in policy definitions
Task 1: Create a Custom Action Set
Task 2: Set the Action Set as followed Action in your custom policy
Task 3: Test the policy
Task 1: Create a Custom Action Set:
1. Open the Imperva GUI
2. Navigate to Main > Policies > Action Sets
3. Create a new "Action Set" that will block an IP for 60 seconds
4. Click on the add symbol to add a new "Action Set":
a) Name it “BlockIP_Student <VLAN>” where <VLAN> is your VLAN ID
b) In the drop-down list “Apply to event type” select the field “Security Violations - All”
c) Click on "Create"
5. Configure the new Action Set:
a) Select the "IP Block > Block an IP" action interface by clicking on the green arrow on the left:
b) Configure the action interface:
c) Display the details of this action by clicking the + icon
d) Name the action interface “Block 60 seconds”
Questions
Q1: Two Action Sets are available by default for blocking IP addresses during a time window. What are these Action Sets?
_____________________________________________________________________________________
Q2: How long do these two Action Sets Block the IP?
_____________________________________________________________________________________
Q3: What are the values of the field "Trusted IPs"?
_____________________________________________________________________________________________
Task 2: Set the Action Set as followed action in your custom policy:
1. Navigate to Main > Policies > Security and locate your custom policy Policy_StudentX. To find your policy faster you can filter the policies: expand the Policy Origin criteria, select User Defined and hit Apply. Only user-defined policies are displayed.
2. Select your custom policy and configure a Followed Action in the Policy Details screen.
3. Expand the drop-down menu next to Followed Action and select the Action Set BlockIP_Student <VLAN>
4. Save the changes
Task 3: Test the policy:
1. Go to the home page of SuperVeda: http://192.168.<VLAN>.110
2. Sign in with the following account: bugsb / carrots
3. Add at least one product to your shopping cart and place an order.
4. This will trigger the security policy and the followed action.
Questions
Q4: After performing the above, is the URL accessible?
__________________________________________________________________
Q5: If the URL is still accessible, why?
__________________________________________________________________
Imperva keeps a list of currently blocked and recently released sources; navigate to Main > Monitor > Blocked Sources to access these lists. From here it is also possible to release a blocked IP.
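The following added example (not Imperva's code) models the "Block an IP" followed action from Task 1 together with the Blocked Sources view: a security violation places the source IP on a block list for a fixed window, sources matching the action's "Trusted IPs" are never blocked, expired entries move to a recently-released list, and an entry can be released early. The 60-second window is the lab's; the trusted network and the injectable clock are assumptions made so the behaviour can be tested without waiting.

```python
"""Time-windowed source-IP block, modelled on the "IP Block > Block an IP"
followed action in this lab. Added example, not Imperva code; the trusted
network and the injectable clock are assumptions."""
import ipaddress
import time
from typing import Callable, Dict, Iterable, List


class IPBlockAction:
    def __init__(self, duration_s: int = 60, trusted_ips: Iterable[str] = (),
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.duration_s = duration_s
        # "Trusted IPs": sources that must never be blocked (single IPs or CIDR ranges)
        self.trusted = [ipaddress.ip_network(t, strict=False) for t in trusted_ips]
        self.clock = clock
        self._blocked: Dict[str, float] = {}    # source IP -> expiry time
        self._released: List[str] = []          # recently released sources, oldest first

    def is_trusted(self, src_ip: str) -> bool:
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.trusted)

    def on_violation(self, src_ip: str) -> bool:
        """Followed action for a security violation. Returns True if the source is now blocked."""
        if self.is_trusted(src_ip):
            return False                        # a trusted source keeps reaching the URL
        self._blocked[src_ip] = self.clock() + self.duration_s   # a repeat hit re-arms the window
        return True

    def _expire(self) -> None:
        """Move entries whose window has elapsed to the released list."""
        now = self.clock()
        for ip, expiry in list(self._blocked.items()):
            if expiry <= now:
                del self._blocked[ip]
                self._released.append(ip)

    def is_blocked(self, src_ip: str) -> bool:
        """Checked for every request: traffic from a blocked source is dropped."""
        self._expire()
        return src_ip in self._blocked

    def release(self, src_ip: str) -> bool:
        """Manual release, like the Blocked Sources screen. Returns True if it was blocked."""
        self._expire()
        if src_ip not in self._blocked:
            return False
        del self._blocked[src_ip]
        self._released.append(src_ip)
        return True

    def blocked_sources(self) -> Dict[str, float]:
        """Currently blocked sources with the seconds remaining in their window."""
        self._expire()
        now = self.clock()
        return {ip: round(expiry - now, 1) for ip, expiry in self._blocked.items()}

    def recently_released(self) -> List[str]:
        self._expire()
        return list(self._released)


if __name__ == "__main__":
    # constructed values: the trusted range stands in for the lab's "Trusted IPs" field
    action = IPBlockAction(duration_s=60, trusted_ips=["192.168.110.0/24"])
    action.on_violation("10.0.0.5")           # e.g. the order POST from the test task
    action.on_violation("192.168.110.7")      # trusted source: never blocked
    print(action.blocked_sources())
    print(action.recently_released())
```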
Lab 8 ‐ Profiling
Objectives
The goal of this Lab is to understand how our profiling and the associated security mechanism work.
Task 1: View an application profile:
1. Open the Imperva GUI.
2. Go to Main > Profile > Overview
3. Expand the site tree and select the Default Web Application under the SuperVeda web server.
4. On the left panel, click on "URLs (List View)". All URLs learned so far are displayed in this view.
Questions
Q1: In Lab 2, we asked you to access the URL http://192.168.VLAN.100/cmd.exe. Was the URL /cmd.exe profiled? Why?
_____________________________________________________________________________________
Q2: What is the URL for the login page of the SuperVeda shop?
_____________________________________________________________________________________
Q3: How many parameters were profiled on this URL? What are the names and value types of the parameters learned?
Parameter name: __________________________________
Value type: __________________________________
Task 1: Manually change an application profile
1. Set the login.jsp page to "Protect" mode:
a. Right-click on the site's authentication URL login.jsp
b. In the context menu, click on "Switch to Protect"
It is now possible to change the profile information of the URL.
2. Change the parameter values for the field password:
a. Click on the link under Value Type for the parameter password
b. Uncheck all special characters
c. In the "Primary Value Type" select Latin Characters
e. Save by clicking the save icon
4. Generate a profile violation:
a. Go to the home page of the SuperVeda server: http://192.168.<VLAN>.110
b. Connect with the following account: Username: bobby / Password: twenty_one
Questions
Q1: Is access possible?
_________________________________________________________________________
Q2: Why?
___________________________________________________________________________________
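As an added example that is not part of the lab guide, the code below models the profile edit made in Task 1: login.jsp is in Protect mode and the password parameter allows only Latin characters with no special characters, so a password such as twenty_one raises a parameter type violation while carrots conforms. The value-type character classes, the violation names and the username parameter's type are assumptions.

```python
"""Positive-security parameter check modelled on the learned profile edited in
this lab. Added example, not Imperva code: the value-type character classes,
the violation names and the username parameter's type are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Primary value types a profile can learn (assumed character classes)
VALUE_TYPES = {
    "Latin Characters": re.compile(r"[A-Za-z]*"),
    "Numeric": re.compile(r"[0-9]*"),
    "Latin Characters and Numeric": re.compile(r"[A-Za-z0-9]*"),
}


@dataclass
class ParameterProfile:
    name: str
    primary_type: str
    special_chars: Set[str] = field(default_factory=set)   # extra characters ticked in the profile
    required: bool = False
    max_length: Optional[int] = None


@dataclass
class URLProfile:
    url: str
    mode: str                                  # "Learn" or "Protect"
    parameters: Dict[str, ParameterProfile]


def check_request(profile: URLProfile, params: Dict[str, str]) -> List[str]:
    """Return violation descriptions for a request to the profiled URL (empty = conforms)."""
    violations: List[str] = []
    if profile.mode != "Protect":
        return violations                      # in Learn mode new values extend the profile instead
    for name, value in params.items():
        prm = profile.parameters.get(name)
        if prm is None:
            violations.append(f"Unknown Parameter: {name}")
            continue
        if prm.max_length is not None and len(value) > prm.max_length:
            violations.append(f"Parameter Value Length Violation: {name}")
        pattern = VALUE_TYPES[prm.primary_type]
        # characters that are neither in the primary type nor among the allowed special characters
        unexpected = sorted({ch for ch in value
                             if ch not in prm.special_chars and pattern.fullmatch(ch) is None})
        if unexpected:
            violations.append(f"Parameter Type Violation: {name} (unexpected {''.join(unexpected)!r})")
    for name, prm in profile.parameters.items():
        if prm.required and name not in params:
            violations.append(f"Required Parameter Not Found: {name}")
    return violations


# login.jsp after the edit in Task 1: password = Latin characters only, no special characters
LOGIN_PROFILE = URLProfile("/login.jsp", "Protect", {
    "username": ParameterProfile("username", "Latin Characters and Numeric", required=True),
    "password": ParameterProfile("password", "Latin Characters", special_chars=set(), required=True),
})

if __name__ == "__main__":
    print(check_request(LOGIN_PROFILE, {"username": "bugsb", "password": "carrots"}))      # []
    print(check_request(LOGIN_PROFILE, {"username": "bobby", "password": "twenty_one"}))   # underscore flagged
```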
Task 2: Review the violation
1. Open the Imperva GUI
2. Go to Main > Monitor > Alerts
3. Filter alerts with the "By User Name" filter (Equals “bobby”)
4. Find the triggered violation
Task 3: Optional: Clone and modify the Default Profile Policy
1. Open the Imperva GUI.
2. Navigate to Main > Policies > Security
3. Apply a filter to display only Web Profile policies (By Type – Application Level – Web Profile)
4. Create a new profile policy based on the Web Profile default policy:
a) Click on the add symbol
b) Select Web Application and name it Custom - Web Profile Policy
c) Select Use existing and choose Web Profile Policy
5. Edit the cloned policy to block (and not alert) when a parameter type violation is detected
6. Apply the policy and perform the login from Task 1.4 again
Questions
Q1: What happens?
______________________________________________________
Lab 9 ‐ User Tracking
Objectives
The goal of this Lab is to configure the User Tracking feature of SecureSphere. With this function,
SecureSphere learns the username of an application user and shows it in the logs.
Task 1: Determine the authentication mechanisms of the website
1. Open the SecureSphere Web Interface.
2. Perform a failed login in SuperVeda:
a. Open SuperVeda and enter a fake login / password (trigger a failed login)
b. Click on "Sign In"
Question
Q1: What is the error message that appears on the screen, as returned by the web shop?
_____________________________________________________________
Task 3: Configure User Tracking
1. Open the SecureSphere Web Interface
2. Go to Main > Profile > Overview
3. In the site tree, select the "Default Web Application" under the HTTP service of the SuperVeda server group:
4. Select the User Tracking feature on the left panel
5. The login URL has normally been profiled automatically. If this is not the case, configure it manually:
a. Click on the add symbol on the central frame
b. In the "Action URL" field, enter the following values:
c. Click on Create
6. Configure the method (right panel):
a. In the drop-down bar, select "Active"
b. Delete the discovered type and add a new decision rule
c. Click on the add icon and type in the following:
d. Save your changes by clicking the save icon
Task 3: Test the User Tracking feature
1. Trigger a security violation as a web shop user:
a) Browse to the SuperVeda web shop
b) Log in as a user (log out and log in again if you are still in a session)
c) Perform a simple XSS attack on the search field
d) Enter the following string in search: <script>alert(document.cookie);</script>
2. Review the alert in SecureSphere; it should look like this:
Question
Q4: Are the username and session ID correctly displayed?
_________________________________________________________________________
Lab 10 - Reporting
Task 1: Creating an annual report on alerts:
1. Go to Main – Reports – Manage Reports
2. Create a new report of type “Alerts”
a) Provide a name and create from scratch
3. Select and configure the new report:
a) General Details:
i. Leave as Default
b) Data Scope:
i. Enable the field “Last Few Days” and set it to: “Last: 365 days”
c) Tabular:
i. Disable Tabular View
d) Data Analysis Views:
i. Enable and configure “Data Analysis View 1”
1. Title: Top 10 Server Group Distribution
2. Chart Type: Pie
3. X-Axis: Server Group
4. Y-Axis: Num. of Events
ii. Enable and configure “Data Analysis View 2”
1. Title: Top 10 events by Alert Name
2. Chart Type: Pie
3. X-Axis: Alert Name
4. Y-Axis: Num. of events
iii. Enable and configure “Data Analysis View 3”
1. Title: Top 10 Source IPs
2. Chart Type: Pie
3. X-Axis: Source IP
4. Y-Axis: Num. of events
iv. Enable and Configure “Data Analysis View 4”
1. Title: Distribution of events by Severity
2. Chart Type: Pie
3. X-Axis: Severity
4. Y-Axis: Num. of events
v. Disable “Data Analysis View 5”
e) Scheduling:
i. Leave as Default
f) Results:
i. No changes possible
g) Permissions:
i. Leave as Default
4. Save the new report by clicking on
Task 2: Creating a weekly report on system events:
1. Go to Main – Reports – Manage Reports
2. Create a new Report of type “System Events”
a) Provide a name and create from scratch
3. Select and Configure the new report
a) General Details:
i. Leave as Default
b) Data Scope:
i. Enable Field “Last Few Days” and set to: “Last: 7”
c) Tabular:
i. Disable Tabular View
d) Data Analysis Views:
i. Enable and Configure “Data Analysis View 1”
1. Title: Number of System Events by Subsystem
2. Chart Type: Pie
3. X-Axis: Subsystem
4. Y-Axis: Occurrences
ii. Disable the other Data Analysis Views (2 to 5)
e) Scheduling:
i. Leave as Default
f) Results:
i. No changes possible
g) Permissions:
i. Leave as Default
4. Save the new report
Task 3: Creating a weekly report on User system events:
1. Go to Main – Reports – Manage Reports
2. Create a new Report of type “System Events”
a) Provide a name and use the existing report from task 2 above
3. Select and Configure the new report
a) General Details:
i. Leave as Default
b) Data Scope:
i. Last Few Days:
1. Last: 7
ii. Subsystem:
1. Selected: User
c) Tabular:
i. Enable Tabular View
ii. Add the following columns:
1. Severity
2. Message
3. Create time
iii. Configure Sorting:
1. Severity – Ascending
2. Message – Ascending
d) Data Analysis Views:
i. Disable all “Data Analysis Views”
e) Scheduling:
i. Leave as Default
f) Results:
i. No changes possible
g) Permissions:
i. Leave as Default
4. Save the new report
Task 3a: Creating a system event policy for user X
Example: Send message to SIEM (syslog) when the Super-User “admin” logs in:
1. Go to Main – Policies – System Events
2. Create a new System Event Policy of Type “User logged in”
3. Define the Policy Details
a) Matching Text Segment: User admin logged in
4. Define the Followed Action
a) Followed Action: “LAB - Send System Event to syslog” (*)
b) Send to SOM: no
(*) In case there is no appropriate Followed Action for System Events available, follow the steps below to create one:
1. Go to Main – Policies – System Events
2. Create a new Action Set
a) Provide a name and apply it to events of type “System Events”
3. Configure the new Action Set:
a) Select the Action Interface: “Server System Log > Log system event to System Log (syslog) using the CEF standard”
b) Syslog Host: IP of your workstation (Kiwi)
c) Syslog Log Level: INFO
d) Facility: KERN
Task 4 (OPTIONAL): Creating a report on specific violations:
1. Go to Main – Reports – Manage Reports
2. Create a new Report of type “Alerts”
a) Provide a name and use the existing report from task 1 above
3. Select and Configure the new report
a) General Details:
i. Leave as Default
b) Data Scope:
i. Last Few Days
1. Last: 365
ii. Violations
1. Parameter Value Length Violation
2. Parameters Type Violation
3. Unknown Parameter
4. Required Parameter Not Found
c) Tabular:
i. Enable Tabular View
ii. Add the following columns:
1. Alert Name
2. Alert Description
3. Num. of Events
4. URL
iii. Configure Sorting:
1. Alert Name – Ascending
2. Num. of Events – Descending
d) Data Analysis Views:
i. Leave all Data Analysis Views as copied
e) Scheduling:
i. Leave as Default
f) Results:
i. No changes possible
g) Permissions:
i. Leave as Default
4. Save the new report!
Results – How to Test/Demo the Use-cases
The following steps allow you to demo the use-case scenarios described in this lab guide:
Reports
For the reports (Tasks 1, 2, 3, and 4) – run each report and view the results
• Run Report:
o Run now: Main - Reports - Manage Reports -> General Details Tab -> Action Menu
o Scheduled: Scheduling Tab
• View Report:
o Open/Download after Run now
o Main - Reports - Manage Reports -> Results Tab of individual report definitions/templates
o Main - Reports - View Results
System Event Policy
For the system event policy (Task 3a) – do the following:
• Login to MX GUI as admin one or more times
• Login to UDS Splunk as admin/password (or to Kiwi on UDS Server)
• In Splunk define a search filter: host="10.255.0.100"
• Verify the result:
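The following is an added example, not part of the Imperva lab guide or the SecureSphere product, that reproduces the check above offline: it parses constructed BSD-syslog lines carrying a CEF payload (as the Task 3a Action Set would emit with Facility KERN and Log Level INFO), decodes the syslog PRI into facility and severity, and then applies the same host filter (host=10.255.0.100) and the policy's Matching Text Segment ("User admin logged in"). The CEF header values and the msg/src extension keys in the sample lines are assumptions, not SecureSphere's actual output.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not real SecureSphere output). PRI <6> is
# facility KERN (0) * 8 + severity INFO (6), the Action Set settings from Task 3a;
# the CEF header values and extension keys (msg, src) are assumptions.
SAMPLE_SYSLOG = [
    "<6>Nov 01 09:12:03 10.255.0.100 CEF:0|Imperva|SecureSphere|11.5|SysEvent|"
    "User logged in|3|msg=User admin logged in src=10.255.0.50",
    "<6>Nov 01 09:15:44 10.255.0.100 CEF:0|Imperva|SecureSphere|11.5|SysEvent|"
    "User logged in|3|msg=User labuser logged in src=10.255.0.51",
    "<6>Nov 01 09:20:10 10.255.0.200 CEF:0|Imperva|SecureSphere|11.5|SysEvent|"
    "User logged in|3|msg=User admin logged in src=10.255.0.52",
    "<14>Nov 01 09:21:00 10.255.0.100 cron[42]: not a CEF line at all",
]
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>\w{3} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<body>.*)$")
EXT_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")  # key=value pairs; values may contain spaces

@dataclass
class CefEvent:
    host: str       # syslog hostname: the MX (10.255.0.100 in the lab)
    facility: int   # decoded from PRI, 0 = KERN
    severity: int   # decoded from PRI, 6 = INFO
    product: str
    name: str       # CEF Name field, here the system event type
    ext: dict       # CEF extension key/value pairs

def parse_syslog_cef(line: str):
    """Return a CefEvent for a BSD-syslog line carrying a CEF payload, else None."""
    m = SYSLOG_RE.match(line)
    if not m or not m.group("body").startswith("CEF:"):
        return None
    pri = int(m.group("pri"))
    # Seven header fields then the extension; a literal '|' in a header field is escaped as '\|'.
    parts = re.split(r"(?<!\\)\|", m.group("body")[4:], maxsplit=7)
    if len(parts) != 8:
        return None
    _ver, _vendor, product, _dev_ver, _sig, name, _sev, ext = parts
    return CefEvent(m.group("host"), pri // 8, pri % 8, product, name, dict(EXT_RE.findall(ext)))

def find_admin_logins(lines, mx_host="10.255.0.100", match_text="User admin logged in"):
    """Apply the lab's Splunk filter (host=10.255.0.100) plus the policy's Matching
    Text Segment; returns the events a SIEM alert rule would fire on."""
    hits = []
    for line in lines:
        ev = parse_syslog_cef(line)
        if ev and ev.host == mx_host and match_text in ev.ext.get("msg", ""):
            hits.append(ev)
    return hits
```

Of the four constructed lines only the first survives both filters: the second is a different user, the third comes from a different host, and the fourth is not CEF at all.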
Appendix
Report Examples
Annual_Alerts_Report
Weekly_System_Events_Report
Weekly_USER_System_Events_Report
Specific_Violations_Report