Imperva Cyber Community

Expand all | Collapse all

Incaprules for bots

Jump to Best Answer
  • 1.  Incaprules for bots

    Posted 10-28-2020 16:09
    Hello people, I need create a incaprule to detect malicius traffic that incapsula is passing trought WAF. Explain better, I´m looking requests from clients and all are passing the captcha test and later the request is malicius ( reputation IP and other OSINT are reporting as bad). I need support to develop a new custom incarule to detect this kind of traffic.

    I´ve implemented different rules:
    If: ClientType == VulnerabilityScanner;DDoSBot;ClickBot;CommentSpamBot;HackingTool;SpamBot;Worm;MaskingProxy
    If: NumberOfUserAgents > 2
    If: NumOnSession > 40 & Rate > {get-page-ip;20} & ClientType != Browser;SearchBot;SiteHelper

    Could someone ideas to detect bots? Now are in alert mode, I´m thinking to set cookie support,could be a good idea?

    Thanks!
    Rafa

    #CloudWAF(formerlyIncapsula)

    ------------------------------
    rafael lopez martinez
    evolutio
    madrid
    ------------------------------


  • 2.  RE: Incaprules for bots

    Community Manager
    Posted 10-28-2020 16:39
    @rafael lopez martinez,

    While we wait for someone that might be able to answer this more specifically, here are a few things that could help:

    Five Real-World Cloud WAF Rules - Community Webinar​ - In this webinar @Kunal Anand goes through an in depth look at Imperva's Cloud WAF Rules. He showed how customers can address specific real-world problems with the diverse set of Cloud WAF Rules available today. Kunal covers unique Cloud WAF's unique predicates with a live web application and API.

    Security Rule Use Case Examples - Block malicious clients Similar to the default Block Bad Bots security setting but more aggressive. Also talks about Anti-scraper engine - CAPTCHA for bots

    Cloud WAF Onboarding (Previously Incapusla) - Several FAQ's at the bottom for Cloud WAF Rules. 

    I hope this helps!


    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------



  • 3.  RE: Incaprules for bots
    Best Answer

    Imperva Employee
    Posted 10-28-2020 19:22
    Hi Rafa, 

    Imperva CWAF have various solutions with different modeling that provides coverage for a different type of risks to your site, for example 
    - WAF is a True Negative model that will block known malicious request 
    - API security is a True Positive model that will allow only request matching the API spec 

    But when it comes to OWASP Automated Threats to Web Applications the client classification is only a part of a solution that needs to be combined with different modeling like rate limiting, hidden challenges. The challenges can be progressively made difficult on the condition and filter usage.  The features, rules, and action can be based on specific use cases coverage, ability to parse data to model risk, ability to work with Imperva SOC that has many advanced filters, and experience for many use cases. 

    For example, IncapRules will only parse requests and not payload responses to verify the action from origin whereas  ATO can model action based on response data and provide mitigation based on severity easily without rules needs like incaprule. 
     
    Advanced bot protection is also a great solution for preventing automation and scope to specific resources for controlling business risks. Scope the High-Value Target (HVT) paths as selectors in the ABP for the Site Group, Create a policy that mimics the default policy named after the use case, enable the managed conditions in that policy assigned to the use case selector, and fine-tune to avoid any false positives.  

    So if you can share your use case and issue and subscription for your account, specific guidance can be provided based on the scenario, client and coverage needed


  • 4.  RE: Incaprules for bots

    Posted 10-29-2020 09:11
    Hi abhishek,

    indeed the Advanced Bot Protection module is great, but it's very advanced. You need to thoroughly understand the network, your traffic. I got an opportunity to try this module but it started blocking the legitimate traffic. So, incaprules is much better.

    ------------------------------
    Nikhil Chodankar
    Prudential Services Asia
    ------------------------------



  • 5.  RE: Incaprules for bots

    Imperva Employee
    Posted 10-30-2020 11:29
    Hi Nikhil,

    Thanks for your feedback. May I suggest
    -  Start testing rules on staging first
    -  Reach out to your Account team for proper self training or hands on paid training programs
    -  Review docs for ABP

    If you have any questions the awesome community is here. 


    ------------------------------
    Abhishek Gupta
    Customer Success team
    Imperva
    ------------------------------