Imperva Cyber Community

  • 1.  nmap and port scanning

    Posted 03-30-2021 04:56
    Hi,
    I'd like to know if it is possible to block port scanning with the WAF. If someone tries to do an nmap on a closed port, I'd like to see an alert on that.

    Regards
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Zuliani
    ------------------------------


  • 2.  RE: nmap and port scanning

    Posted 04-07-2021 02:44
    Hi @Francesco Zuliani,

    We don't have a policy blocking nmap out of the box,
    but you can create a custom policy to achieve the same result.
    Make sure you test it before moving to blocking to avoid false positives.
    Best,

    ------------------------------
    Ira Miga
    Imperva
    Knowledge Engineer
    ------------------------------



  • 3.  RE: nmap and port scanning

    Posted 04-07-2021 04:03
    Hi Ira,
    Thanks for your reply.
    My problem is that when I tried to create a policy, even a simple one based just on source IP, a SYN scan doesn't pop up any alert; on the other hand, if I run some nmap scripts making actual HTTP requests, I see the alert.

    Regards,

    ------------------------------
    Zuliani
    ------------------------------



  • 4.  RE: nmap and port scanning
    Best Answer

    Posted 04-08-2021 07:23
    Hi,

    Speaking from my own point of view, we expect a Web Application Firewall to protect against web service/application attacks. And it does its job, by letting you see the alert if you run scripts to emulate attacks by making actual HTTP requests.

    My idea is, if you are looking for a tool which, in general, generates an alert "if someone try to do an nmap on a closed port", it does not sound like you are looking for a "WAF".


    Moreover, talking about the Imperva On-premise WAF in bridge mode, for the protection to take effect you need to specify in advance the target server IPs and HTTP/S ports that you would like to be protected by the WAF gateway. That makes the WAF focus on what it is designed to protect, that is, the ports on which you are providing web service to clients.

    While in KRP mode, if you have all your incoming traffic routed to the WAF (e.g. by a firewall NAT rule to map a public IP to the WAF VIP), the WAF will drop all incoming traffic at ports which you have not configured in the Sites tree. Those blind scans won't pass through the WAF, but I believe there is no alert that can be configured for the blind port scans either.

    Thanks.

    ------------------------------
    Louis Tsoi
    Technical Specialist
    Cyberforce Limited
    Kowloon
    ------------------------------
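
Because a SYN scan never turns into an HTTP request, an alert on it has to come from whatever device logs the dropped packets. The sketch below is an added example, not part of the thread and not Imperva functionality: it flags sources whose dropped SYNs hit many distinct ports in a short window. The simplified drop-log format, the sample lines, the function names and the window/threshold values are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

# Assumed, simplified drop-log format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\d+) DROP SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$"
)

def make_sample_log():
    """Constructed sample lines using documentation IP ranges, not real traffic."""
    fmt = "{} DROP SRC={} DST=192.0.2.10 PROTO=TCP SPT={} DPT={} FLAGS={}"
    lines = []
    for i, port in enumerate(range(20, 35)):   # one source, 15 closed ports, 15 s
        lines.append(fmt.format(1000 + i, "203.0.113.7", 40000 + i, port, "SYN"))
    for i in range(12):                        # client retrying one closed port
        lines.append(fmt.format(1000 + i, "198.51.100.4", 50000 + i, 8443, "SYN"))
    lines.append(fmt.format(1005, "198.51.100.9", 443, 51000, "ACK"))  # not a SYN
    lines.append("1006 garbled line")          # unparsable, must be skipped
    return lines

def detect_scans(lines, window=60, min_ports=10):
    """Return {src: sorted ports} for sources whose dropped SYNs reached at
    least min_ports distinct ports on one destination within window seconds."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["flags"] == "SYN":
            events.append((int(m["ts"]), m["src"], m["dst"], int(m["dpt"])))
    recent = defaultdict(deque)                # (src, dst) -> (ts, port) in window
    alerts = {}
    for ts, src, dst, port in sorted(events):
        q = recent[(src, dst)]
        q.append((ts, port))
        while q and q[0][0] <= ts - window:    # expire events outside the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            alerts.setdefault(src, set()).update(ports)
    return {src: sorted(p) for src, p in alerts.items()}

if __name__ == "__main__":
    for src, ports in detect_scans(make_sample_log()).items():
        print(f"ALERT possible port scan from {src}: {len(ports)} ports {ports}")
```

Counting distinct destination ports rather than raw SYNs is what keeps the client that retries a single closed port from raising an alert.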



  • 5.  RE: nmap and port scanning

    Posted 04-09-2021 04:08

    Hi Louis,
    Thanks for your reply ^^

    I completely agree with you, it is surely not its job to do it... but it would be nice to have that feature ;)

    Thanks again



    ------------------------------
    Zuliani
    ------------------------------