Imperva Cyber Community

  • 1.  Flexing with IncapRules

    Posted 6 days ago

    Use Case: Retrieve content from a 3rd party or location while masking the Origin. When a client accesses www.example.com/PathHere the content will be retrieved from destination.example.org/PathHere 

    Your Site: www.example.com
    3rd Party: destination.example.org

    You must have the load balancing module to define data centers.


    This can be accomplished using forward and rewrite rules.

    Define destination.example.org as a Data Center and check the box to Support only forward rules.

    Create a new Forward rule with the following filter criteria:

         URL == "/PathHere"

    Adjust the match criteria as desired. For example, the statement above is a strict match ( == ) on "/PathHere" and will not match "/PathHere/".

    For the Rule Action, select Forward to Data Center and select the destination.example.org Data Center.

    Give the rule a name and click Save.

    Imperva Cloud will now Forward all requests for www.example.com/PathHere (client facing) to destination.example.org/PathHere (backend) and retrieve the content. The client's address bar will display www.example.com/PathHere.

    Please note, however, that a Rewrite rule is also typically required in conjunction with a Forward rule. This is because the Origin Data Center usually won't respond because the original Host header is sent. Additionally, the SSL handshake can fail with the Origin server if the Host names do not match.

    Create a Rewrite matching the same path as the Forward rule.

         URL == "/PathHere"

    For the Rule Action, select Rewrite Header.

    For the Header Name, enter Host.

    Leave the From empty and in the To enter destination.example.org.

    Enter a name for the rule and click Save.

    Reply to this thread to share your IncapRules with the community!


    Helpful Links

    IncapRule Syntax Guide
    https://docs.imperva.com/bundle/cloud-application-security/page/rules/rule-syntax.htm

    Simplified Redirect Rules
    https://docs.imperva.com/bundle/cloud-application-security/page/rules/simplified-redirect.htm

    Scheduler Syntax
    https://docs.imperva.com/bundle/cloud-application-security/page/rules/scheduler.htm

    Variable$ Galore!
    https://docs.imperva.com/bundle/cloud-application-security/page/rules/create-rule.htm

    Custom Rate Rules
    https://docs.imperva.com/bundle/cloud-application-security/page/rules/rates.htm

    #CloudWAF(formerlyIncapsula)

    WARNING: Please follow your organization's change control procedures, and always test rules before adding to production


  • 2.  RE: Flexing with IncapRules

    Posted 5 days ago
    Is there a location to see logs of rules that were matched, including Time, client IP, browser, etc?

    ------------------------------
    John Schoenstein
    IT Security Analyst
    Glendale AZ
    ------------------------------



  • 3.  RE: Flexing with IncapRules

    Posted 5 days ago
    Hi John,

    There are 2 locations to review this information.

    Within the UI under Security Events. The label will be "Security Rules". Also, on the right, you can filter for specific Security Rules if desired.


    Additionally, if you are gathering SIEM logs, it should be under the Request Result section for the security rule that is triggered. 

    https://docs.imperva.com/bundle/cloud-application-security/page/more/log-file-structure.htm  



  • 4.  RE: Flexing with IncapRules

    Posted 5 days ago
    When Log4j hit last year, I utilized IncapRules to implement quick restrictions. Example:

    If: Full-URL contains "jndi" & Full-URL not-contains "bWFzdGVyfGltYWdlc3wxMzc5NHxpbWFnZS9wbmd8aW1hZ2VzL2gyOS9oYjMvODc5NzY3NTE1OTU4Mi5wbmd8MGUxYTJiNjUzNTE2ZjNkM2I4ZjY4M2QxZDAxMjAzNmY3OGFkYTQ1MDM0ZmRhZDNmMGMwNjA3OWJjNDIyNjg2Mw"
    Then: Block Request

    This assisted to block attempts, before we implemented the full fix.


    ------------------------------
    David Gorman
    eCommerce Service Manager
    GlaxoSmithKline
    Collegeville NJ
    ------------------------------



  • 5.  RE: Flexing with IncapRules

    Posted 4 days ago

    Use Case: Provide additional protection to a path. (eg: Login page)

    Click Add Rule

    The filter criteria will be:

         MaliciousIPList == TorIPs & MaliciousIPList == AnonymousProxyIPs & URL contains "^/login"


    For rule action, select Require Javascript Support.

    Summary: This rule requires any client originating from a TOR node or Anonymous Proxy to process a JS challenge if they are accessing the login page. 

    This accomplishes two things:

    1.) Keeps low level BOTs off your login page. Good BOTs (like search engine crawlers) will not be using TOR nodes or Anonymous Proxies.
    2.) If there is an advanced BOT or automation technique accessing your login page, we now have a fingerprint (via the JS challenge) that can be used to block it.

    Options: Tailor this rule to your liking. Perhaps you adopt an aggressive measure and require CAPTCHA support or block.


    A variation of this rule would be:

         IPReputationRiskLevel >= High & URL contains "^/login"

    Rule action: Require JavaScript Support or CAPTCHA



  • 6.  RE: Flexing with IncapRules

    Posted 4 days ago
    I just implemented a rule that blocks access to a certain URL if you are not coming from our internal IP ranges. Is this the best way to create this rule?

    URL contains "^/<path>/" & ClientIP != x.x.x.0/24 & ClientIP != y.y.y.0/24 & ClientIP != z.z.z.0/24 & ClientIP != a.a.a.0/24

    Also, could I get a link to the page that talks about using incap rules to facilitate a certification pass through? I have some sites that use this that I cannot onboard to the WAF and would love a possible workaround.

    ------------------------------
    Caleb Larson
    Information Security Engineer
    Appleton MN
    ------------------------------



  • 7.  RE: Flexing with IncapRules

    Posted 4 days ago
    Hi Caleb,

    That technically works, however, a more efficient method would be to leverage a ; as a separator for the IP/Network list. Also, please be aware that the Cloud WAF cannot "see" your internal IP addresses. Are you referring to your corporate network ranges? (NAT)

         URL contains "^/<path>/" & ClientIP != x.x.x.0/24;y.y.y.0/24;z.z.z.0/24;a.a.a.0/24

    For information on configuring client-certificate support, please see:

    • https://docs.imperva.com/bundle/cloud-application-security/page/more/client-certificate-support.htm 
    • https://docs.imperva.com/bundle/cloud-application-security/page/manage-client-certificate.htm ("Delivery Rules" referenced in this document are IncapRules)

    Thanks.
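    As an added illustration of the rule discussed in the last two replies (this is example code written for this page, not Imperva's rule engine or anything posted in the thread), the Python below models how the ;-separated list in `ClientIP != a;b;c` is meant to behave: the request is blocked only when the client address falls in none of the listed networks. The networks, the `/internal/` path and the sample requests are constructed placeholders, and treating a leading `^` in `contains` as a start-of-URL anchor is an assumption taken from how the thread uses it.

```python
import ipaddress

# Constructed ranges standing in for the thread's x.x.x.0/24;y.y.y.0/24;... placeholders.
# As the reply notes, these must be the public (NAT) ranges the Cloud WAF actually sees.
ALLOWED_NETWORKS = "10.10.10.0/24;192.0.2.0/24;198.51.100.0/24;203.0.113.0/24"
PROTECTED_PATH = "^/internal/"   # constructed; the thread writes "^/<path>/"


def parse_ip_list(value: str):
    """Split a ;-separated IncapRules list into ip_network objects (assumption: ; separates members)."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(";") if item.strip()]


def url_contains(url: str, pattern: str) -> bool:
    """Model of `contains`: a leading ^ anchors to the start of the URL (assumption), else substring."""
    if pattern.startswith("^"):
        return url.startswith(pattern[1:])
    return pattern in url


def client_ip_not_in(client_ip: str, networks) -> bool:
    """Model of `ClientIP != a;b;c`: True only when the address is in none of the listed networks."""
    addr = ipaddress.ip_address(client_ip)
    return not any(addr in net for net in networks)


def rule_matches(url: str, client_ip: str) -> bool:
    """URL contains "^/internal/" & ClientIP != <list>  ->  True means the rule fires (Block)."""
    return url_contains(url, PROTECTED_PATH) and client_ip_not_in(
        client_ip, parse_ip_list(ALLOWED_NETWORKS))


def evaluate(requests):
    """Return (url, client_ip, verdict) for each constructed request."""
    return [(u, ip, "BLOCK" if rule_matches(u, ip) else "ALLOW") for u, ip in requests]


SAMPLE_REQUESTS = [  # constructed sample traffic
    ("/internal/reports", "10.10.10.42"),   # in the first corporate range -> allowed
    ("/internal/reports", "8.8.8.8"),       # outside every listed range -> blocked
    ("/public/index.html", "8.8.8.8"),      # path not protected -> rule does not apply
    ("/internal/", "203.0.113.250"),        # in the last range of the list -> allowed
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REQUESTS):
        print(row)
```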


  • 8.  RE: Flexing with IncapRules

    Posted 4 days ago
    Yes, I am referring to our corporate network ranges.

    As for the client cert support in CWAF, I think the issue we ran into is that we need to use certain certs for certain paths, not just the entire site which is what the CWAF allows for if I am remembering correctly. I was wondering if there was a way that rules could help pass along certificate information to the origin. Is that what this section is talking about? Imperva Documentation Portal

    ------------------------------
    Caleb Larson
    Information Security Engineer
    Appleton MN
    ------------------------------



  • 9.  RE: Flexing with IncapRules

    Posted 4 days ago
    Ah, yes; you are correct. As it stands today, client certificate support is per domain and cannot be configured per URL.

    I recommend submitting this as a feature request at https://imperva.uservoice.com/

    Thanks.