Imperva Cyber Community

  • 1.  Imperva OneBox demo is not capturing Alerts or Violations

    Posted 01-26-2024 16:20

    Hello, I have installed the OneBox LAB on my PC with the SuperVeda web server and followed the instructions. When I check the Profile learning pages I can see the profile is learning about the websites; however, when I check the alerts and violations after trying the classic SQL injection code 1+1, I don't see any message. So I am not sure why it is not reporting any alert. Any idea?


    #AllImperva
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Gerson Acevedo
    Engineer
    Sisap - Sistemas Aplicativos
    Guatemala
    ------------------------------


  • 2.  RE: Imperva OneBox demo is not capturing Alerts or Violations

    Posted 01-26-2024 17:52

    Did you check whether the traffic passes through the bridge interfaces with tcpdump?



    ------------------------------
    Alejandro Hernandez
    Consultant and Trainer
    Soluciones Integrales en Capacitacion SA de CV (SICAP)
    Mexico D.F
    ------------------------------



  • 3.  RE: Imperva OneBox demo is not capturing Alerts or Violations

    Posted 01-30-2024 09:54

    Hi @Gerson Acevedo,

    I checked in with our support team and was advised that Onebox has been deprecated since the start of version 14 (14.1 to be precise), so it would be important to understand what version the customer/partner is using.

    In general terms though, you need to do what @Alejandro Hernandez recommended and verify traffic is flowing as expected, and that it has the default policies applied to it in the config.

    Without seeing the configuration it is very difficult to be precise with anything as there are so many different things that could be wrong. It is clear that some of the config is correct if you see profile learning, but beyond this, it's hard to make other recommendations. What happens if they disable profile learning?

    I hope this is helpful and thank you @Alejandro Hernandez for your input.

    Thanks,



    ------------------------------
    Sarah Lamont
    Digital Community Manager
    ------------------------------



  • 4.  RE: Imperva OneBox demo is not capturing Alerts or Violations

    Posted 01-31-2024 04:38
    Edited by John Thompson 01-31-2024 04:40

    @Gerson Acevedo - Is the URL in the Profile of the web application you're attacking with your SQL Injection in learning mode or protect mode?

    I'm asking because my first thought is that, if you've only been running your WAF for a few days in a lab, and if you have not manually switched the Web Profile (or the specific URLs) to Protect Mode, then the SQL Injection Rule in the policy will not trigger the Web Profile Policy, or the Correlated Attack Validation (CAV) that's used in Correlation Policies will not be triggered because that specific URL is in all likelihood still in a Learning Mode because it has not received enough different traffic over enough time to lock the profile on that URL into protect mode yet.

    A few helpful articles to review could include:


    A few articles in the Imperva Community that you may also find helpful are:

    Separately, the other suggestion below regarding basic network troubleshooting with tcpdump is a solid suggestion, just to confirm that the attack is making it from the client through to the origin server.

    I am looking forward to hearing back regarding how your troubleshooting goes.

    P.S. Any other ideas/suggestions, @Jaired Anderson?



    ------------------------------
    John Thompson
    Director, Channel Presales
    Imperva
    San Diego CA
    ------------------------------



  • 5.  RE: Imperva OneBox demo is not capturing Alerts or Violations

    Posted 02-01-2024 10:22

    I will second and third what Alejandro and John said; a TCPDump is always a good place to start - especially in a lab or virtual environment. You'll want to confirm that you see traffic enter and exit the correct interfaces.

    It's odd that you are seeing Web profile traffic, but not alerts - these are typically mutual. In other words, whatever issue is stopping the alerts from being seen will also prevent the profile from being populated (with a default configuration).

    You might try sending a "/ c m d . e x e" (remove the spaces) to trigger an alert. 



    ------------------------------
    Jaired Anderson
    Imperva
    https://www.imperva.com/
    ------------------------------



  • 6.  RE: Imperva OneBox demo is not capturing Alerts or Violations

    Posted 02-01-2024 11:02
    Edited by John Thompson 02-08-2024 07:46

    @Gerson Acevedo, @Jaired Anderson's suggestion to send a "/ c m d . e x e" (*remove spaces) as an attack in the URL is a great idea because that will trigger against a signature, rather than against the profile. Excellent troubleshooting step Jaired!

    @Ira Miga's blog article above references a great diagram modeled on the OSI model that everyone's familiar with (*including the very important "layer-8"), but I also like this Imperva OnPrem WAF / WAF Gateway diagram showing the different layers of security inspection performed. Both provide interesting perspectives when troubleshooting security policy questions.

    https://docs.imperva.com/bundle/v15.0-web-application-firewall-user-guide/page/1140.htm



    ------------------------------
    John Thompson
    Director, Channel Presales
    Imperva
    San Diego CA
    ------------------------------
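The replies above converge on two checks: confirm from the client side that requests actually reach the lab origin, and use the signature-based "/cmd.exe" probe alongside the profile-based "1+1" probe to tell the two detection paths apart. The script below is an added example written for this thread, not Imperva's or SuperVeda's code. It sends a baseline request, the profile probe and the signature probe through the WAF to the lab server and classifies each answer as "no-connection", "blocked" or "reached-origin". The host, port, page path, the `id` parameter name and the block-page markers are assumptions; the transport is injectable so the logic can be exercised without a lab.

```python
"""Lab check for a WAF in front of a SuperVeda test server (added example,
not Imperva code).  It answers the client-side half of the thread's advice:
does each request reach the origin, or is something in the path blocking it?
Whether an *alert* was raised is still a WAF-console question; an alert-only
policy lets the request through, so "reached-origin" never means "no alert"."""
import http.client
import sys
import urllib.parse

# Probe paths.  "1+1" and "/cmd.exe" come from the thread; the page path and
# the "id" parameter name are hypothetical and must match the lab site.
PROBES = {
    "baseline": "/index.html",
    "profile_sqli": "/index.html?" + urllib.parse.urlencode({"id": "1+1"}),
    "signature": "/cmd.exe",   # the thread's "/ c m d . e x e" without the spaces
}

# Strings that, if present in a response body, we treat as a block page.
# These are assumptions; adjust them to the block page the lab actually serves.
BLOCK_MARKERS = ("blocked", "forbidden")


def send_http(host, port, path, timeout=5):
    """Real transport: one GET through the WAF.  Returns (status, body_snippet)
    or None when no TCP/HTTP answer comes back at all."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read(2048).decode("utf-8", "replace")
        conn.close()
        return resp.status, body
    except OSError:
        return None


def classify(result, block_markers=BLOCK_MARKERS):
    """Map a raw response to one of three outcomes."""
    if result is None:
        return "no-connection"      # nothing answered: look at the bridge interfaces with tcpdump
    status, body = result
    lowered = body.lower()
    if status == 403 or any(marker in lowered for marker in block_markers):
        return "blocked"            # a block page or 403 came back instead of the origin's page
    return "reached-origin"         # the origin answered; check the WAF alerts to see if a policy fired


def run_probes(host, port, transport=send_http):
    """Run every probe and return {probe_name: outcome}."""
    return {name: classify(transport(host, port, path)) for name, path in PROBES.items()}


def interpret(outcomes):
    """Translate the combination of outcomes into the thread's troubleshooting branches."""
    if outcomes["baseline"] == "no-connection":
        return "no traffic reaches the lab server: verify the bridge interfaces with tcpdump first"
    if outcomes["signature"] == "blocked" and outcomes["profile_sqli"] == "reached-origin":
        return "signatures act but the profile does not: the URL is most likely still in learning mode"
    if outcomes["signature"] == "reached-origin" and outcomes["profile_sqli"] == "reached-origin":
        return "traffic flows end to end: check the WAF alerts and confirm default policies are applied"
    return "mixed result: compare these outcomes with the WAF alert view before drawing conclusions"


if __name__ == "__main__":
    # Usage: python waf_lab_check.py <lab-host> [port]   (hostnames are assumptions)
    target = sys.argv[1] if len(sys.argv) > 1 else "superveda.lab"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    results = run_probes(target, port)
    for name, outcome in results.items():
        print(f"{name:13s} {outcome}")
    print(interpret(results))
```

Run it from the attacking client while tcpdump runs on the gateway's bridge pair, as suggested above; together they show whether the request left the client, crossed the gateway, and reached the origin, which is exactly the path the thread asks the poster to verify.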