Onboarding Imperva WAF to Wazuh

On April 15, 2022


On Monday, October 4, 2021

Imperva WAF (Web Application Firewall) is a security solution designed to protect web applications against common attack classes. It covers SQL injection, remote file inclusion, cross-site scripting and the other OWASP Top 10 and Automated Top 20 risks. Imperva security researchers monitor the threat landscape and update the WAF as needed.

With Wazuh we can monitor the Imperva WAF logs in a single place, with visualizations that make monitoring and correlation easy. For that, Wazuh needs custom decoders and rules so that it knows how to parse the events and trigger alerts when an anomaly is present.

A syslog server fetches the Imperva WAF logs into a single log file; we then ship that file through the Wazuh agent so it can be analysed and monitored.

Imperva configuration

To configure log integration:

Log into your my.imperva.com account and navigate to the Logs Setup page:

On the top menu bar, click Account > Account Management. On the sidebar, click SIEM Logs > WAF Log Setup.


Pull mode: Download logs using a script

  1. Select Imperva API.

  2. Click the links to download the API Connector and the Settings.Config Log configuration file. The Connector is a sample script you can use to download the logs after they are generated.

  3. Under Connection, copy the API Key before exiting the window. You will need it later. If you forget to copy the key, you can come back to this window later and click Generate API Key to create a new key.

  4. The Log Server URL field specifies the URL of your Imperva log repository in the Imperva cloud. Use this location to download the generated logs.

Download the logs:

If you choose to manage your logs using the Imperva log integration API, you need to download the logs after they are generated. A sample Python script for implementing the API, referred to as the Connector, as well as installation and configuration instructions, are given below. The script is managed by the open-source community.

A Python script for downloading log files from Imperva CloudWAF

Clone the repository:

git clone https://github.com/imperva/incapsula-logs-downloader.git

Dependencies:

This script requires Python 3

The script has the following dependencies, which may require additional modules to be installed depending on the operating system used.

  • pycrypto

  • M2Crypto

A requirements.txt file is included in the script directory, so that the following can be used to install requirements and dependencies:

pip install -r requirements.txt 

Getting Started:

Create a local folder to hold the script configuration; it is referred to below as path_to_config_folder.

  • Copy the Settings.Config file to this folder

  • Create a subfolder named keys under the path_to_config_folder folder

  • In the keys subfolder, create a subfolder with a single digit name. This digit should specify whether this is the first encryption key uploaded (1), the second (2) or so on

  • Inside that folder, save the private key with the name Private.key

Executing The Script:

An example for calling the script is below:


python LogsDownloader.py \
  -c path_to_config_folder \
  -l path_to_system_logs_folder \
  -v system_logs_level

  • The -c, -l and -v parameters are optional

  • The default value for path_to_config_folder is /etc/incapsula/logs/config

  • The default value for path_to_system_logs_folder is /var/log/incapsula/logsDownloader/

  • The default value for system_logs_level is info

  • The path_to_system_logs_folder is the folder where the script output log file is stored. NOTE: This is for the script output only. The location to store the CloudWAF logs is defined in the Settings.Config file or IMPERVA_LOG_DIRECTORY environment variable.

  • The system_logs_level configuration parameter holds the logging level for the script output log. The supported levels are info, debug and error

  • You can run LogsDownloader.py -h to get help

Running The Script as A Service:

SysVinit :

You can run the script as a service on Linux systems by using the configuration file - linux_service_configuration/incapsulaLogs.conf

You should modify the following parameters in the configuration file according to your environment:

  • $USER$ - The user that will execute the script

  • $GROUP$ - The group name that will execute the script

  • $PYTHON_SCRIPT$ - The path to the LogsDownloader.py file, followed by the parameters for execution of the script

  • On your system, copy the incapsulaLogs.conf file and place it under the /etc/init/ directory

sudo cp incapsulaLogs.conf /etc/init/incapsulaLogs.conf 

sudo initctl reload-configuration 

sudo ln -s /etc/init/incapsulaLogs.conf /etc/init.d/incapsulaLogs 

sudo service incapsulaLogs start 

You can use start/stop/status as any other Linux service

Docker:

A dockerfile is provided to build your own image locally. At this time, a dockerhub image is not available.

Configuration:

The connector script will look for the following environment variables, and fall back to the configuration file if the environment variable is not set:

  • IMPERVA_API_KEY (required)

  • IMPERVA_API_ID (required)

  • IMPERVA_API_URL (required)

  • IMPERVA_LOG_DIRECTORY (optional)

  • IMPERVA_SAVE_LOCALLY (optional)

  • IMPERVA_USE_PROXY (optional)

  • IMPERVA_PROXY_SERVER (optional)

  • IMPERVA_SYSLOG_ENABLE (optional)

  • IMPERVA_SYSLOG_ADDRESS (optional)

  • IMPERVA_SYSLOG_PORT (optional)

  • IMPERVA_SYSLOG_PROTO (optional)

  • IMPERVA_USE_CUSTOM_CA_FILE (optional)

  • IMPERVA_CUSTOM_CA_FILE (optional, see note below)

Note - In order to use a custom CA file, you will need to either build a docker image with the file embedded, or mount a persistent data volume to the image and provide the full path to the file as this variable value.

Encrypted Logs:

The recommended method would be to mount a persistent data volume at /etc/incapsula/logs/config/keys that contains numbered subfolders with key files as detailed in Preparations for using the script.

You can also use the dockerfile in this repo to build the image with your keys baked in.

Downloading Imperva Logs - Process overview:

This section provides an overview of the process you need to follow to download Imperva logs.

  • Download the Imperva logs.index file:

    • In the Imperva Cloud Security Console, in the Logs > Log Setup page, under Connection, locate the Log Server URL.

    • To access the index file, append logs.index to the end of the Log Server URL, in the format <Log_Server_URL>/<Specific_Log_File>.

    • The index file lists the log entries that are currently available in the Imperva log repository.

  • Authentication for access to the logs is performed using the API ID and API Key.

  • Send an HTTPS call for each file listed in the index file that you want to download. As new log files are generated, they are numbered sequentially, but may occasionally skip integers.

  • If using encryption, decrypt the files to read the contents, as follows:

    • Decrypt the key value with the appropriate private key, according to the publicKeyId value. For details, see Log File Structure.

    • Use the decrypted symmetric key to decrypt the log content.

  • Decompress the files.

This example shows how to decompress a log file using Linux bash commands:

csplit -sz 123_345.log -f 123_345.log. /\|\=\=\|/  

sed -i '/|==|/d' 123_345.log.01  

cat 123_345.log.00 > 123_345.log.decompressed  

zlib-flate -uncompress < 123_345.log.01 >> 123_345.log.decompressed  

rm 123_345.log.0* 

The logs are in CEF format.
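As an added example (not from the Imperva documentation or the connector repository), here is the same unpacking done in Python: split the file at the line containing only |==|, drop that line, and zlib-decompress what follows. It assumes the layout the bash commands above imply (plain-text key:value header lines, the |==| line, then the compressed body) and, as an assumption, that an encrypted file carries a key header line whose value must first be decrypted with the private key named by publicKeyId, as in the decryption step above. The file it builds for itself is constructed, not real Imperva output.

```python
"""Unpack a downloaded Imperva CloudWAF log file in Python.

Added example for this article; not the connector's own code. Assumed layout
(what the csplit / sed / zlib-flate steps above imply):
    <key>:<value> header lines
    |==|
    zlib-compressed body holding one CEF event per line
"""
import zlib

SEPARATOR = b"|==|"


def split_log_file(data: bytes):
    """Return (header_fields, body): the header as a dict and the raw bytes
    that follow the |==| line (the csplit + sed steps)."""
    idx = data.find(SEPARATOR)
    if idx < 0:
        raise ValueError("no |==| separator: not an Imperva log file")
    header = data[:idx]
    body = data[idx + len(SEPARATOR):]
    # sed '/|==|/d' removes the whole separator line, so drop its line ending too.
    if body.startswith(b"\r\n"):
        body = body[2:]
    elif body.startswith(b"\n"):
        body = body[1:]
    fields = {}
    for raw in header.splitlines():
        if b":" in raw:
            key, value = raw.split(b":", 1)
            fields[key.strip().decode()] = value.strip().decode()
    return fields, body


def decompress_log(data: bytes) -> bytes:
    """The zlib-flate -uncompress step. Refuses encrypted files: by assumption
    their header carries a 'key' line whose value must first be decrypted with
    the private key matching publicKeyId (the decryption step in the text)."""
    fields, body = split_log_file(data)
    if "key" in fields:
        raise ValueError("encrypted log (publicKeyId=%s): decrypt the key before decompressing"
                         % fields.get("publicKeyId", "?"))
    try:
        return zlib.decompress(body)
    except zlib.error as exc:
        raise ValueError("body is not a zlib stream: %s" % exc) from exc


def split_events(plain: bytes):
    """One CEF event per line; blank lines are skipped."""
    return [line for line in plain.decode("utf-8", "replace").splitlines() if line.strip()]


def build_sample_file() -> bytes:
    """Constructed stand-in for a downloaded file (not real Imperva output)."""
    events = (
        b"CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=1 sourceServiceName=example.com act=REQ_PASSED\n"
        b"CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=1 sourceServiceName=example.com act=REQ_BLOCKED\n"
    )
    header = b"format:CEF\n"          # constructed header line
    return header + SEPARATOR + b"\n" + zlib.compress(events)


if __name__ == "__main__":
    for event in split_events(decompress_log(build_sample_file())):
        print(event)
```

Pointing decompress_log() at a real downloaded file gives the same result as the csplit/sed/zlib-flate sequence, and the ValueError paths cover the two cases the bash one-liners silently get wrong: a file without the separator and an encrypted file that has not been decrypted yet.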

Click Save to save all changes.

On the sidebar, click Log Levels. The following window displays:

Select a log level for each site to enable logging, or leave it disabled. There are two levels of logs:

  • Security Logs include the Imperva security events log.

  • All Logs comprises a comprehensive log of every request and response (access logs), as well as the security events log.

Imperva Syslog Server Configuration

Once logging is enabled, we fetch the logs from the syslog server via the Wazuh agent. There is one catch: Imperva writes each batch of events to a new log file, and we cannot list every log file in the Wazuh agent's configuration.

To solve this we use the incron service. It works like the standard cron service, except that jobs are triggered by filesystem events such as the creation, deletion or modification of files or directories. In our case an incron job fires whenever a new log file is created and appends it to a single consolidated file.

Install the Incron service:

For Debian Packages:

apt-get install incron 

For RPM Packages:

yum install epel-release 
yum install incron 

To configure incron access we have to configure /etc/incron.allow and /etc/incron.deny files.

/etc/incron.allow: if this file exists, only the users listed in it may use incron.

/etc/incron.deny: if this file exists, only the users NOT listed in it may use incron.

If neither file exists, any user on the system can use incron.

Syntax:

<path> <mask> <command>

<path>: the absolute path of the directory to be monitored.

<mask>: the event mask, which may be symbolic or numeric.

Event Symbols (Masks):

  • IN_ACCESS: File was accessed (read).

  • IN_ATTRIB: Metadata changed (permissions, timestamps, extended attributes, etc.).

  • IN_CLOSE_WRITE: File opened for writing was closed.

  • IN_CLOSE_NOWRITE: File not opened for writing was closed.

  • IN_CREATE: File/directory created in watched directory.

  • IN_DELETE: File/directory deleted from watched directory.

  • IN_DELETE_SELF: Watched file/directory was itself deleted.

  • IN_MODIFY: File was modified.

  • IN_MOVE_SELF: Watched file/directory was itself moved.

  • IN_MOVED_FROM: File moved out of watched directory.

  • IN_MOVED_TO: File moved into watched directory.

  • IN_OPEN: File was opened.

<command>: the executable command, file (or script) and its arguments.

The following wildcards may be used inside the command specification:

  • $$: a literal dollar sign

  • $@: the watched filesystem path

  • $#: the event-related file name

  • $%: the event flags (textually)

  • $&: the event flags (numerically)

After installing incron, start its service.

For Systemd:

systemctl start incron.service 

For SysV Init:

/etc/init.d/incrond start 

We now add /var/log/imperva/fail as the monitored path and set a command that appends every newly created log file to /var/log/imperva.log.

Edit the incrontab:

incrontab -e 

/var/log/imperva/fail   <Suitable Mask>       cat <Suitable Wildcard> >> /var/log/imperva.log 

Enter a suitable mask such as IN_MOVED_TO, and your command with the wildcards (for example $%) that your setup needs.


Wazuh configuration for Imperva

The consolidated log file now exists, and we can point Wazuh at it for monitoring.

Open the Wazuh Agent’s configuration:

vi /var/ossec/etc/ossec.conf 

Add the following block:


<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/imperva.log</location>
  </localfile>
</ossec_config>

After the configuration change, the wazuh-agent service needs to be restarted.

For Systemd:

systemctl restart wazuh-agent 

For SysV Init:

service wazuh-agent restart 

Adding Decoders and Rules in Wazuh

To let Wazuh understand the Imperva WAF logs and trigger alerts on anomalies, we use the decoders and rules below, placed in local_decoder.xml and local_rules.xml. Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml file or use the WUI.

<!-- Parent decoder: matches the CEF header Imperva (Incapsula) emits.
     In Wazuh regex, \. matches any character, \s a space and \| a literal pipe.
     Each child anchors on the name of the key that follows, so the key order
     of the Imperva CEF extension must match these patterns. -->
<decoder name="Imperva">
  <prematch>CEF:0\|Incapsula\|SIEMintegration</prematch>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>\|SIEMintegration\|(\.+)\sfileId=</regex>
  <order>IncapRules</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>fileId=(\.+)\ssourceServiceName=</regex>
  <order>fileID</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>sourceServiceName=(\.+)\ssiteid=</regex>
  <order>sourceServiceName</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>siteid=(\.+)\ssuid=</regex>
  <order>siteid</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>requestClientApplication=(\.+)\sdeviceFacility=</regex>
  <order>requestClientApplication</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>deviceFacility=(\.+)\scs2=</regex>
  <order>deviceFacility</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cs2=(\.+)\scs2Label=</regex>
  <order>cs2</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cs2Label=(\.+)\scs3=</regex>
  <order>cs2Label</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cs3=(\.+)\scs3Label=</regex>
  <order>cs3</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cs3Label=(\.+)\scs1=</regex>
  <order>cs3Label</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cs1=(\.+)\scs1Label=</regex>
  <order>cs1</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cs1Label=(\.+)\scs4=</regex>
  <order>cs1Label</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cs4=(\.+)\scs4Label=</regex>
  <order>cs4</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cs4Label=(\.+)\scs5=</regex>
  <order>cs4Label</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cs5=(\.+)\scs5Label=</regex>
  <order>cs5</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cs5Label=(\.+)\scs6=</regex>
  <order>cs5Label</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cs6=(\.+)\scs6Label=</regex>
  <order>cs6</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cs6Label=(\.+)\scs7=</regex>
  <order>cs6Label</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cs7=(\.+)\scs7Label=</regex>
  <order>cs7</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cs7Label=(\.+)\scs8=</regex>
  <order>cs7Label</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cs8=(\.+)\scs8Label=</regex>
  <order>cs8</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cs8Label=(\.+)\scustomer=</regex>
  <order>cs8Label</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>customer=(\.+)\sstart=</regex>
  <order>customer</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>start=(\.+)\srequest=</regex>
  <order>start</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>request=(\.+)\srequestMethod=</regex>
  <order>request</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>requestMethod=(\.+)\sapp=</regex>
  <order>requestMethod</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>app=(\.+)\sact=</regex>
  <order>app</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>act=(\.+)\sdeviceExternalId=</regex>
  <order>act</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>deviceExternalId=(\.+)\scpt=</regex>
  <order>deviceExternalId</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cpt=(\.+)\ssrc=</regex>
  <order>cpt</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>src=(\.+)\sver=</regex>
  <order>src</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>ver=(\.+)\send=</regex>
  <order>ver</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>end=(\.+)\sfileType=</regex>
  <order>end</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>fileType=(\.+)\sfilePermission=</regex>
  <order>fileType</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>filePermission=(\.+)\scs9=</regex>
  <order>filePermission</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cs9=(\.+)\scs9Label=</regex>
  <order>cs9</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>cs9Label=(\.+)</regex>
  <order>cs9Label</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>src=(\.*)\s</regex>
  <order>src</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>xff=(\.*)\s</regex>
  <order>xff</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>sip=(\.*)\s</regex>
  <order>sip</order>
</decoder>

<decoder name="Imperva_child">
  <parent>Imperva</parent>
  <regex>spt=(\.*)\s</regex>
  <order>spt</order>
</decoder>

Then add the following rule to the /var/ossec/etc/rules/local_rules.xml file or use the WUI. Rules must sit inside a <group> element for the manager to load them:

<group name="local,imperva,">
  <rule id="100216" level="4">
    <decoded_as>Imperva</decoded_as>
    <!-- $Imperva_Rule_Name is a placeholder: replace it with the text of the
         Imperva rule (or action) you want this alert to fire on -->
    <match>$Imperva_Rule_Name</match>
    <description>$(IncapRules) $(sourceServiceName) $(act)</description>
  </rule>
</group>
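To check what those decoders and the rule will see, here is an added example in Python (my own code, not Wazuh's or Imperva's) that parses a CEF event the way the decoder chain does: confirm the Incapsula/SIEMintegration header, then pull key=value pairs from the extension, honouring the CEF escapes (\|, \=, \\) and values that contain spaces. The sample line is constructed; the field names are the ones the decoders above use, and rule_description() renders the rule's $(IncapRules) $(sourceServiceName) $(act) template from the parsed fields. It mirrors the decoders' intent, not Wazuh's regex engine, so it is a sanity check, not a substitute for the manager.

```python
"""Parse Imperva (Incapsula) CEF events the way the Wazuh decoders above do.

Added example for this article; not part of the Imperva connector or the
Wazuh ruleset. SAMPLE_LINE is constructed for illustration.
"""
import re
from typing import Optional

# An extension key starts at the beginning of the extension or after whitespace
# and ends at an unescaped '='. Escaped '\=' inside a value never matches.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
_HEADER_NAMES = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

SAMPLE_LINE = (  # constructed, not real Imperva output
    "CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3| "
    "fileId=123456789 sourceServiceName=example.com siteid=1001 suid=2002 "
    "requestClientApplication=Mozilla/5.0 (X11; Linux x86_64) deviceFacility=mia "
    "cs2=true cs2Label=Javascript Support cs3=true cs3Label=CO Support "
    "src=203.0.113.10 customer=Example Corp start=1633334400000 "
    "request=example.com/search?q\\=test requestMethod=GET app=HTTPS "
    "act=REQ_CHALLENGE_CAPTCHA deviceExternalId=987654321 cpt=54321 ver=TLSv1.2 "
    "end=1633334400200 fileType=unknown filePermission=open "
    "cs9=Illegal Resource Access cs9Label=Rule name"
)


def _split_header(line: str):
    """Split the seven pipe-delimited CEF header fields, honouring \\| and \\\\.
    Returns (fields, extension) where extension is the unparsed remainder."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character: keep literally
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":                           # field delimiter
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    return fields, line[i:]


def _unescape(value: str) -> str:
    """Undo CEF extension escaping: \\= \\\\ \\n \\r."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_extension(ext: str) -> dict:
    """'k1=v1 k2=two words k3=v3' -> dict. Values may contain spaces; a new key
    begins only at whitespace + name + unescaped '=', like the decoders' \\sname= anchors."""
    matches = list(_KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def decode_imperva(line: str) -> Optional[dict]:
    """Parent decoder plus children: None unless the line is an Incapsula
    SIEMintegration CEF event (the prematch), else a dict of all fields."""
    fields, ext = _split_header(line.rstrip("\r\n"))
    if len(fields) != 7 or fields[0] != "CEF:0":
        return None
    if fields[1] != "Incapsula" or fields[2] != "SIEMintegration":
        return None
    event = dict(zip(_HEADER_NAMES, fields))
    event.update(parse_extension(ext))
    return event


def rule_description(event: dict) -> str:
    """Render the rule's description template $(IncapRules) $(sourceServiceName) $(act).
    The IncapRules capture in the decoder is the header text between
    'SIEMintegration|' and ' fileId=' (version|signature|name|severity|),
    rebuilt here from the parsed header fields."""
    incap_rules = "|".join(event[k] for k in _HEADER_NAMES[3:]) + "|"
    return "%s %s %s" % (incap_rules, event.get("sourceServiceName", ""), event.get("act", ""))


if __name__ == "__main__":
    parsed = decode_imperva(SAMPLE_LINE)
    for key, value in parsed.items():
        print("%-26s %s" % (key, value))
    print("description:", rule_description(parsed))
```

Running a real line through decode_imperva() shows at a glance which key each child decoder's regex should end on, since every child above anchors on the name of the next key. On a manager, the definitive check is to paste the same line into /var/ossec/bin/wazuh-logtest and confirm that the Imperva decoder fires and the expected fields appear in its output.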

After the configuration change, the wazuh-manager service needs to be restarted.

For Systemd:

systemctl restart wazuh-manager 

For SysV Init:

service wazuh-manager restart 


Once the configuration is done, the logs are collected by Wazuh and the alerts are shown.

Log in to your Invinsense Portal and open Wazuh.


You can create custom dashboards according to your needs.


Conclusion:

In this article we integrated Imperva WAF events into Wazuh. With them in Wazuh we can keep track of everything that happens in the web application and catch suspicious activity, and with multiple visualizations and dashboards the complex incoming data is easy to monitor.

