Merge pull request #478 from splunk/mchavda-splunk/imperva-waf-test-c…

…ases-424 Mchavda splunk/imperva waf test cases 424
CSVD · May 21, 2020 · 19c54d7 · 19c54d7
2 parents 2ad58c9 + 091053b
commit 19c54d7
Show file tree

Hide file tree

Showing 7 changed files with 201 additions and 6 deletions.
diff --git a/docs/sources/Imperva/index.md b/docs/sources/Imperva/index.md
@@ -40,7 +40,7 @@ Note listed for reference processing utilizes the Microsoft ArcSight log path as
 | SC4S_LISTEN_CEF_TCP_PORT      | empty string      | Enable a TCP port for this specific vendor product using the number defined |
 | SC4S_LISTEN_CEF_UDP_PORT      | empty string      | Enable a UDP port for this specific vendor product using the number defined |
 | SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
-| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | 
+| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
 
 * NOTE:  Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how
 many ports are in use by this CEF source (or any others).  See the "Common Event Format" source
@@ -50,8 +50,58 @@ documentation for more information.
 
 An active site will generate frequent events use the following search to check for new events
 
-Verify timestamp, and host values match as expected    
+Verify timestamp, and host values match as expected
 
 ```
 index=<asconfigured> (sourcetype=cef source="Imperva:Incapsula")
 ```
+
+---
+
+## Product - On-Premises WAF (SecureSphere WAF)
+
+| Ref            | Link                                                                                                    |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on  | https://splunkbase.splunk.com/app/2874/                                                                 |
+| Product Manual | https://community.microfocus.com/dcvta86296/attachments/dcvta86296/partner-documentation-h-o/22/2/Imperva_SecureSphere_11_5_CEF_Config_Guide_2018.pdf |
+
+### Sourcetypes
+
+| sourcetype               | notes |
+|--------------------------|-------|
+| imperva:waf              | none  |
+| imperva:waf:firewall:cef | none  |
+| imperva:waf:security:cef | none  |
+
+### Index Configuration
+
+| key                        | index    | notes          |
+|----------------------------|----------|----------------|
+| Imperva Inc._SecureSphere  | netwaf   | none           |
+
+### Filter type
+
+MSG Parse: This filter parses message content
+
+### Options
+
+| Variable       | default        | description    |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_CEF_TCP_PORT      | empty string      | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_CEF_UDP_PORT      | empty string      | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
+| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+* NOTE:  Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how
+many ports are in use by this CEF source (or any others).  See the "Common Event Format" source
+documentation for more information.
+
+### Verification
+
+An active site will generate frequent events use the following search to check for new events
+
+Verify timestamp, and host values match as expected
+
+```
+index=<asconfigured> (sourcetype=imperva:waf*)
+```
diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
@@ -34,6 +34,14 @@ template t_everything {
         template("${ISODATE} ${HOST} ${LEGACY_MSGHDR}${MESSAGE}");
         };
 
+# ===============================================================================================
+# CEF Header with message; useful for common event format (CEF)
+# ===============================================================================================
+
+template t_cef_hdr_msg {
+        template("${3}");
+        };
+
 # ===============================================================================================
 # Message Header with Message; for Palo Alto
 # ===============================================================================================

diff --git a/package/etc/conf.d/context/common_event_format_class.csv b/package/etc/conf.d/context/common_event_format_class.csv
@@ -0,0 +1,4 @@
+Imperva Inc._SecureSphere_Firewall,sourcetype,imperva:waf:firewall:cef
+Imperva Inc._SecureSphere_Signature,sourcetype,imperva:waf:security:cef
+Imperva Inc._SecureSphere_Protocol,sourcetype,imperva:waf:security:cef
+Imperva Inc._SecureSphere_Worm,sourcetype,imperva:waf:security:cef
diff --git a/package/etc/conf.d/context/common_event_format_source.csv b/package/etc/conf.d/context/common_event_format_source.csv
@@ -11,4 +11,6 @@ Microsoft_Microsoft Windows,source,CEFEventLog:Microsoft Windows
 Microsoft_Microsoft Windows,index,oswinsec
 Incapsula_SIEMintegration,source,Imperva:Incapsula
 Incapsula_SIEMintegration,index,netwaf
+Imperva Inc._SecureSphere,sourcetype,imperva:waf
+Imperva Inc._SecureSphere,index,netwaf
 unknown,source,CEF:unknown
diff --git a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
@@ -36,6 +36,15 @@ parser p_cef_source {
     );
 };
 
+parser p_cef_class {
+    add-contextual-data(
+        selector("${fields.cef_device_vendor}_${fields.cef_device_product}_${fields.cef_device_event_class}"),
+        database("conf.d/context/common_event_format_class.csv")
+        ignore-case(yes)
+        prefix(".splunk.")
+    );
+};
+
 log {
     junction {
 {{- if or (or (getenv  (print "SC4S_LISTEN_CEF_TCP_PORT")) (getenv  (print "SC4S_LISTEN_CEF_UDP_PORT"))) (getenv  (print "SC4S_LISTEN_CEF_TLS_PORT")) }}
@@ -74,8 +83,12 @@ log {
     }; #Do nothing this is allows for both rt and end to be missing and still pass with the message ts
 
     #CEF TAs use the source as their bounds in props.conf
-    parser(p_cef_source);
-
+    if {
+        parser(p_cef_source);
+    };
+    if {
+        parser(p_cef_class);
+    };
     parser {
         p_add_context_splunk(key("${fields.cef_device_vendor}_${fields.cef_device_product}"));
     };
@@ -85,7 +98,16 @@ log {
     #We want to unset the fields we won't need, as this is copied into the
     #disk queue for network destinations. This can be very disk expensive
     #if we don't
-    rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+
+    if {
+        filter {
+            match('^Imperva\sInc\._SecureSphere$', value("fields.sc4s_vendor_product"))
+        };
+        rewrite { set("$(template ${.splunk.sc4s_template} $(template t_cef_hdr_msg))" value("MSG")); };
+    }
+    else{
+        rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+    };
 
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CEF_HEC" "no")) }}
     destination(d_hec);

diff --git a/tests/test_cisco_wsa.py b/tests/test_cisco_wsa.py
@@ -22,7 +22,6 @@
 '{{ mark }}{{ bsd }} {{ host }} Mon May 04 12:59:49 2020 Info: Version: 9.0.0-485 SN: 848F69E6010F-JYFZWQ1',
 '{{ mark }}{{ bsd }} {{ host }} 04 May 2020 12:59:59 (GMT+5:00) Info: Firewall blocked TCP data from 10.0.0.3:1148 to 96.246.56.182.',
 '{{ mark }}{{ bsd }} {{ host }} Mon May 04 12:59:58 2020 Info: Time offset from UTC: 113 seconds',
-'{{ mark }}{{ bsd }} {{ host }} Mon May 04 12:59:59 2020 Info: Firewall noted TCP data from 10.0.0.15 to 61.79.37.205(www.xxxxxxx7.com):1283.'
 ]
 testdata_squid = [
 '{{ mark }}{{ bsd }} {{ host }} 1588851279.000 184 10.0.0.6 TCP_CLIENT_REFRESH_MISS/404 461 POST http://test_web.net/users/user2.jpg - DEFAULT_PARENT/www.xxxxxxx15.com application/javascript DEFAULT_CASE_184-NONE-CyberRange_DC_NoAuth-RFS_Transparent_Proxy_Test-random_policy-DefaultGroup-RoutingPolicy <IW_infr,9.2,-,"-",-,-,-,12,"AC238.zip",184,184,184,"3655277AA",-,-,"-","-",0,0,IW_infr,"0","-","-","ccccc","acbd","Avc_app_behaviour","ensrch",331.2241,0,[Remote],"-","-",12,"xyz",184,0,"AC238.pdf","ACC2BCCC5C0D035F7F09CE2DA65472714BAFF0FF5FBC20DA85F00A6CCF3B986C"> "abcd" 486',

diff --git a/tests/test_imperva_waf.py b/tests/test_imperva_waf.py
@@ -0,0 +1,110 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+
+import pytest
+env = Environment()
+
+# Nov 15 23:57:28 3.3.3.3 CEF:0|Imperva Inc.|SecureSphere|13.5.0.10_0|Custom|custom-policy-violation|High|act=block dst=1.1.1.1 dpt=80 duser=GeritaMija3s src=1.0.0.1 spt=59774 proto=TCP rt=Nov 15 2019 15:52:28 cat=Alert cs1=Suspicious File Access Attempt - 1 cs1Label=Policy cs2=WebCloud (simulation) cs2Label=ServerGroup cs3=WebCloud HTTP Service (simulation) cs3Label=ServiceName cs4=english.hku.hk Application cs4Label=ApplicationName cs5=custom-policy-violation cs5Label=Description cs6=POST cs6Label=HTTPHeaderRequest-URLMethod cs7=/uploads/dede/sys_verifies.php cs7Label=HTTPHeaderRequest-URLPath cs8=Connection, Content-Type, Accept, Referer, User-Agent, Content-Length, Host Keep-Alive, application/x-www-form-urlencoded, */*, http://aaaaa.bbb.cc/uploads/dede/sys_verifies.php?action=down, Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2), 231, english.hku.hk cs8Label=HttpHeaderRequest-Header cs9=down action cs9Label=HttpHeaderRequest-Parameters cs10=6704543119945989736 cs10Label=EventID cs11=7500662780438769543 cs11Label=SessionID
+# Nov 15 23:45:44 3.3.3.3 CEF:0|Imperva Inc.|SecureSphere|13.5.0.10_0|Correlation|sql-injection|High|act=block dst=1.1.1.1 dpt=80 duser=Marcelavms src=1.0.0.1 spt=46814 proto=TCP rt=Nov 15 2019 15:45:42 cat=Alert cs1=Web Correlation Policy cs1Label=Policy cs2=AAA Wildcard (Dept) (simulation cs2Label=ServerGroup cs3=AAA Wildcard (Dept) HTTP Service (simulation) cs3Label=ServiceName cs4=aaa.bbb.hk Application cs4Label=ApplicationName cs5=sql-injection cs5Label=Description cs6=GET cs6Label=HTTPHeaderRequest-URLMethod cs7=/cdblog/wp-trackback.php cs7Label=HTTPHeaderRequest-URLPath cs8=Accept-Language, Accept-Charset, Accept, User-Agent, Host, Connection en-us,en, utf-8,*, text/html,image/jpeg,image/gif,text/xml,text/plain,image/png, Opera/9.27, aaa.bbb.hk, close cs8Label=HttpHeaderRequest-Header cs9=555&&BeNChMaRK(2999999,MD5(NOW())) p cs9Label=HttpHeaderRequest-Parameters cs10=6704543119945954386 cs10Label=EventID cs11= cs11Label=SessionID
+test_fallback_events = [
+    '{{ mark }} {{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.5.0.10_0|Custom|custom-policy-violation|High|act=block dst=1.1.1.1 dpt=80 duser=GeritaMija3s src=1.0.0.1 spt=59774 proto=TCP rt={{ bsd }} cat=Alert cs1=Suspicious File Access Attempt - 1 cs1Label=Policy cs2=WebCloud (simulation) cs2Label=ServerGroup cs3=WebCloud HTTP Service (simulation) cs3Label=ServiceName cs4=aaaa.bbb.cc Application cs4Label=ApplicationName cs5=custom-policy-violation cs5Label=Description cs6=POST cs6Label=HTTPHeaderRequest-URLMethod cs7=/uploads/dede/sys_verifies.php cs7Label=HTTPHeaderRequest-URLPath cs8=Connection, Content-Type, Accept, Referer, User-Agent, Content-Length, Host Keep-Alive, application/x-www-form-urlencoded, */*, http://aaaaa.bbb.cc/uploads/dede/sys_verifies.php?action=down, Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2), 231, aaaa.bbb.cc cs8Label=HttpHeaderRequest-Header cs9=down action cs9Label=HttpHeaderRequest-Parameters cs10=6704543119945989736 cs10Label=EventID cs11=7500662780438769543 cs11Label=SessionID',
+    '{{ mark }} {{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.5.0.10_0|Correlation|sql-injection|High|act=block dst=1.1.1.1 dpt=80 duser=Marcelavms src=1.0.0.1 spt=46814 proto=TCP rt={{ bsd }} cat=Alert cs1=Web Correlation Policy cs1Label=Policy cs2=AAA Wildcard (Dept) (simulation cs2Label=ServerGroup cs3=AAA Wildcard (Dept) HTTP Service (simulation) cs3Label=ServiceName cs4=aaa.bbb.hk Application cs4Label=ApplicationName cs5=sql-injection cs5Label=Description cs6=GET cs6Label=HTTPHeaderRequest-URLMethod cs7=/cdblog/wp-trackback.php cs7Label=HTTPHeaderRequest-URLPath cs8=Accept-Language, Accept-Charset, Accept, User-Agent, Host, Connection en-us,en, utf-8,*, text/html,image/jpeg,image/gif,text/xml,text/plain,image/png, Opera/9.27, aaa.bbb.hk, close cs8Label=HttpHeaderRequest-Header cs9=555&&BeNChMaRK(2999999,MD5(NOW())) p cs9Label=HttpHeaderRequest-Parameters cs10=6704543119945954386 cs10Label=EventID cs11= cs11Label=SessionID',
+]
+@pytest.mark.parametrize("event", test_fallback_events)
+def test_imperva_waf_fallback(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event):
+    host = get_host_key
+
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string(event + "\n")
+    message = mt.render(mark="<11>", bsd=bsd, host=host)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        "search index=netwaf _time={{ epoch }} sourcetype=\"imperva:waf\" host=\"{{ host }}\"")
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1
+
+# Jan 30 14:43:13 146.222.1.43 CEF:0|Imperva Inc.|SecureSphere|13.0.0|Signature|Sql Signature Violation|Low|act=None dst=10.222.17.15 dpt=1521 duser=Multiple src=10.222.17.15 spt=51462 proto=TCP rt=Jan 30 2020 08:43:15 cat=Alert cs1=Recommended Signatures Policy for Database Applications cs1Label=Policy cs2=hklp320p cs2Label=ServerGroup cs3=Multiple EXECUTE IMMEDIATE attempt(+)  from 10.222.17.15 cs3Label=Description
+# Jan 30 14:50:39 146.222.1.43 CEF:0|Imperva Inc.|SecureSphere|13.0.0|Protocol|Extremely Long SQL Request|High|act=None dst=146.222.96.180 dpt=0 duser=n/a src=10.222.57.18 spt=46205 proto=TCP rt=Jan 30 2020 04:50:35 cat=Alert cs1=SQL Protocol Policy cs1Label=Policy cs2=hklp743p cs2Label=ServerGroup cs3=hklp743p_oracle cs3Label=ServiceName cs4=Default Oracle Application cs4Label=ApplicationName cs5=Multiple Extremely Long SQL Request from 10.222.57.18 cs5Label=Description
+# Jul 16 18:19:52 3.3.3.3 CEF:0|Imperva Inc.|SecureSphere|10.5.0|Worm|Web Worm|High|act=Block dst=1.1.1.1 dpt=80 duser=n/a src=1.0.0.1 spt=65535 proto=TCP rt=Jul 16 2015 18:19:50 cat=Alert cs1=Web Worm Policy cs1Label=Policy cs2=Server3 cs2Label=ServerGroup cs3=ServiceName3 cs3Label=ServiceName cs4=ApplicationName3 cs4Label=ApplicationName cs5=Access to: /cgi-system/rtpd.cgi cs5Label=Description
+test_security_events = [
+    '{{ mark }}{{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.0.0|Signature|Sql Signature Violation|Low|act=None dst=10.222.17.15 dpt=1521 duser=Multiple src=10.222.17.15 spt=51462 proto=TCP rt={{ bsd }} cat=Alert cs1=Recommended Signatures Policy for Database Applications cs1Label=Policy cs2=hklp320p cs2Label=ServerGroup cs3=Multiple EXECUTE IMMEDIATE attempt(+)  from 10.222.17.15 cs3Label=Description',
+    '{{ mark }}{{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.0.0|Protocol|Extremely Long SQL Request|High|act=None dst=146.222.96.180 dpt=0 duser=n/a src=10.222.57.18 spt=46205 proto=TCP rt={{ bsd }} cat=Alert cs1=SQL Protocol Policy cs1Label=Policy cs2=hklp743p cs2Label=ServerGroup cs3=hklp743p_oracle cs3Label=ServiceName cs4=Default Oracle Application cs4Label=ApplicationName cs5=Multiple Extremely Long SQL Request from 10.222.57.18 cs5Label=Description',
+    '{{ mark }}{{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|10.5.0|Worm|Web Worm|High|act=Block dst=1.1.1.1 dpt=80 duser=n/a src=1.0.0.1 spt=65535 proto=TCP rt={{ epoch }} cat=Alert cs1=Web Worm Policy cs1Label=Policy cs2=Server3 cs2Label=ServerGroup cs3=ServiceName3 cs3Label=ServiceName cs4=ApplicationName3 cs4Label=ApplicationName cs5=Access to: /cgi-system/rtpd.cgi cs5Label=Description',
+]
+@pytest.mark.parametrize("event", test_security_events)
+def test_imperva_waf_security(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event):
+    host = get_host_key
+
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string(event + "\n")
+    message = mt.render(mark="<111>", bsd=bsd, host=host)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        "search index=netwaf _time={{ epoch }} sourcetype=\"imperva:waf:security:cef\" host=\"{{ host }}\"")
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1
+
+# Apr 19 10:29:53 3.3.3.3 CEF:0|Imperva Inc.|SecureSphere|12.0.0|Firewall|SSL Untraceable Connection|Medium|act=Block dst=160.131.222.235 dpt=2157 duser=Mathbelliin src=49.93.221.243 spt=11286 proto=TCP rt=Jan 30 2020 14:41:23 cat=Alert cs1=Automated Vulnerability Scanning cs1Label=Policy cs2=IRIS_1 cs2Label=ServerGroup cs3=app1-5.host1.com [Multi_VIP] cs3Label=ServiceName cs4=For Monitor ONLY cs4Label=ApplicationName cs5=Distributed Too Many Headers per Response cs5Label=Description
+def test_imperva_waf_firewall(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
+    host = get_host_key
+
+    dt = datetime.datetime.now()
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    epoch = epoch[:-7]
+
+    mt = env.from_string(
+        '{{ bsd }}{{ host }} CEF:0|Imperva Inc.|SecureSphere|12.0.0|Firewall|SSL Untraceable Connection|Medium|act=Block dst=160.131.222.235 dpt=2157 duser=Mathbelliin src=49.93.221.243 spt=11286 proto=TCP rt={{ bsd }} cat=Alert cs1=Automated Vulnerability Scanning cs1Label=Policy cs2=IRIS_1 cs2Label=ServerGroup cs3=app1-5.host1.com [Multi_VIP] cs3Label=ServiceName cs4=For Monitor ONLY cs4Label=ApplicationName cs5=Distributed Too Many Headers per Response cs5Label=Description')
+    message = mt.render(bsd=bsd, host=host)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string(
+        "search index=netwaf _time={{ epoch }} sourcetype=\"imperva:waf:firewall:cef\" host=\"{{ host }}\"")
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1