Prevoty RASP Content Package V2.0.0 Installation And User Guide - IBM Cloud


Technical Guide
Prevoty RASP Content Package v2.0.0
Installation and User Guide
Prevoty, Inc. HQ
11911 San Vicente Blvd. #355
Los Angeles, CA
Version Number: 2.0
Version Date: May 2017

COPYRIGHT 2017 PREVOTY, INC.
VERSION: 2-171905
LEGAL NOTICE: ALL RIGHTS RESERVED. PRINTED IN THE UNITED STATES OF AMERICA. Prevoty, Inc. ("Prevoty") and its licensors retain all ownership rights to this document (the "Document"). Use of the Document is governed by applicable copyright law. Prevoty may revise this Document from time to time without notice.
THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN NO EVENT SHALL PREVOTY BE LIABLE FOR INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND ARISING FROM ANY ERROR IN THIS DOCUMENT, INCLUDING WITHOUT LIMITATION ANY LOSS OR INTERRUPTION OF BUSINESS, PROFITS, USE OR DATA. PREVOTY RESERVES THE RIGHT TO MODIFY OR REMOVE ANY OF THE FEATURES OR COMPONENTS DESCRIBED IN THIS DOCUMENT FROM THE FINAL PRODUCT, WITHOUT NOTICE.
BRAND AND PRODUCT NAMES IN THIS DOCUMENT ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS.
Copyright 2017 Prevoty. All Rights Reserved.

Table of Contents
Preface .......... 4
1.0 System Requirements .......... 5
2.0 Installation and Configuration .......... 6
2.1 Add the Prevoty QRadar Extension .......... 7
2.2 Installing the Prevoty QRadar Extension .......... 9
2.3 Onboarding the Prevoty Log Data .......... 13
3.0 Validation and Reference Information .......... 15
3.1 Validate Prevoty Custom Event Properties .......... 15
3.2 Validate the Prevoty RASP DSM .......... 17
3.3 Validate the Dashboard Information .......... 21
3.4 Validate the Prevoty Saved Searches .......... 22
4.0 Troubleshooting Issues and Resolutions .......... 25
Contact and Support Information .......... 26

Preface
This guide is intended for network administrators, developers, and security personnel in charge of deploying the Prevoty Application Security solution within their organization's premises, and for company administrators in search of information about Prevoty, its requirements, and the available protection modules.

Typographical Conventions
This guide uses several text styles for enhanced readability and several call-out features. Learn about their appearance and meaning from the table below.

Convention        Description
Code Input        # Code will be called out using this font and includes [brackets] for easy identification of inputs. #
Hyperlinks        Clickable URLs embedded within the guide are blue and underlined. Ex. www.prevoty.com
Important Note    This alert flag indicates information which requires your attention and should be noted.
Cautionary Flag   This alert flag advises you to take caution when making any modifications to the recommended settings without consulting a Prevoty Solutions Architect or technical support.
Critical Alert    This alert flag advises against modifying or adjusting the default recommended settings; doing so may cause inoperability of the system and compromise the application security.

1.0 System Requirements
The following are the minimum hardware, software, and platform requirements for successfully operating the Prevoty RASP Content Package. Please read these recommendations and ensure system compatibility prior to installing.

1.1 Memory Requirements for QRadar Virtual Appliances
The following are the minimum and suggested memory requirements for running the Prevoty RASP Content Package.

Appliance                                   Minimum Memory   Suggested Memory
QRadar VFlow Collector 1290                 6 GB             6 GB
QRadar Event Collector Virtual 1590         12 GB            16 GB
QRadar SIEM Event Processor Virtual 1690    12 GB            48 GB
QRadar SIEM Flow Processor Virtual 1790     12 GB            48 GB
QRadar SIEM All-in-One Virtual 3190         24 GB            48 GB
QRadar Log Manager Virtual 3190             24 GB            48 GB
QRadar Risk Manager                         24 GB            48 GB
QRadar Vulnerability Manager Processor      8 GB             16 GB
QRadar Vulnerability Manager Scanner        2 GB             4 GB

1.2 General Systems Requirements
The following are minimum system requirement recommendations for running the Prevoty RASP Content Package.

Number of processors   Performance based on QRadar appliances
4                      Log Manager 3190: 2500 events per second or less.
                       Log Manager Event Processor 1690, or SIEM Event Processor 1690: 2500 events per second or less.
                       All-in-One 3190: 25,000 flows per minute or less, 500 events per second or less.
                       Flow Processor 1790: 150,000 flows per minute.
                       Dedicated Console 3190
8                      Log Manager 3190: 5000 events per second or less.
                       Log Manager Event Processor 1690, or SIEM Event Processor 1690: 5000 events per second or less.
                       All-in-One 3190: 50,000 flows per minute or less, 1000 events per second or less.
                       Flow Processor 1790: 300,000 flows per minute.
12                     All-in-One 3190: 100,000 flows per minute or less, 1000 events per second or less.
16                     Log Manager Event Processor 1690, or SIEM Event Processor 1690: 20,000 events per second or less.
                       All-in-One 3190: 200,000 flows per minute or less, 5000 events per second or less.

2.0 Installation and Configuration
Please complete the following steps to ensure the target system is compatible and ready prior to beginning the installation of the Prevoty RASP Content Package.
- Confirm that Prevoty Runtime Security is installed and operational.
- Ensure the Prevoty-generated event log file(s) exist and are accurate.
- Download the Prevoty RASP Content Package from the IBM URL ht

2.1 Add the Prevoty QRadar Extension
Please complete the following steps to successfully upload and add the Prevoty RASP Content Package to the Extensions Management window.

Step 1: Log into the QRadar Console and click on the “Admin” tab
The “Admin” tab is available in the blue navigation spanning the top of the page. This step enables user access to the host of administrative tools available within the QRadar dashboard.
Figure 2.1-1. QRadar Console Admin Tab

Step 2: Locate and Add the Prevoty ContentPackage.zip file
To locate the Prevoty file, select the “Extension Management” icon under the System Configuration area. This will open a new window, as indicated in Figure 2 below.
Figure 2.1-2. Extensions Management Modal Window
Click on the “Add” button, then locate the Prevoty ContentPackage.zip file. Click to open, as shown in Figure 3.
Figure 2.1-3. Prevoty ContentPackage.zip file

Step 3: Add the Prevoty Extension
After selecting the .zip file, the “Add a New Extension” modal window will open. Click on the “Add” button to include the Prevoty QRadar App as part of the available extensions. An example of this modal window is displayed in Figure 4.
Figure 2.1-4. Add a New Extension Modal Window

Step 4: Verify Prevoty RASP is an Extension
Upon completing the above steps, the Prevoty RASP Content Package will have been uploaded to the QRadar server and should appear in the Extensions Management list, as shown in Figure 5.
Figure 2.1-5. Extensions Management Window

Step 5: Upload Complete. Continue with Installation
The extension is now ready to be installed, as explained in section 2.2 Installing the Prevoty QRadar Extension.

2.2 Installing the Prevoty QRadar Extension
Please complete the following steps to successfully install the Prevoty RASP Content Package within the Extensions Management window.

Step 1: Install the Prevoty RASP Content Package
From within the Extensions Management window in the IBM Security App Exchange, locate the Prevoty RASP Content Package, as shown in Figure 1. To begin the installation process, select the name of the application to expand the window, and then select the “Install” button.
Figure 2.2-1. Select the Prevoty RASP Content Package
For additional information and details about all of the files included within the Prevoty RASP Content Package, please click the “More Details” link, as shown in Figure 2 below. The “More Details” information section will expand, displaying the Content directory. This directory reveals the hierarchy of folders and files within the package, and specifications including the version number, supported languages, and verification that the package has been officially signed.
Figure 2.2-2. Additional Information and Details

Step 2: Select to Overwrite or Keep Existing Data
The next window enables users to select the best method for managing any existing entries that are affected by the installation of the Prevoty RASP Content Package. Information is available on the actual updates being made, showing the Prevoty files being added, as displayed in Figure 3. Users may select whether to “Overwrite” the original entries or “Keep Existing Data”.
Note: If the existing installation contains entries that will be affected, which is common, an alert message window appears and displays the exact number of existing entries within the system that will be updated during the installation process.
Figure 2.2-3. Extension Updating Entries Window

Step 3: Begin the Installation
Select the “Install” button to begin the installation. A notification window will appear confirming that the extension is being installed onto the system. This notification window is displayed in Figure 4 below.
Figure 2.2-4. Installation Notification Window
Once Prevoty RASP has finished installing, the main page will automatically reload with an “Installed” status displayed on the right side, as shown in Figure 5. Continue to section 2.3 below to set up the Prevoty log source.
Figure 2.2-5. Installation Complete

2.3 Onboarding the Prevoty Log Data
This section ensures the Prevoty Custom Event Properties are accurately parsing the log files, by providing initial test data.

Step 1: Create the Prevoty Log Source
From the QRadar console, select the “Admin” tab, which is available in the blue navigation spanning the top of the page. Under the “Data Sources” area, locate and select the “Log Sources” icon, as shown in Figure 1 below.
Figure 2.3-1. Log Sources icon within the QRadar console

Step 2: Create a Receiver
Once the application has installed, it is necessary to create a receiver to capture the Prevoty logs. There are several options, which depend on the organization’s system preferences and architecture requirements. The example below demonstrates one of these methods, using a syslog server to send logs to the receiver so that it ingests the test Prevoty LEEF logs, as shown in Figure 2.
Figure 2.4-2. Prevoty SCP Log Source Example

Step 3: Create New Log Source
Click the “Add” button to create a new Log Source. See Figure 3 for an example of how to configure forwarding of Prevoty logs to QRadar.
Figure 2.4-3. Sample SSH and IP Address values.

Step 4: Prevoty RASP for Content Installation is Complete
Once the log files are set up and verified, the installation process is complete. For additional assistance or with any questions, please contact Prevoty Support.

3.0 Validation and Reference Information
Organizations and users may wish to continue with validation and reference the information contained within this section, to better understand the custom events and properties within the Prevoty RASP for Content package.

3.1 Validate Prevoty Custom Event Properties
Step 1: Locate the Prevoty Custom Event Properties.
From the QRadar console, select the “Admin” tab, which is available in the blue navigation spanning the top of the page. Under the “Data Sources” area, select the “Custom Event Properties” icon, as shown in Figure 1.
Figure 3.1-1: Custom Event Properties icon

Step 2: Validate the Prevoty Custom Event Properties.
After completing the search, the entire list of Prevoty custom event properties will be displayed, allowing for validation of logging information. Users should repeat the following steps for every custom event listed, in order to validate each property and confirm that the necessary parsing and log information is accurate. Select “Edit” to open a custom event property and view the initial test data provided.
Figure 3.1-2: Example Property window
A new “Custom Event Properties” window will open, displaying all of the definitions and expressions that are specified for that custom event, as displayed in Figure 3. The highlighted section within the “Test Field” lists the related name and value pairs.
Figure 3.1-3: Custom Event Properties window
Continue this process with all of the Custom Event Properties for the Prevoty Content Package to complete validation.

3.2 Validate the Prevoty RASP DSM
Step 1: Locate the Prevoty RASP Device Support Module (DSM)
From the QRadar console, select the “Admin” tab, which is available in the blue navigation spanning the top of the page. Under the “Data Sources” area, select the “DSM Editor” icon, as shown in Figure 1.
Figure 3.2-1: Admin Tab Displaying the DSM Editor icon

Step 2: Locate and Select the Prevoty RASP DSM.
Once the DSM Editor window opens, enter “Prevoty” into the Search input field. Select “Prevoty Runtime Application Self-Protection (RASP)” from the results list, and click the blue “Select” button.
Figure 3.2-2: Select Log Source Type Modal

Step 3: Verify Prevoty Fields
Enter the term “Prevoty” in the available search input box to bring up all the custom Prevoty fields.
Figure 3.2-3: Prevoty Custom Properties DSM window.
Note: The Prevoty Event Names will not appear under Event Mappings. This is a known bug in QRadar and will be fixed in the next patch for QRadar 7.3.0.

Step 4: Verify Prevoty Event Mappings
Click on the “Event Mappings” tab. Please note that Prevoty custom events will not be displayed.
Figure 3.2-4: Prevoty Custom Event Mappings

Table 1. Event ID Mapping with QID Number Definitions
QID Number   Name                                     Priority   High Level Category Name   Low Level Category Name
1002250000   Prevoty Default Event                    3
1002250001   Unknown                                  3
1002250002   Prevoty Statistics                       1          Audit                      Data Update
1002250003   Prevoty SQL Injection                    7          Exploit                    SQL Injection
1002250004   Prevoty Clickjacking                     7          Exploit                    Web Exploit
1002250005   Prevoty Command Injection                7          Exploit                    Command Execution
1002250006   Prevoty Cross-Site Request Forgery       7          Exploit                    Web Exploit
1002250007   Prevoty Cross-Site Scripting             7          Exploit                    Cross Site Scripting
1002250008   Prevoty CSRF Token Generation            1          Application                Web
1002250009   Prevoty CSRF Token Validation            1          Application                Web
1002250010   Prevoty Database Access Violation        7          Exploit                    Database Exploit
1002250011   Prevoty DOM Cross-Site Scripting         7          Exploit                    Cross Site Scripting
1002250012   Prevoty HTML Injection                   7          Exploit                    Web Exploit
1002250013   Prevoty HTTP Method Tampering            7          Exploit                    Web Exploit
1002250014   Prevoty HTTP Response Splitting          7          Exploit                    Web Exploit
1002250015   Prevoty JSON Cross-Site Scripting        7          Exploit                    Cross Site Scripting
1002250016   Prevoty JSON Injection                   7          Exploit                    Web Exploit
1002250017   Prevoty Link Spam                        1          Exploit                    Web Exploit
1002250018   Prevoty Logging Sensitive Information    5          Risk                       Data Loss Possible
1002250019   Prevoty MIME-Type Sniffing               1          Exploit                    Web Exploit
1002250020   Prevoty Normal                           1          Application                Web
1002250021   Prevoty Path Traversal                   7          Exploit                    Web Exploit
1002250022   Prevoty Profanity                        1          Audit                      General Audit Event
1002250023   Prevoty Unauthorized Media               1          Policy                     Application Policy Violation
1002250024   Prevoty Uncaught Exception               5          System                     Error
1002250025   Prevoty Unprocessed Query                1          Risk                       Data Loss Possible
1002250026   Prevoty Insecure Transport Protocol      5          Risk                       Un-Encrypted Data Transfer
1002250027   Prevoty Unvalidated Redirect             7          Application                Web Redirected
1002250028   Prevoty Weak Authentication
             Prevoty Weak Browser Cache Management    5          Application                Web
1002250030   Prevoty XML Cross-Site Scripting         7          Exploit                    Cross Site Scripting
1002250031   Prevoty XML External Entity              7          Exploit                    Web Exploit
1002250032   Prevoty XML Injection                    7          Exploit                    Code Injection
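The following Python is an added example, not code from this guide or from the Prevoty product: it parses syslog-delivered LEEF records like the test logs onboarded in section 2.3 and checks each record's event ID against the Table 1 mapping, so an operator can see which events the DSM would leave uncategorised before trusting the dashboard. It assumes that the LEEF EventID field carries the Table 1 event name; the sample lines, their attribute names and the hostnames are constructed, and only a subset of Table 1 is reproduced.

```python
# Added example (not Prevoty's code): parse LEEF 1.0/2.0 events from syslog
# and map their event IDs to the QIDs listed in Table 1 of the guide.
import re
from dataclasses import dataclass, field

# Subset of Table 1: event name -> (QID, priority, high-level, low-level category).
QID_TABLE = {
    "Prevoty SQL Injection": (1002250003, 7, "Exploit", "SQL Injection"),
    "Prevoty Command Injection": (1002250005, 7, "Exploit", "Command Execution"),
    "Prevoty Cross-Site Scripting": (1002250007, 7, "Exploit", "Cross Site Scripting"),
    "Prevoty Normal": (1002250020, 1, "Application", "Web"),
}

HEX_DELIM = re.compile(r"x[0-9A-Fa-f]{2}")  # LEEF 2.0 hex form of the delimiter, e.g. x09


@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attrs: dict = field(default_factory=dict)


def parse_leef(line: str) -> LeefEvent:
    """Parse one LEEF record; any syslog prefix before 'LEEF:' is ignored."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    parts = line[start:].split("|", 5)
    if len(parts) < 6:
        raise ValueError("LEEF header needs vendor, product, version and event id")
    version = parts[0][len("LEEF:"):]
    rest, delim = parts[5], "\t"  # LEEF 1.0 attributes are tab separated
    if version == "2.0":
        # LEEF 2.0 may carry an optional delimiter field: a single char or hex 'xNN'
        cand, sep, after = rest.partition("|")
        if sep and (len(cand) == 1 or HEX_DELIM.fullmatch(cand)):
            delim = chr(int(cand[1:], 16)) if len(cand) == 3 else cand
            rest = after
    attrs = {}
    for pair in rest.split(delim):
        key, eq, value = pair.partition("=")
        if eq:
            attrs[key.strip()] = value.strip()
    return LeefEvent(version, parts[1], parts[2], parts[3], parts[4], attrs)


def check_events(lines):
    """Map events to Table 1; return (mapped rows, event ids with no QID in the table)."""
    mapped, unknown = [], []
    for line in lines:
        ev = parse_leef(line)
        row = QID_TABLE.get(ev.event_id)
        if row is None:
            unknown.append(ev.event_id)
        else:
            mapped.append((ev.event_id, row[0], row[1], ev.attrs.get("src")))
    return mapped, unknown


# Constructed sample events; attribute names are assumptions, not Prevoty's real schema.
SAMPLE_LINES = [
    "<14>May 20 10:00:01 app01 LEEF:2.0|Prevoty|RASP|2.0|Prevoty SQL Injection|^|"
    "src=10.0.0.5^usrName=alice^url=/login",
    "<14>May 20 10:00:02 app01 LEEF:1.0|Prevoty|RASP|2.0|Prevoty Normal|src=10.0.0.6\turl=/home",
    "<14>May 20 10:00:03 app01 LEEF:2.0|Prevoty|RASP|2.0|Prevoty Made-Up Event|x09|src=10.0.0.7\turl=/x",
]
```

Running `check_events(SAMPLE_LINES)` maps the first two records to QIDs 1002250003 and 1002250020 and reports the constructed event name as unmapped, which is the same gap that shows up as missing dashboard data in section 3.3.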

3.3 Validate the Dashboard Information
From the QRadar console, select the “Dashboard” tab, which is available in the blue navigation spanning the top of the page. Select the “Prevoty Overview” option from the dashboard drop-down list. Figure 1 displays the drop-down menu options for the available dashboards.
Figure 3.3-1: Dashboard drop down options
Selecting the “Prevoty Overview” option will load the Prevoty dashboard, as shown below.
Figure 3.3-2: Prevoty Overview Dashboard
To validate the dashboard, ensure data is loading into each of the available panels, which will be evident by examining the charts and graphs. Continue this process for any other Prevoty dashboards to complete validation.
Critical Note: If there is no data in the panels, revisit the “Log Sources” and make sure the system is collecting logs, or try searching for the Prevoty events using the Log Activity link in the navigation bar.

3.4 Validate the Prevoty Saved Searches
From the QRadar console, select the “Log Activity” tab, which is available in the blue navigation spanning the top of the page. Selecting this tab will load recently logged activity into a new page.
Figure 3.4-1: Log Activity Sample Page
To begin a new search, select the “Search” option from the menu, which will open a drop-down list of available options.

Select the “New Search” option from the drop-down list, as displayed in Figure 2 below.
Figure 3.4-2: New Search drop down option
A new search page will open, which enables users to enter keyword search terms. Enter the term “Prevoty” into the search input box or select “RASP” from the Group drop-down, as displayed in Figure 3.
Figure 3.4-3: New Search window
From the results listing, select any of the available Prevoty saved searches and select the “Load” button, which will load the search data results and modify the values on this page.
Figure 3.4-4: Loading a Prevoty Saved Search
Next, select “Search” to return to the previous page, which is also reachable by clicking on the “Log Activity” tab. The events listed within the log activity will now contain all of the various types of Prevoty events from the selected saved search.
Figure 3.4-5: Prevoty Saved Search Log Activity
Figure 5 shows a sample Log Activity page after a saved search has been loaded. To view additional details related to a specific event, highlight and select the desired event to view the “Event Information” section.

Note: In the Event Information section, all of the Custom Event Properties associated with the selected event are available. This is another way to validate the custom event property fields and the information they contain.
Figure 3.4-6: Event Information Window

4.0 Troubleshooting Issues and Resolutions
Should any issues arise with the Prevoty RASP Content Package, please read through the known issues below and walk through the resolution steps.

No.   Issue                                              Cause                                                   Resolution
1     The dashboard and log activity are not             No data is being ingested into the source logs.         Repeat section 2.3 of this guide to validate that data is being
      populating with data.                                                                                      transmitted successfully to the QRadar server.
2     No data in the dashboard, but logs are being       The time window is too narrow for your environment.     Change the default time window of each panel in the dashboard to
      ingested.                                                                                                  something other than 1 min, such as 3 hours.

If your issues are not resolved after trying the resolution steps noted above, and additional assistance is required, please contact the Prevoty Support Team at support.prevoty.com.

Contact and Support Information
Prevoty is committed to ensuring your success every step of the way by providing world-class products and customer support, and by ensuring that clients have access to all the latest software releases, features, optimizations and bug fixes in a timely manner. Our staff of highly-qualified technical engineers and solution architects helps end users of all technical levels and abilities understand and successfully employ the Prevoty products.
If you have any questions or issues, please visit our support website and search the Prevoty knowledge base, read through documentation, or submit a support ticket. We also encourage you to reach out to our support staff by selecting the most convenient method below.

Headquarters Address:
11911 San Vicente Blvd. #355
Los Angeles, CA 90049 U.S.A.

Telephone: 1 310-499-4714, 1 866-940-2540 (toll free)
The standard business hours for Customer Support are M-F 6:00 am to 6:00 pm Pacific Time, excluding holidays. Calls outside of business hours will be responded to the following business day. If you attempt to contact Customer Support via telephone during Normal Business Hours and are directed to voicemail, please leave a message and a Customer Support Engineer will respond shortly. Severity 1 issues may contact support 24/7 via the toll-free number.

Support Email: support@prevoty.com
When a problem is submitted via email, you will receive an auto-reply from the ticketing system acknowledging receipt and assigning the ticket a case number for future tracking. To ensure proper tracking of your ticket, please either reply to the automated email for all subsequent communications on the particular issue or enter the ticket number in the Subject line of any new email you send pertaining to this particular issue.

Online Support Portal: https://support.prevoty.com
The support portal provides logged-in users access to FAQs, the Knowledge Base, and online documentation. Users can also enter support issues directly into a Case Management System (CMS). The CMS allows users to submit, view, and check the status of cases at any time. The CMS is the preferred method for submitting support cases: users can avoid waiting on the phone, document a question in detail at any hour, and have questions directed to the most appropriate support engineer.
At Prevoty, we welcome your feedback, value your comments and encourage you to contact us with any concerns or suggestions.
