I'm trying to install open-appsec in a Linux VM and deploying it using nginx. I've followed the online documentation (also the video tutorial) but it seems that for some reason the traffic is not detected/inspected (similar to #45).
luca@luca-virtual-machine:~$ sudo open-appsec-ctl -s
---- open-appsec Nano Agent ----
Version: 1.0.0-open-source
Status: Running
Management mode: Local management
Policy files:
/etc/cp/conf/local_policy.yaml
Policy load status: Success
Last policy update: 2023-08-18T09:29:48.793731
---- open-appsec Orchestration Nano Service ----
Type: Public, Version: 1.0.0-open-source, Created at: 2023-08-18T03:06:14+0300
Status: Running
---- open-appsec Attachment Registrator Nano Service ----
Type: Public, Version: 1.0.0-open-source, Created at: 2023-08-18T03:06:14+0300
Status: Running
---- open-appsec Http Transaction Handler Nano Service ----
Type: Public, Version: 1.0.0-open-source, Created at: 2023-08-18T03:06:14+0300
Registered Instances: 4
Status: Running
{"eventTime": "2023-08-17T12:32:27.826","eventName": "Web AppSec Policy Loaded Successfully","eventSeverity": "Info","eventPriority": "Low","eventType": "Event Driven","eventLevel": "Log","eventLogLevel": "info","eventAudience": "Security","eventAudienceTeam": "","eventFrequency": 0,"eventTags": ["Threat Prevention"],"eventSource": {"agentId": "689f04c1-0086-4e34-bfcb-61a615e2a089","eventTraceId": "","eventSpanId": "","issuingEngineVersion": "1.0.0-open-source","serviceName": "HTTP Transaction Handler","serviceId": "4"},"eventData": {"logIndex": 4}}
{"eventTime": "2023-08-17T14:11:31.460","eventName": "Web AppSec Policy Loaded Successfully","eventSeverity": "Info","eventPriority": "Low","eventType": "Event Driven","eventLevel": "Log","eventLogLevel": "info","eventAudience": "Security","eventAudienceTeam": "","eventFrequency": 0,"eventTags": ["Threat Prevention"],"eventSource": {"agentId": "9b21d1d9-281e-418e-9b1c-24bf1f8d7ab2","eventTraceId": "","eventSpanId": "","issuingEngineVersion": "","serviceName": "HTTP Transaction Handler","serviceId": "4"},"eventData": {"logIndex": 1}}
{"eventTime": "2023-08-17T14:11:34.336","eventName": "Check Point Nano-service started","eventSeverity": "Info","eventPriority": "Medium","eventType": "Event Driven","eventLevel": "Log","eventLogLevel": "info","eventAudience": "Security","eventAudienceTeam": "","eventFrequency": 0,"eventTags": ["Informational"],"eventSource": {"agentId": "9b21d1d9-281e-418e-9b1c-24bf1f8d7ab2","eventTraceId": "","eventSpanId": "","issuingEngineVersion": "1.0.0-open-source","serviceName": "HTTP Transaction Handler","serviceId": "4"},"eventData": {"logIndex": 2,"serviceName": "HTTP Transaction Handler"}}
{"eventTime": "2023-08-17T14:14:56.983","eventName": "Web AppSec Policy Loaded Successfully","eventSeverity": "Info","eventPriority": "Low","eventType": "Event Driven","eventLevel": "Log","eventLogLevel": "info","eventAudience": "Security","eventAudienceTeam": "","eventFrequency": 0,"eventTags": ["Threat Prevention"],"eventSource": {"agentId": "9b21d1d9-281e-418e-9b1c-24bf1f8d7ab2","eventTraceId": "","eventSpanId": "","issuingEngineVersion": "","serviceName": "HTTP Transaction Handler","serviceId": "4"},"eventData": {"logIndex": 1}}
{"eventTime": "2023-08-17T14:14:59.185","eventName": "Check Point Nano-service started","eventSeverity": "Info","eventPriority": "Medium","eventType": "Event Driven","eventLevel": "Log","eventLogLevel": "info","eventAudience": "Security","eventAudienceTeam": "","eventFrequency": 0,"eventTags": ["Informational"],"eventSource": {"agentId": "9b21d1d9-281e-418e-9b1c-24bf1f8d7ab2","eventTraceId": "","eventSpanId": "","issuingEngineVersion": "1.0.0-open-source","serviceName": "HTTP Transaction Handler","serviceId": "4"},"eventData": {"logIndex": 2,"serviceName": "HTTP Transaction Handler"}}
{"eventTime": "2023-08-17T15:18:07.208","eventName": "Web AppSec Policy Loaded Successfully","eventSeverity": "Info","eventPriority": "Low","eventType": "Event Driven","eventLevel": "Log","eventLogLevel": "info","eventAudience": "Security","eventAudienceTeam": "","eventFrequency": 0,"eventTags": ["Threat Prevention"],"eventSource": {"agentId": "9b21d1d9-281e-418e-9b1c-24bf1f8d7ab2","eventTraceId": "","eventSpanId": "","issuingEngineVersion": "","serviceName": "HTTP Transaction Handler","serviceId": "4"},"eventData": {"logIndex": 1}}
{"eventTime": "2023-08-17T15:18:10.331","eventName": "Check Point Nano-service started","eventSeverity": "Info","eventPriority": "Medium","eventType": "Event Driven","eventLevel": "Log","eventLogLevel": "info","eventAudience": "Security","eventAudienceTeam": "","eventFrequency": 0,"eventTags": ["Informational"],"eventSource": {"agentId": "9b21d1d9-281e-418e-9b1c-24bf1f8d7ab2","eventTraceId": "","eventSpanId": "","issuingEngineVersion": "1.0.0-open-source","serviceName": "HTTP Transaction Handler","serviceId": "4"},"eventData": {"logIndex": 2,"serviceName": "HTTP Transaction Handler"}}
{"eventTime": "2023-08-18T07:36:52.478","eventName": "Web AppSec Policy Loaded Successfully","eventSeverity": "Info","eventPriority": "Low","eventType": "Event Driven","eventLevel": "Log","eventLogLevel": "info","eventAudience": "Security","eventAudienceTeam": "","eventFrequency": 0,"eventTags": ["Threat Prevention"],"eventSource": {"agentId": "b3705d29-7eb7-4fed-90a6-9ffee996c1d0","eventTraceId": "","eventSpanId": "","issuingEngineVersion": "","serviceName": "HTTP Transaction Handler","serviceId": "4"},"eventData": {"logIndex": 1}}
{"eventTime": "2023-08-18T07:36:56.667","eventName": "Check Point Nano-service started","eventSeverity": "Info","eventPriority": "Medium","eventType": "Event Driven","eventLevel": "Log","eventLogLevel": "info","eventAudience": "Security","eventAudienceTeam": "","eventFrequency": 0,"eventTags": ["Informational"],"eventSource": {"agentId": "b3705d29-7eb7-4fed-90a6-9ffee996c1d0","eventTraceId": "","eventSpanId": "","issuingEngineVersion": "1.0.0-open-source","serviceName": "HTTP Transaction Handler","serviceId": "4"},"eventData": {"logIndex": 2,"serviceName": "HTTP Transaction Handler"}}
I've tried some classic injections (i.e. SQL injection and similar) but it seems that they are not detected nor prevented.
Also, to check if the traffic was actually inspected by open-appsec, I've set the all-web-requests to true (and applied the policy again). However, I can't see any log related to HTTP requests (using open-appsec-ctl -vl). So I presume that the traffic is not inspected at all.
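A small triage helper for exactly the check described in this issue, added here as an example and not part of open-appsec or of the reporter's post: it parses the JSON lines that `open-appsec-ctl -vl` prints, counts event names per agent, and reports whether anything other than the two lifecycle events visible above ("Web AppSec Policy Loaded Successfully", "Check Point Nano-service started") was ever logged. The sample input is constructed from the shape of the lines quoted in the issue with most fields dropped; the "request-style" event name used to exercise the positive branch is hypothetical and does not claim to match open-appsec's real request log format. Several distinct `agentId` values in one log, as in the issue, are listed too, since they usually indicate repeated reinstalls.

```python
import json
from collections import Counter

# Event names that only describe the agent's own lifecycle, taken from the
# issue's log excerpt. Any other event is treated as possible traffic evidence.
LIFECYCLE_EVENTS = {
    "Web AppSec Policy Loaded Successfully",
    "Check Point Nano-service started",
}

# Constructed sample: trimmed copies of two lines from the issue, plus a status
# line of the kind open-appsec-ctl also prints, to show non-JSON lines are skipped.
SAMPLE_LOG = """\
---- open-appsec Http Transaction Handler Nano Service ----
{"eventTime": "2023-08-18T07:36:52.478","eventName": "Web AppSec Policy Loaded Successfully","eventSeverity": "Info","eventTags": ["Threat Prevention"],"eventSource": {"agentId": "b3705d29-7eb7-4fed-90a6-9ffee996c1d0","serviceName": "HTTP Transaction Handler","serviceId": "4"},"eventData": {"logIndex": 1}}
{"eventTime": "2023-08-18T07:36:56.667","eventName": "Check Point Nano-service started","eventSeverity": "Info","eventTags": ["Informational"],"eventSource": {"agentId": "b3705d29-7eb7-4fed-90a6-9ffee996c1d0","serviceName": "HTTP Transaction Handler","serviceId": "4"},"eventData": {"logIndex": 2,"serviceName": "HTTP Transaction Handler"}}
"""

# Hypothetical extra line (constructed, event name invented for this example)
# representing what a per-request log entry would look like if traffic were inspected.
HYPOTHETICAL_REQUEST_LINE = (
    '{"eventTime": "2023-08-18T09:30:01.000","eventName": "Hypothetical Web Request",'
    '"eventSeverity": "Info","eventSource": {"agentId": "b3705d29-7eb7-4fed-90a6-9ffee996c1d0",'
    '"serviceName": "HTTP Transaction Handler","serviceId": "4"},"eventData": {"logIndex": 3}}'
)


def parse_events(text):
    """Return the JSON objects found in `text`, one per line; skip anything else."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("{"):
            continue  # header / status lines are not events
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # tolerate a truncated or partially written line
    return events


def summarize(events):
    """Count event names, collect agent ids and flag whether non-lifecycle events exist."""
    by_name = Counter(e.get("eventName", "<unknown>") for e in events)
    agent_ids = sorted({e.get("eventSource", {}).get("agentId", "") for e in events})
    non_lifecycle = [e for e in events if e.get("eventName") not in LIFECYCLE_EVENTS]
    return {
        "total": len(events),
        "by_name": dict(by_name),
        "agent_ids": agent_ids,
        "non_lifecycle": len(non_lifecycle),
        "traffic_seen": bool(non_lifecycle),
    }


def triage(text):
    """One-line verdict for a captured `open-appsec-ctl -vl` output."""
    s = summarize(parse_events(text))
    if s["total"] == 0:
        return "no events parsed: check that the log output was captured"
    if not s["traffic_seen"]:
        return (f"only lifecycle events ({s['total']}) from {len(s['agent_ids'])} agent id(s): "
                "no request-level evidence that nginx traffic reaches the handler")
    return f"{s['non_lifecycle']} non-lifecycle event(s): traffic is being logged"


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(triage(SAMPLE_LOG + HYPOTHETICAL_REQUEST_LINE + "\n"))
```

Run it against a saved copy of `open-appsec-ctl -vl` output (`triage(open("agent.log").read())`); a verdict of "only lifecycle events" matches what the issue describes and points at the nginx attachment rather than the policy, since the policy load itself is clearly succeeding.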