WAF log after pentestig

RE: WAF log after pentestig

Vishal_R — Thu, 03 Mar 2022 04:58:24 GMT

Hi Service Informatique2 Unfortunately no direct settings are available to increase the size of log files. No signature found can appear due to the URL hardening feature. You may do the needful as per below KBA:

Sophos Firewall: Error "No signature found" in WAF.

https://support.sophos.com/support/s/article/KB-000036415?language=en_US

For the Form hardening related details you may check some old discussions in the community if that helps to fix your error:

community.sophos.com/.../434778

RE: WAF log after pentestig

Service Informatique2 — Wed, 02 Mar 2022 16:28:27 GMT

Vishal I have some questions :

Can I increase the size of the reverseproxy.log.0 ?

In the log,I have many line like :

[Wed Mar 02 13:51:05.978373 2022] [cookie:error] [pid 16671:tid 140440103700224] [client xx.xx.xx.xx:53022] No signature found

And :

[Wed Mar 02 12:19:02.598863 2022] [form_hardening:error] [pid 25351:tid 140439994595072] [client xx.xx.xx.xx:55719] Form validation failed: Received unhardened form data, referer: https://URL/

Can I do some exceptions for Website ?

RE: WAF log after pentestig

Service Informatique2 — Wed, 02 Mar 2022 13:26:20 GMT

Thank for your quick answer

I've downloaded the reverseproxy.log.0

220 000 lines but ony one day of history.

I think I have too many information in logs...

RE: WAF log after pentestig

Vishal_R — Wed, 02 Mar 2022 13:17:48 GMT

Hi Service Informatique2: Yes too old logs will not be there as all log file has limited storage logic to avoid disk filling up problem and the logline will be rotated automatically. If an appliance is a higher model then it may contain the "log.0" as well for that service log ( example - reverseproxy.log.0).

RE: WAF log after pentestig

Service Informatique2 — Wed, 02 Mar 2022 13:07:33 GMT

Hello, thanks for you reponse.

I've download localy the reverseproxy.log on my computer.

But I have only the log for last one hour. And we have 36000 lines !

So I can't see log a month ago...

Thank you

RE: WAF log after pentestig

Vishal_R — Wed, 02 Mar 2022 05:50:43 GMT

Hi Service Informatique2 : You may copy or download the logs in the local system and then may analyze them in notepad ++ or may use grep or vi editors to see the response code status for URLs submitted to WAF.

You may also check rule id which has triggered anomaly for any URLs and you may check those have been false positive or true detection etc with your Internal server team.

support.sophos.com/.../KB-000035562

RE: WAF log after pentestig

Service Informatique2 — Tue, 01 Mar 2022 16:48:37 GMT

My policy settings :