I've set up a personal lab with 3 virtual machines to test Sophos UTM. I want to test the WAF by launching an automatic web vulnerability scanner (Zap Proxy) from Kali Linux to inspect badstore (a vulnerable webapp) and check if Sophos detects the payloads launched by the scanner.
This is my setup:
1- Sophos VM interface list
********************
External: 192.168.0.105
KaliNet: 192.168.2.100
Webserver: 192.168.3.100
2- Kali VM
********************
IP: 192.168.2.50
3- Badstore VM
********************
IP: 192.168.3.50

               192.168.2.100 | 192.168.3.100
[Kali] ----------- [UTM] ----------- [Badstore]
192.168.2.50                          192.168.3.50
In the Webserver Protection I've set up:
1- A real webserver:
www.badstore.com
192.168.3.50
2- A virtual webserver pointing to the real webserver Badstore and using the Advanced Protection profile.
If I start an active scan with ZAP Proxy, the IPS module detects SQL Injection attacks and nothing else. However, the WAF also includes other categories (like XSS) and is not detecting anything. I can freely use the most basic attacks like
In the main dashboard I can see how the IPS has X attacks blocked, but the WAF always shows 0 attacks blocked. Does anybody know what could be happening? If you need screenshots or any info just ask for it, please.
Thank you!
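One check worth running before looking at WAF rule sets: confirm that the scanner's requests actually traverse the virtual webserver (the WAF is a reverse proxy bound to the UTM's interfaces) rather than being routed straight to the backend IP, where only the firewall and IPS see them. The script below is an added diagnostic, not code from the original post or from Sophos; the addresses come from the post above, while the resolver table (standing in for /etc/hosts on the Kali VM) and the hostname `badstore.direct` are constructed for the example.

```python
"""Classify a scanner target URL as WAF-inspected or WAF-bypassing.

Added example for this lab setup. Addresses are taken from the post; the
resolver table below is a constructed stand-in for the Kali VM's /etc/hosts.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Interfaces on which the UTM virtual webserver can listen (from the post).
WAF_LISTENERS = {"192.168.0.105", "192.168.2.100"}
# The real webserver the virtual webserver forwards to (from the post).
BACKEND_IP = "192.168.3.50"
BACKEND_NAME = "www.badstore.com"

# Constructed resolver table standing in for /etc/hosts on the Kali VM.
RESOLVER = {
    "www.badstore.com": "192.168.2.100",  # correct: name points at the WAF listener
    "badstore.direct": "192.168.3.50",    # constructed wrong entry: points at the backend
}


def resolve(host, table=RESOLVER):
    """Return the IPv4 address for host: literal IPs pass through, names are looked up."""
    try:
        return str(ip_address(host))
    except ValueError:
        return table.get(host.lower())


def check_target(url, table=RESOLVER):
    """Classify a scanner target URL.

    Returns (verdict, detail) where verdict is one of:
      'waf'     - request lands on a virtual-webserver listener with a Host
                  header the WAF profile knows, so the WAF inspects it;
      'bypass'  - request goes to the backend IP directly and crosses the UTM
                  as ordinary routed traffic: IPS may see it, the WAF cannot;
      'unknown' - cannot resolve, or the address matches neither side.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return "unknown", "no host in URL"
    ip = resolve(host, table)
    if ip is None:
        return "unknown", f"cannot resolve {host}"
    if ip == BACKEND_IP:
        return "bypass", f"{host} -> {ip} is the backend itself; WAF not in path"
    if ip in WAF_LISTENERS:
        # A bare IP in the URL sends Host: <ip>; whether the virtual webserver
        # accepts that depends on its domain list, so only the configured real
        # webserver name is reported as a confirmed WAF path.
        if host.lower() == BACKEND_NAME:
            return "waf", f"{host} -> {ip} hits the virtual webserver with a known Host"
        return "unknown", (f"{ip} is a WAF listener but Host '{host}' is not a "
                           "configured real webserver name")
    return "unknown", f"{host} -> {ip} matches neither the WAF listener nor the backend"


if __name__ == "__main__":
    for target in ("http://www.badstore.com/",
                   "http://192.168.3.50/cgi-bin/badstore.cgi",
                   "http://192.168.2.100/"):
        verdict, detail = check_target(target)
        print(f"{target:45} {verdict:8} {detail}")
```

If ZAP's target is the backstore VM's own IP, every request is classified as `bypass`: the UTM only routes it between KaliNet and the Webserver network, which explains IPS hits with a WAF counter that stays at zero. Pointing the scan at `http://www.badstore.com/` with that name resolving to the KaliNet interface of the UTM is the path the WAF actually sees.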