Exam CAS-004
Question 7

A SOC analyst is reviewing malicious activity on an external, exposed web server. During the investigation, the analyst determines specific traffic is not being logged, and there is no visibility from the WAF for the web application.

Which of the following is the MOST likely cause?

A. The user agent client is not compatible with the WAF.
B. A certificate on the WAF is expired.
C. HTTP traffic is not forwarding to HTTPS to decrypt.
D. Old, vulnerable cipher suites are still being used.

Correct Answer: B

Reference: https://aws.amazon.com/premiumsupport/knowledge-center/waf-block-http-requests-no-user-agent/

Discussion
claireindub (Option: C)

ChatGPT says ... C. HTTP traffic is not forwarding to HTTPS to decrypt. This means that the WAF is not able to inspect the encrypted traffic because it is not being decrypted. As a result, the WAF is not able to log or detect any malicious activity that might be occurring within that encrypted traffic. Option A, that the user agent client is not compatible with the WAF, would not prevent the WAF from logging traffic, but it might prevent the WAF from blocking certain types of traffic. Option B, that a certificate on the WAF is expired, would not prevent the WAF from logging traffic or detecting malicious activity, but it might prevent users from being able to access the web application. Option D, that old, vulnerable cipher suites are still being used, might result in vulnerabilities that could be exploited by attackers, but it would not necessarily prevent the WAF from logging traffic or detecting malicious activity.

[Removed]

It should be B

rmwilsn

This literally makes no sense. HTTPS does not decrypt HTTP. Do more research. The certificate is expired, son. B

rice3cooker

You do know ChatGPT is not 100% correct.

ThatGuyOverThere (Option: C)

I think people have points about C being incorrect because HTTP does not get forwarded to HTTPS to decrypt. That makes no sense. However, neither does an expired certificate. The cert validity should have no bearing on logging. If you tell the browser to continue anyway, you're still using the cert, you're just ignoring the errors. Either way, logging should be completely unaffected. My guess is this question just has a typo in the wording. If you changed it to HTTPS was not being decrypted forwarded to HTTP, everything makes sense.

jhxetc (Option: C)

While horribly worded, C makes the most sense. If the server is not redirecting HTTP traffic to HTTPS (think of connecting to http://google.com - you will be redirected to https://google.com) and the WAF is configured to only monitor https traffic, then there would be a gap in monitoring.

imather (Option: B)

HTTP to HTTPS to decrypt does not make sense. The other way around would.

_Aneeb (Option: B)

B is the correct answer, as the WAF logs both HTTP and HTTPS traffic. There is no such way to log "http" traffic as "https". It doesn't even make sense.

Sepu (Option: B)

B is the only one that makes some sense.

sandman310323 (Option: C)

Isn't the keyword (statement) here "not being logged"?

AaronS1990

What about the fact that HTTPS doesn't decrypt HTTP?

23169fd (Option: C)

If HTTP traffic is not being forwarded to HTTPS, the WAF may not be able to inspect and log the traffic properly. WAFs typically operate by decrypting HTTPS traffic to analyze its contents and protect the web application. If traffic remains on HTTP, the WAF might not intercept it, leading to a lack of visibility and logging. B is incorrect because an expired certificate would typically prevent HTTPS traffic from being established at all, causing SSL/TLS errors. This would result in failed connections rather than unlogged traffic.

Delab202 (Option: C)

The MOST likely cause for the specific traffic not being logged, and there being no visibility from the Web Application Firewall (WAF) for the web application, is: C. HTTP traffic is not forwarding to HTTPS to decrypt. Explanation: HTTP to HTTPS Redirect: If the web server is supposed to be secured with HTTPS, but the incoming traffic is not being redirected from HTTP to HTTPS, then the WAF, which is often designed to inspect and control encrypted (HTTPS) traffic, may not be seeing the traffic. The WAF might be configured to handle and log only encrypted traffic.

catastrophie (Option: B)

OK, to start with the argument that it's a typo and it should be "HTTPS is not forwarding to HTTP": I agree that is how things should work with a WAF if it's configured for it. So this brings us to the next question: if the "typo" was corrected, then what would cause that issue? Perhaps an expired cert? Chances are it's not a typo and not the correct answer. However, an expired cert on the WAF could most definitely cause issues with logging. Generally, a WAF or any type of layer 7 filtering application creates and issues certificates, or is issued a certificate, to inspect SSL/TLS traffic. If the certificate on the WAF were expired, then it would not be able to inspect the SSL/TLS traffic passing through it. Now, that being said, it's an assumption on my part that the specific traffic the analyst is expecting in the logs is HTTPS, since malicious individuals typically don't go doing shady stuff all out in the open using HTTP. Just my way of looking at this. I'm sure there are things I'm overlooking as well.

fb2fcb1 (Option: C)

C. HTTP traffic is not forwarding to HTTPS to decrypt. If the web application firewall (WAF) is configured to only monitor or manage HTTPS traffic and there is traffic on the network that is not being automatically redirected from HTTP to HTTPS, it could result in that traffic not being visible to the WAF. This could be a reason why the WAF isn't logging specific traffic. The other options are less likely to result in a lack of visibility from the WAF. An incompatible user agent client (A) or expired certificate (B) could cause issues, but they would typically lead to error messages or connection failures rather than traffic simply not being logged. Similarly, while using old and potentially vulnerable cipher suites (D) is a security risk, it wouldn't typically cause certain traffic to not be logged by the WAF.

louiedgr8 (Option: B)

How about B? The WAF is a security solution that sits between the external traffic and the web server, and it is responsible for inspecting traffic and blocking any malicious activity. If the WAF's certificate has expired, it can cause traffic to not be logged and result in no visibility of the web application's traffic. ChatGPT: You are correct that a WAF certificate being expired could also be a possible cause of the issue. If the certificate on the WAF is expired, it can cause the WAF to not function correctly and may prevent it from inspecting the traffic. This could result in specific traffic not being logged, and there may be no visibility from the WAF for the web application. Therefore, option B could also be a possible cause. However, the answer choice "MOST likely cause" implies that there is one cause that is more probable than the others. In this case, I believe that option C (HTTP traffic not forwarding to HTTPS to decrypt) is the most likely cause because it is a common issue that can result in the described behavior. However, it is important to note that other causes, such as an expired WAF certificate, should also be investigated and ruled out.

BreakOff874 (Option: C)

C. HTTP traffic is not forwarding to HTTPS to decrypt. This could occur if the web server is configured to use HTTPS for secure communication, but the WAF is not configured to decrypt HTTPS traffic, and instead, only HTTP traffic is being forwarded to the web server. In this case, any malicious traffic sent via HTTPS would not be visible to the WAF, which could result in the specific traffic not being logged and no visibility from the WAF for the web application.

Ahegi (Option: B)

Can someone explain why the answer is B? My justification as to why it might be B: I think the question is asking about a web server our organization owns. If our server does not have valid SSL certificates, then clients connecting to the session would be considered invalid. They can continue to access the server using the "advanced" options in the web browser. However, this traffic would not be covered by the standard configuration of our WAF. WAF protection rules will also fail to take effect if the certificate is expired.

angryelvis

I agree with your reasoning on this. Also: A just doesn't make sense; C, it doesn't work like that; D, if they were using old suites it would be easy to decrypt and log. B is the only reasonable answer.

YUYUY (Option: B)

It's B. C is wrong because, if the traffic is already unencrypted in HTTP, why would it need to be forwarded to HTTPS for it to be inspected by the WAF? That would mean encrypting the traffic. Keep in mind that WAFs can be configured in two ways: 1. HTTPS traffic is decrypted before it reaches the WAF, allowing the clear-text traffic to be inspected. 2. HTTPS traffic is decrypted by the WAF using the certs installed on it. So what do you think happens in scenario 2 when the cert used for decrypting the HTTPS traffic expires? You will not have visibility of any new logs from that web server! Correct answer: B. A certificate on the WAF is expired.

joinedatthehop (Option: B)

The answer should be B. Using an expired certificate makes clients vulnerable to cyber attacks, which can break their trust. Therefore, it is not recommended to use an expired certificate. A website would not last long with an expired one. The only way answer C makes sense is if it was written as follows: HTTPS traffic is not forwarding to HTTP to decrypt.
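Whichever option the exam wants, the analyst's actual finding is "requests reach the origin that the WAF never recorded", and the thread's two competing explanations (jhxetc: plaintext HTTP reaching the origin outside the WAF path; YUYUY and catastrophie: the WAF's TLS certificate no longer valid, so TLS sessions are not inspected) are distinguishable from evidence. The following is an added example, not code from the page or any vendor's product: it cross-references a constructed origin access log against a constructed WAF request log, reports the requests the WAF missed, classifies the gap by the origin port those requests arrived on, and checks a certificate's notAfter string in the format Python's `ssl.getpeercert()` returns. The log line formats, IPs, paths and timestamps are all invented for the example.

```python
import re
import ssl

# Constructed sample data (not from the page or a real deployment).
# Origin access log: Combined Log Format with the listening port appended
# by a hypothetical log directive, so each request records port 80 or 443.
ORIGIN_ACCESS_LOG = """\
203.0.113.7 - - [12/May/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 port=443
203.0.113.7 - - [12/May/2024:10:01:05 +0000] "POST /login HTTP/1.1" 302 0 port=443
198.51.100.9 - - [12/May/2024:10:02:11 +0000] "GET /admin/../../etc/passwd HTTP/1.1" 404 0 port=80
198.51.100.9 - - [12/May/2024:10:02:12 +0000] "GET /wp-login.php HTTP/1.1" 404 0 port=80
"""

# Constructed WAF request log: "<timestamp> <client ip> <method> <path> <status> <action>".
# The WAF only records what passed through it.
WAF_LOG = """\
2024-05-12T10:01:02Z 203.0.113.7 GET /login 200 ALLOW
2024-05-12T10:01:05Z 203.0.113.7 POST /login 302 ALLOW
"""

ORIGIN_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ port=(?P<port>\d+)$'
)


def parse_origin(log):
    """Origin log lines -> list of dicts (ip, ts, method, path, status, port)."""
    rows = []
    for line in log.splitlines():
        m = ORIGIN_RE.match(line)
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def parse_waf(log):
    """WAF log lines -> set of (ip, method, path) the WAF actually saw."""
    seen = set()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            seen.add((parts[1], parts[2], parts[3]))
    return seen


def unlogged_requests(origin_log=ORIGIN_ACCESS_LOG, waf_log=WAF_LOG):
    """Origin requests with no matching WAF record: the visibility gap."""
    seen = parse_waf(waf_log)
    return [r for r in parse_origin(origin_log)
            if (r["ip"], r["method"], r["path"]) not in seen]


def classify_gap(missing):
    """Use the origin port of the missed requests to point at a cause."""
    ports = {r["port"] for r in missing}
    if not ports:
        return "no gap"
    if ports == {80}:
        # Plaintext reached the origin directly: no HTTP->HTTPS redirect or
        # the WAF is not in the HTTP path at all (the jhxetc reading).
        return "plaintext HTTP reached origin outside the WAF path"
    if ports == {443}:
        # TLS reached the origin but the WAF has no record: check the WAF's
        # certificate validity and TLS termination (the YUYUY reading).
        return "TLS traffic not inspected; check WAF certificate/termination"
    return "mixed: both plaintext bypass and uninspected TLS"


def cert_expired(not_after, now_ts):
    """not_after as returned by ssl.getpeercert()['notAfter'],
    e.g. 'Jan  1 00:00:00 2024 GMT'; now_ts is a POSIX timestamp."""
    return ssl.cert_time_to_seconds(not_after) < now_ts


if __name__ == "__main__":
    gap = unlogged_requests()
    for r in gap:
        print(f"missed by WAF: {r['ip']} {r['method']} {r['path']} (port {r['port']})")
    print("diagnosis:", classify_gap(gap))
    # 1717200000 is 2024-06-01T00:00:00Z; the notAfter value is invented.
    print("WAF cert expired:", cert_expired("Jan  1 00:00:00 2024 GMT", 1717200000.0))
```

In a live investigation the same join is run between the origin's access log and the WAF's export over the incident window; a gap made entirely of port-80 requests means the redirect or WAF placement is the problem, while a gap of port-443 requests means the WAF is not terminating (or not decrypting) TLS, which is where certificate validity on the WAF listener is checked first.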