Hacker News new | ask | show | jobs
by dataflow 590 days ago
> they’re generally left them in “audit only mode”, sending logs to a destination accessed by no-one.

Aren't these still useful for figuring out what happened if you're hacked?
1 comments
lmm 590 days ago
Maybe, if the attacker didn't bother to hack into the WAF itself (generally a softer target than whatever's behind it) and if you bothered keeping or understanding the logs (extremely unlikely to be a good use of resources).
link
dataflow 590 days ago
You don't need to understand the logs at the time you gather them for this, you just need to keep them long enough to cover the breach, and to be able to understand them after the fact. Hardly seems like an obvious waste to me, and well worth $500/mo.
link
lmm 590 days ago
> you just need to keep them long enough to cover the breach, and to be able to understand them after the fact

And avoid leaking customer information/passwords/etc. through them until then, which is the hard part.

link
djbusby 590 days ago
Yep. I've seen WAF in "audit mode" and it's got load of client API keys in there, among other fun things.

Check the box for WAF but adds a new risk.

link