Is there any documentation relating to why a signature's default status is disabled, and any risks or impacts to take into account before enabling them?
Taking 6003 through 6008 (Generic SQL Injection) as an example, all of these signatures have a default setting of disabled, and all, with the exception of 6005 and 6008, have the same description. The content release notes relating to these signatures don't tend to give too much away either (updates only - I cannot seem to find the release notes for content 3709, which is the version where they were introduced).
The main reason for my question is that we are looking to protect Internet-facing web servers. If I leave these signatures disabled, then obviously we are missing *some* form of protection. However, on the flip side, I am not sure if there are any relevant risks involved in enabling them (we can, of course, enable one at a time and 'see what happens', but I prefer to be a little bit more armed before doing so...). Although I am not a big fan of the phrase, is there any 'best practice' guidance around these signatures?
Thanks in advance!
Set your HIPS IPS Protection policy to log informational on those servers (or create a group to place those servers in and set the group to log informational) and modify the signature values to be informational. Doing this, you can then create a query to review the specific signature fires on that group or those servers. You will see what signatures would impact the servers' performance and make the decision whether you want to turn the signature up to a blocking value. If I recall, one of them is quite noisy, but I have seen a number of them turned on with no negative impact.
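As an added example (not code from this thread or from McAfee's own tooling), here is a small Python triage over a constructed ePO query export of signature fires: it counts per-signature, per-host fires for 6003-6008 while they run at a log-only severity and flags the noisy ones before any of them is raised to a blocking value. The CSV column names and the noise threshold are assumptions, not the real ePO schema.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample of an ePO event query export. The column names are an
# assumption made for this example, not the real ePO/Host IPS schema.
SAMPLE_EXPORT = """\
event_time,host,signature_id,signature_name,severity,action
2024-03-01T10:00:01,web01,6003,Generic SQL Injection,Informational,Log
2024-03-01T10:02:14,web01,6003,Generic SQL Injection,Informational,Log
2024-03-01T10:05:30,web02,6004,Generic SQL Injection,Informational,Log
2024-03-01T10:06:00,web01,6007,Generic SQL Injection,Informational,Log
2024-03-01T10:06:01,web01,6007,Generic SQL Injection,Informational,Log
2024-03-01T10:06:02,web01,6007,Generic SQL Injection,Informational,Log
2024-03-01T10:07:45,web02,6008,Generic SQL Injection,Informational,Log
2024-03-01T10:09:12,web02,1234,Unrelated Signature,Informational,Log
"""

SQLI_SIGNATURES = range(6003, 6009)  # 6003-6008, the thread's Generic SQL Injection set

def parse_export(text):
    """Parse the CSV export into (host, signature_id) pairs, skipping bad rows."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        try:
            rows.append((row["host"], int(row["signature_id"])))
        except (KeyError, ValueError):
            continue  # malformed row: skip it rather than abort the review
    return rows

def fires_per_signature(rows, watch=SQLI_SIGNATURES):
    """Count fires per watched signature, broken down by host."""
    per_sig = defaultdict(Counter)
    for host, sig in rows:
        if sig in watch:
            per_sig[sig][host] += 1
    return per_sig

def recommend(per_sig, watch=SQLI_SIGNATURES, noisy_threshold=3):
    """'no_fires' / 'quiet' (candidate to raise to a blocking severity) / 'noisy'."""
    verdict = {}
    for sig in watch:
        hosts = per_sig.get(sig)
        if not hosts:
            verdict[sig] = "no_fires"
        elif max(hosts.values()) >= noisy_threshold:
            verdict[sig] = "noisy"
        else:
            verdict[sig] = "quiet"
    return verdict
```

A signature marked 'noisy' is the one to inspect on that host (the fires may be legitimate traffic tripping a generic pattern) before its severity is changed; 'quiet' ones are the candidates for a prevent action.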
Thanks for the reply, bookz :-)
Yeah, there was no way I was going to map them to a prevent action! I am familiar with the deployment technique (slight modification - I was going to map them to 'low', due to the fact that I rarely recommend anything other than 'ignore' for informational). Saying that, we have got a SIEM environment which may benefit from the informational sigs..., so I may bring this up as a discussion point...
I think what I would like to see from McAfee is something along the lines of 'the signatures have been disabled as they are not relevant to a general deployment, but we recommend using them on web application servers'. And if this *is* the case, it is disappointing not to see an 'out of the box' IPS rules policy for these situations. Not to mention better descriptions for the signatures! Would you agree?