HIPS 8 Patch 2 - HTTP Monitoring for POST Requests

I have McAfee Host IPS installed on several web application servers with the HTTP module enabled and running.  When reviewing the logs I see that HIPS is blocking Cross Site Scripting (XSS) and SQL Injection (SQLi) attacks, which is good, but only on GET requests when the URL query string contains the attack...not for POST requests where the postdata contains the attack, which is bad.

I regularly have my web applications scanned for application vulnerabilities (including XSS and SQLi) and I see hundreds to thousands of SQLi attacks against my web application every day, but HIPS does not block a single SQLi attack for POST requests only GET where the attack pattern is in the URL query string.  Since POST requests are the most common way SQLi attacks are conducted, I can't imagine that McAfee would just leave this functionality out of their product...So what am I doing wrong?

Is there any way to check and see if HIPS is correctly configured to monitor POST requests as well as GET requests?  I'm guessing this would be an ePO level setting if it exists.

1 Reply
McAfee Employee

Re: HIPS 8 Patch 2 - HTTP Monitoring for POST Requests

I would start off with enabling all IIS signatures to a LOG or PREVENT status, applying it to a test IIS server, and retesting.  There are 120 IIS related signatures, and many of them are LOW or DISABLED status.  Set your HIPS Protection Policy to a PREVENT status (say HIGH), then set all IIS signatures to HIGH in a test IPS Rules policy for testing.

Also make sure you're including the McAfee Default policy for Trusted Application and IPS Rules policy assignments.

PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide

Page 38

FAQ — Multiple-instance policies

Host Intrusion Prevention offers two multiple-instance policies: IPS Rules and Trusted Applications. These policies allow the application of more than one policy concurrently on a single client. All other policies are single-instance policies.

The McAfee Default versions of these policies are automatically updated each time Host Intrusion Prevention security content is updated. For this reason, these policies always need to be assigned to clients to ensure that security content updates are applied. When more than one instance is applied, what results is a union of all the instances, called the effective policy.
