I have McAfee Host IPS installed on several web application servers with the HTTP module enabled and running. When reviewing the logs I see that HIPS is blocking Cross Site Scripting (XSS) and SQL Injection (SQLi) attacks, which is good, but only on GET requests where the URL query string contains the attack, not on POST requests where the POST data contains the attack, which is bad.
I regularly have my web applications scanned for application vulnerabilities (including XSS and SQLi), and I see hundreds to thousands of SQLi attacks against my web application every day, but HIPS does not block a single SQLi attack in a POST request, only GET requests where the attack pattern is in the URL query string. Since POST requests are the most common way SQLi attacks are conducted, I can't imagine that McAfee would just leave this functionality out of their product. So what am I doing wrong?
Is there any way to check and see if HIPS is correctly configured to monitor POST requests as well as GET requests? I'm guessing this would be an ePO level setting if it exists.
I would start off by setting all IIS signatures to a LOG or PREVENT status, applying that to a test IIS server, and retesting. There are 120 IIS-related signatures, and many of them are at LOW or DISABLED status. Set your HIPS Protection Policy to a PREVENT status (say HIGH), then set all IIS signatures to HIGH in a test IPS Rules policy for testing.
Also make sure you're including the McAfee Default policy in your Trusted Applications and IPS Rules policy assignments.
PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide
FAQ — Multiple-instance policies
Host Intrusion Prevention offers two multiple-instance policies: IPS Rules and Trusted Applications. These policies allow the application of more than one policy concurrently on a single client. All other policies are single-instance policies.
The McAfee Default versions of these policies are automatically updated each time Host Intrusion Prevention security content is updated. For this reason, these policies always need to be assigned to clients to ensure that security content updates are applied. When more than one instance is applied, what results is a union of all the instances, called the effective policy.