HIPS 8 Patch 2 - HTTP Monitoring for POST Requests
I have McAfee Host IPS installed on several web application servers with the HTTP module enabled and running. When reviewing the logs I see that HIPS is blocking Cross Site Scripting (XSS) and SQL Injection (SQLi) attacks, which is good, but only on GET requests when the URL query string contains the attack... not for POST requests when the postdata contains the attack, which is bad.
I regularly have my web applications scanned for application vulnerabilities (including XSS and SQLi) and I see hundreds to thousands of SQLi attacks against my web application every day, but HIPS does not block a single SQLi attack for POST requests, only GET where the attack pattern is in the URL query string. Since POST requests are the most common way SQLi attacks are conducted, I can't imagine that McAfee would just leave this functionality out of their product... So what am I doing wrong?
Is there any way to check and see if HIPS is correctly configured to monitor POST requests as well as GET requests? I'm guessing this would be an ePO level setting if it exists.
Re: HIPS 8 Patch 2 - HTTP Monitoring for POST Requests
I would start off with enabling all IIS signatures to a LOG or PREVENT status, applying it to a test IIS server, and retesting. There are 120 IIS-related signatures, and many of them are LOW or DISABLED status. Set your HIPS Protection Policy to a PREVENT status (say HIGH), then set all IIS signatures to HIGH in a test IPS Rules policy for testing.
Also make sure you're including the McAfee Default policy for Trusted Application and IPS Rules policy assignments.