681 Views 1 Reply Latest reply: Mar 19, 2013 6:43 PM by Kary Tankink
jntfoster Newcomer 1 posts since
Mar 14, 2013

Mar 14, 2013 10:06 PM

HIPS 8 Patch 2 - HTTP Monitoring for POST Requests

I have McAfee Host IPS installed on several web application servers with the HTTP module enabled and running. When reviewing the logs I see that HIPS is blocking Cross Site Scripting (XSS) and SQL Injection (SQLi) attacks, which is good, but only on GET requests when the URL query string contains the attack...not for POST requests when the postdata contains the attack, which is bad.

I regularly have my web applications scanned for application vulnerabilities (including XSS and SQLi) and I see hundreds to thousands of SQLi attacks against my web application every day, but HIPS does not block a single SQLi attack for POST requests, only GET where the attack pattern is in the URL query string. Since POST requests are the most common way SQLi attacks are conducted, I can't imagine that McAfee would just leave this functionality out of their product...So what am I doing wrong?

 

Is there any way to check and see if HIPS is correctly configured to monitor POST requests as well as GET requests?  I'm guessing this would be an ePO level setting if it exists.

  • Kary Tankink McAfee Employee 655 posts since
    Mar 3, 2010

    I would start off with enabling all IIS signatures to a LOG or PREVENT status, applying it to a test IIS server, and retesting. There are 120 IIS related signatures, and many of them are LOW or DISABLED status. Set your HIPS Protection Policy to a PREVENT status (say HIGH), then set all IIS signatures to HIGH in a test IPS Rules policy for testing.

     

     

     

    Also make sure you're including the McAfee Default policy for Trusted Application and IPS Rules policy assignments.

     

    PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide

    https://kc.mcafee.com/corporate/index?page=content&id=PD22894

     

     

    Page 38

    FAQ — Multiple-instance policies

    Host Intrusion Prevention offers two multiple-instance policies: IPS Rules and Trusted Applications. These policies allow the application of more than one policy concurrently on a single client. All other policies are single-instance policies. The McAfee Default versions of these policies are automatically updated each time Host Intrusion Prevention security content is updated. For this reason, these policies always need to be assigned to clients to ensure that security content updates are applied. When more than one instance is applied, what results is a union of all the instances, called the effective policy.
