
The IDPS must provide an automated means to review and validate whitelists and blacklists entries.


Overview

Finding ID: SRG-NET-000244-IDPS-000227
Version: SRG-NET-000244-IDPS-000227
Rule ID: SRG-NET-000244-IDPS-000227_rule
IA Controls: (none listed)
Severity: Medium
Description
A blacklist is a list of discrete entities, such as hosts, TCP or UDP port numbers, ICMP types and codes, applications, usernames, URLs, filenames, or file extensions, that have been previously determined to be associated with malicious activity. Blacklists, also known as hot lists, are typically used to allow the IDPS to recognize and block activity that is highly likely to be malicious, and may also be used to assign a higher priority to alerts that match entries on the blacklists. Some IDPSs generate dynamic blacklists that are used to temporarily block recently detected threats (e.g., activity from an attacker's IP address). A whitelist is a list of discrete entities that are known to be benign. Whitelists are typically used on a granular basis, such as protocol-by-protocol, to reduce or ignore false positives involving known benign activity from trusted hosts. Whitelists and blacklists are most commonly used in signature-based detection and stateful protocol analysis. If these lists are not kept updated, the IDPS may not recognize newly created malicious attacks.
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43391_chk)
Review the dates and versions of the whitelists and blacklists used by the IDPS. Alternatively, review the update log to verify that an automated check and download of updates is performed.

If the system does not provide an automated means of reviewing and validating whitelists and blacklists on an organizationally defined schedule, this is a finding.
Fix Text (F-43391_fix)
Configure the IDPS to automatically review and validate whitelists and blacklists on an organizationally defined schedule.
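As an added example (not part of the SRG or of any IDPS product), the following Python script automates the check above for one list: it reads the list file's version, date and entries, validates each entry as a host, CIDR block or tcp/udp port, and confirms from the IDPS update log that an automated update ran within the organizationally defined window and matches the file's version. The list header format, the log line format, the seven-day schedule and the function names are assumptions; the sample list and log are constructed.

```python
import ipaddress
import re
from datetime import date, timedelta
MAX_AGE_DAYS = 7  # organizationally defined update schedule (assumed value)
PORT_RE = re.compile(r"^(tcp|udp)/(\d{1,5})$")
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ (\w+) update ok version=(\d+)$")
# Constructed sample blacklist and IDPS update log; both formats are hypothetical.
BLACKLIST = """# version: 7
# updated: 2012-03-01
198.51.100.0/24
tcp/4444
udp/99999
not-an-entry
"""
UPDATE_LOG = """2012-03-01 02:00:00 blacklist update ok version=7
"""
def entry_is_valid(entry):
    """Accept an IPv4/IPv6 host or CIDR block, or tcp/<port>, udp/<port> with a legal port."""
    m = PORT_RE.match(entry)
    if m:
        return 1 <= int(m.group(2)) <= 65535
    try:
        ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False
    return True
def parse_list(text):
    """Return (version, updated_date, malformed_entries) from a list file."""
    version, updated, bad = None, None, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("# version:"):
            version = int(line.split(":", 1)[1])
        elif line.startswith("# updated:"):
            updated = date.fromisoformat(line.split(":", 1)[1].strip())
        elif not line.startswith("#") and not entry_is_valid(line):
            bad.append(line)
    return version, updated, bad
def review(list_text, log_text, name, today, max_age_days=MAX_AGE_DAYS):
    """Findings a reviewer would raise; an empty list means the list passes the check."""
    version, updated, bad = parse_list(list_text)
    findings = [f"{name}: malformed entry {e!r}" for e in bad]
    if updated is None or today - updated > timedelta(days=max_age_days):
        findings.append(f"{name}: list file stale or undated (updated={updated})")
    # hits[-1] is the newest successful automated update of this list that the IDPS logged
    hits = [m for m in map(LOG_RE.match, log_text.splitlines()) if m and m.group(2) == name]
    if not hits or today - date.fromisoformat(hits[-1].group(1)) > timedelta(days=max_age_days):
        findings.append(f"{name}: no automated update logged in the last {max_age_days} days")
    elif int(hits[-1].group(3)) != version:
        findings.append(f"{name}: file version {version} != last logged version {hits[-1].group(3)}")
    return findings
```

Run the same function over the whitelist with name="whitelist"; any non-empty result is the finding the check text describes.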