
The IDPS must implement signatures to detect specific attacks and protocols known to affect web servers.


Overview

Finding ID: SRG-NET-000244-IDPS-000228
Version: SRG-NET-000244-IDPS-000228
Rule ID: SRG-NET-000244-IDPS-000228_rule
IA Controls:
Severity: Medium
Description
In the Regional Enterprise Enclave, different sets of sensors will see different traffic as a result of their location within the regional enclave. By establishing separate signature profiles for each set of sensors, each profile can then be tuned to generate alarms based on the traffic types seen, the attack signatures, and the specific traffic (string signatures) that is relevant to that particular set of sensors. If more than one set of sensors will see the same traffic types, then the same signature profile may be used for both sets. Alerting on specific connection signatures, general attack signatures, and specific string signatures provides focused segment analysis at Layers 4 through 7. The IDPS system administrator will ensure the sensor monitoring the web servers is configured for application inspection and control of all web ports (e.g., 80, 3128, 8000, 8010, 8080, 8888, 24326). The sensor monitoring the web servers should be capable of inspecting web traffic that is not received on web.
STIG Date
IDPS Security Requirements Guide (SRG) 2012-03-08

Details

Check Text ( C-43392_chk )
Verify all HTTP ports are defined, and have the SA identify the signatures that will review applications using port redirection.

If the system is not configured to implement signatures to detect specific attacks and protocols not allowed on network segments containing web servers, this is a finding.
Fix Text (F-43392_fix)
Install signatures for protecting against specific attacks on web servers. Review and tune as necessary the signatures that are specific to vulnerabilities in web servers.
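
One way to automate the port-coverage part of the Check Text, as an added example that is not part of the SRG or of any vendor's tooling. It assumes the sensor's HTTP port list is exported in flat Snort/Suricata-style port-group syntax (commas, N:M ranges, ! negation, no nested groups) and compares it against the web ports named in the Description; the sensor names and port groups are constructed sample values.

```python
# Added example. Assumption: the sensor exposes its HTTP port list as a flat
# Snort/Suricata-style port group. The ports below are those the Description names.
SRG_WEB_PORTS = (80, 3128, 8000, 8010, 8080, 8888, 24326)

def _span(token):
    """Return (low, high) for 'N', 'N:M', 'N:' or ':M'."""
    low, sep, high = token.partition(":")
    if not sep:
        high = low
    lo = int(low) if low else 0
    hi = int(high) if high else 65535
    if not (low or high) or not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port or range: {token!r}")
    return lo, hi

def parse_port_group(text):
    """Expand a flat port group such as '[80,8000:8010,!8005]' to a set."""
    body = text.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    included, excluded = set(), set()
    for raw in body.split(","):
        token = raw.strip()
        if not token:
            continue
        target = excluded if token.startswith("!") else included
        lo, hi = _span(token.lstrip("!"))
        target.update(range(lo, hi + 1))
    # A group made only of negations means "every port except these".
    if excluded and not included:
        included = set(range(0, 65536))
    return included - excluded

def missing_web_ports(port_group, required=SRG_WEB_PORTS):
    """Ports from `required` that the sensor's HTTP port group omits."""
    configured = parse_port_group(port_group)
    return sorted(p for p in required if p not in configured)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real sensor.
    samples = {
        "dmz-web-sensor": "[80,3128,8000:8010,8080,8888,24326]",
        "legacy-sensor": "[80,8080,8000:8010,!8010]",
    }
    for sensor, group in samples.items():
        gaps = missing_web_ports(group)
        print(sensor, "finding, missing ports:" if gaps else "ok", gaps or "")
```

A non-empty result means the sensor does not inspect every web port listed for the segment, which is what the check treats as a finding; an empty result covers only the port definition, not the port-redirection signatures the SA still has to identify.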