
The IDPS must reject or delay network traffic generated above configurable traffic volume thresholds as defined by the organization.


Overview

Finding ID: V-34614
Version: SRG-NET-999999-IDPS-00212
Rule ID: SV-45483r1_rule
IA Controls: (none listed)
Severity: Medium
Description
If the IDPS becomes unable to write events to the sensor events log, a critical resource needed for event analysis would be lost. One method of exploiting this vulnerability is for an attacker to cause auditable events to occur in rapid succession in an attempt to overwhelm the log capacity. The IDPS must provide methods for preventing log processing failures, such as traffic congestion and threshold management mechanisms. The IDPS must have the capability to reject or delay network traffic based on configured threshold levels to prevent overwhelming the sensor log processing capability.
STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text (C-42830r1_chk)
Verify there is a rule or signature which monitors for traffic volume thresholds.
Verify there is a rule for dropping traffic that exceeds these thresholds.
Examine the traffic priority screens to see if this feature is used by the organization.

If the IDPS does not reject or delay network traffic based on normal volume thresholds, this is a finding.
Fix Text (F-38880r1_fix)
Configure IDPS to monitor for traffic volume patterns that exceed the norm for the network.
Configure the IDPS to notify, alert, drop or delay suspect traffic based on excessive volume.
Configure the network with organizationally defined traffic priorities.
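As an added illustration of the fix text (not part of the STIG or of any vendor's IDPS), the following is a per-source sliding-window volume threshold that returns the allow, delay or reject decision for each packet or event. The window length, the per-priority thresholds and the sample traffic are all constructed for this example; in a real deployment they would be the organization-defined values and priorities referenced above.

```python
from collections import deque
from dataclasses import dataclass, field

# Organization-defined policy, constructed for this example: packets allowed per
# source within one sliding window, keyed by the traffic-priority class the
# organization assigns (the "traffic priorities" the fix text refers to).
WINDOW_SECONDS = 1.0
THRESHOLDS = {"high": 50, "normal": 20, "low": 5}


@dataclass
class VolumeGuard:
    """Per-source sliding-window volume threshold with priority-aware actions."""
    window: float = WINDOW_SECONDS
    thresholds: dict = field(default_factory=lambda: dict(THRESHOLDS))
    alerts: list = field(default_factory=list)      # (ts, src, priority, count)
    _seen: dict = field(default_factory=dict)       # src -> deque of timestamps

    def decide(self, src: str, priority: str, ts: float) -> str:
        """Record one packet/event and return 'allow', 'delay' or 'reject'."""
        q = self._seen.setdefault(src, deque())
        while q and ts - q[0] >= self.window:        # expire entries outside the window
            q.popleft()
        q.append(ts)                                 # the current packet counts too
        if len(q) <= self.thresholds[priority]:
            return "allow"
        # Over threshold: record the breach as an alert. A real IDPS would also
        # rate-limit these alerts so the flood cannot itself exhaust log capacity.
        self.alerts.append((ts, src, priority, len(q)))
        # High-priority traffic is queued (delayed) rather than dropped;
        # everything else is rejected until the window drains.
        return "delay" if priority == "high" else "reject"


def replay(guard: VolumeGuard, events):
    """Apply the guard to an iterable of (ts, src, priority); return decisions."""
    return [guard.decide(src, prio, ts) for ts, src, prio in events]


# Constructed sample: an 8-packet burst from one low-priority source within
# 80 ms, one normal-priority packet from another host, then the burst source
# again after the window has drained.
SAMPLE_EVENTS = (
    [(i * 0.01, "198.51.100.7", "low") for i in range(8)]
    + [(0.5, "203.0.113.9", "normal"), (1.2, "198.51.100.7", "low")]
)

if __name__ == "__main__":
    g = VolumeGuard()
    for ev, d in zip(SAMPLE_EVENTS, replay(g, SAMPLE_EVENTS)):
        print(ev, "->", d)
    print("alerts raised:", len(g.alerts))
```

Packets over the threshold are still counted in the window, so a sustained flood stays rejected until the source actually backs off.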