Critical System Protection

  • 1.  How to monitor HTTP POST and Get traffic on SCSP clients

    Posted Mar 31, 2013 04:42 AM

    Can anyone explain the rule/template in SCSP that enables a rule for network-based indications for the traffic below?


    HTTP POST traffic containing:

    • Name=GeorgeBush&userid<4 digit number>&other=


    HTTP GET traffic to pages with paths:


    • Aspnet_client/report.asp
    • Resource/device_Tr.asp
    • Images/device_index.asp
    • News/media/info.html
    • Backsangho.jpg
    • addCats.asp
    • SmarNav.jpg
    • Nblogo2.jpg




  • 2.  RE: How to monitor HTTP POST and Get traffic on SCSP clients

    Posted Apr 14, 2013 11:30 AM

    Hi


    I think this should be done with a Symantec Endpoint Protection custom IPS signature:

    http://www.symantec.com/business/support/index?page=content&id=HOWTO18308

    https://www-secure.symantec.com/connect/forums/custom-ips-signature-website-blocking

    The firewall in SCSP is only a basic function; it mainly hardens the OS, not the network.

    Please consider a SEP IPS signature for your requirement.



  • 3.  RE: How to monitor HTTP POST and Get traffic on SCSP clients

    Posted Apr 15, 2013 02:02 AM

    Hi,

    Thanks for the update.

    Unfortunately I don't have SEP in place. Still, I would like to add the above-mentioned content into the HIDS template to monitor traffic.

    Can you please guide me on whether this is feasible in HIDS?




  • 4.  RE: How to monitor HTTP POST and Get traffic on SCSP clients

    Posted Apr 15, 2013 02:39 PM

    Check out the System Attack section of the IDS Windows Baseline Detection Policy as a framework.  It monitors log files (like the W3SVC\*.log files) for specific calls.

    While it will not actually block the event, you can monitor the HTTP calls and take action as necessary.



  • 5.  RE: How to monitor HTTP POST and Get traffic on SCSP clients

    Posted May 05, 2013 07:25 AM

    Hi, Thank you very much.

    Under Windows Baseline Detection Policy-->System Attack Section, I can see an alert only on

    Successful Attack Attempts (code 200) for the specific IIS HTTP success code and error code.

    There is no field to add the above-mentioned file paths.

    Can you please confirm whether those files are also included in the error code?




  • 6.  RE: How to monitor HTTP POST and Get traffic on SCSP clients

    Posted May 09, 2013 11:59 AM

    In the Global Settings of the System Attack Detection, you can see what file is being monitored.

    Click the checkbox next to "Web Attack Detection Options" then hit Edit.  You will see the path to the W3SVC logs.
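    To make concrete what the System Attack section approach described above amounts to (read the IIS W3SVC logs and match specific calls against them), here is an added example that is not part of this thread and not Symantec's code: a small parser for IIS W3C extended log lines that flags GET requests to the paths listed in the first post and POST requests whose query string matches the Name=GeorgeBush pattern, and that tags each hit as a success (2xx) or error status, mirroring the "code 200 versus error code" distinction discussed above. The log lines, the hypothetical server paths and the client addresses are constructed sample data; the field order is taken from the log's own #Fields directive rather than assumed. One caveat a practitioner needs here: IIS logs record the URI stem and query string, not the POST body, so the Name=GeorgeBush pattern is only visible in the log if it is sent in the URL; matching it inside a POST body needs a network-level IPS such as the SEP custom IPS signature suggested earlier in the thread.

```python
import re
from typing import Dict, List

# Paths from the first post, matched case-insensitively against the end of
# cs-uri-stem because IIS paths are not case-sensitive and the post does
# not give the leading directory.
WATCHED_GET_PATHS = [
    "Aspnet_client/report.asp",
    "Resource/device_Tr.asp",
    "Images/device_index.asp",
    "News/media/info.html",
    "Backsangho.jpg",
    "addCats.asp",
    "SmarNav.jpg",
    "Nblogo2.jpg",
]

# POST pattern from the first post. The "=" after userid is optional
# because the post writes the pattern without one.
POST_QUERY_PATTERN = re.compile(r"Name=GeorgeBush&userid=?\d{4}&other=")

# Constructed sample of an IIS W3C extended log (the W3SVC\*.log format).
# Hostnames, addresses and paths are made up for this example.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2013-04-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-04-01 00:00:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0 200 0 0 15
2013-04-01 00:00:02 10.0.0.5 GET /aspnet_client/report.asp - 80 - 192.0.2.10 Mozilla/5.0 404 0 2 3
2013-04-01 00:00:03 10.0.0.5 GET /images/device_index.asp id=1 80 - 192.0.2.11 Mozilla/5.0 200 0 0 7
2013-04-01 00:00:04 10.0.0.5 POST /submit.asp Name=GeorgeBush&userid=1234&other= 80 - 192.0.2.12 Mozilla/5.0 200 0 0 9
2013-04-01 00:00:05 10.0.0.5 GET /news/media/info.html - 80 - 192.0.2.13 Mozilla/5.0 500 0 0 4
2013-04-01 00:00:06 10.0.0.5 GET /images/logo.png - 80 - 192.0.2.10 Mozilla/5.0 200 0 0 2
"""


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into one dict per request line.

    The column layout is read from the "#Fields:" directive, so a log
    with a different field selection still parses. Lines that do not
    match the declared column count are skipped rather than guessed at.
    """
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # malformed line, or data before the #Fields directive
        rows.append(dict(zip(fields, values)))
    return rows


def classify_status(status: str) -> str:
    """2xx means the request reached the resource; anything else is an error."""
    return "success" if status.startswith("2") else "error"


def scan_iis_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per request that matches a watched path or the POST pattern."""
    hits: List[Dict[str, str]] = []
    for row in parse_w3c_log(text):
        method = row.get("cs-method", "")
        stem = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "")
        status = row.get("sc-status", "")
        rule = ""
        if method == "GET":
            for path in WATCHED_GET_PATHS:
                if stem.lower().endswith("/" + path.lower()):
                    rule = "watched-path:" + path
                    break
        elif method == "POST" and POST_QUERY_PATTERN.search(query):
            # Only visible here if the form data travelled in the query string;
            # a real POST body is not written to the IIS log at all.
            rule = "post-pattern"
        if rule:
            hits.append({
                "rule": rule,
                "method": method,
                "uri": stem,
                "client": row.get("c-ip", ""),
                "status": status,
                "outcome": classify_status(status),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```

    Run against a real W3SVC log by reading the file into `scan_iis_log`; the "outcome" field lets you raise a separate alert for matched requests that returned 200 versus those that were rejected with a 4xx/5xx, which is the split the System Attack section exposes.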



  • 7.  RE: How to monitor HTTP POST and Get traffic on SCSP clients

    Posted Aug 05, 2013 02:57 AM

    Hi, we have the SCSP client installed on Windows Server 2008 SP1 and deployed the default Prevention and Detection configuration and a couple of the policies, but the agent system is only detecting event logs under the Prevention policy; no logs are detected under the Detection policies. I have enclosed the policy details along with the configuration.

    Can you please let me know what could be the reason for not detecting logs under the Detection policy? Is there any group policy that needs to be deployed on the client system, since the agents are under a domain controller?

    Else, is there any configuration that needs to be enabled on the agent from the host end or the HIDS management console (version 5.2.6)?

    Early support from anyone is highly appreciated.