
How to monitor HTTP POST and Get traffic on SCSP clients

Created: 31 Mar 2013 | 6 comments

Can anyone explain the rule/template in SCSP that enables a rule for network-based indications of the traffic below?

HTTP POST traffic containing:

  • Name=GeorgeBush&userid<4 digit number>&other=

HTTP GET traffic to pages with paths:

  • Aspnet_client/report.asp
  • Resource/device_Tr.asp
  • Images/device_index.asp
  • News/media/info.html
  • Backsangho.jpg
  • addCats.asp
  • SmarNav.jpg
  • Nblogo2.jpg


chackco:

Hi,

I think this should be done with a Symantec Endpoint Protection custom IPS signature:

http://www.symantec.com/business/support/index?page=content&id=HOWTO18308

https://www-secure.symantec.com/connect/forums/custom-ips-signature-website-blocking

The firewall in SCSP is only a basic function; it mainly hardens the OS, not the network.

Please consider a SEP IPS signature for your requirement.

premkumarGM:

Hi,

Thanks for the update.

Unfortunately I don't have SEP in place. Still, I would like to add the above content into the HIDS template to monitor the traffic.

Can you please guide me on whether this is feasible in HIDS?

 

Chuck Edson:

Check out the System Attack section of the IDS Windows Baseline Detection Policy as a framework. It monitors log files (like the W3SVC\*.log files) for specific calls.

While it will not actually block the event, you can monitor the HTTP calls and take action as necessary.

If a post helps you, please mark it as the solution to your issue.
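Chuck's suggestion amounts to matching request records in the IIS W3SVC logs against the paths and parameters from the question. The following is an added example of that detection logic (it is not part of this thread and not SCSP's own rule syntax): it parses the W3C extended log format that IIS writes, flags GET requests whose cs-uri-stem ends with one of the listed paths, and flags POST requests whose query string matches the "Name=GeorgeBush&userid<4 digits>&other=" pattern. The log excerpt is constructed, and the function and variable names are my own. One caveat the thread does not spell out: W3SVC logs record the query string (cs-uri-query) but not the POST body, so a rule built on these logs can only catch the POST pattern when those parameters appear in the URL; a body-based match needs a different data source.

```python
import re
from typing import Dict, List, Optional

# Request paths from the question. They are matched case-insensitively
# against the end of cs-uri-stem, because IIS logs the path from the site root.
SUSPICIOUS_PATHS = [
    "Aspnet_client/report.asp",
    "Resource/device_Tr.asp",
    "Images/device_index.asp",
    "News/media/info.html",
    "Backsangho.jpg",
    "addCats.asp",
    "SmarNav.jpg",
    "Nblogo2.jpg",
]
_PATH_SUFFIXES = tuple("/" + p.lower() for p in SUSPICIOUS_PATHS)

# POST parameter pattern from the question. The "=" after userid is optional
# because the question writes "userid<4 digit number>" without one.
POST_PATTERN = re.compile(r"Name=GeorgeBush&userid=?\d{4}&other=", re.IGNORECASE)

# Constructed W3SVC (W3C extended format) excerpt for this example; not real traffic.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2013-03-31 10:00:01 10.0.0.5 GET /aspnet_client/report.asp - 80 192.0.2.10 200
2013-03-31 10:00:02 10.0.0.5 GET /index.html - 80 192.0.2.11 200
2013-03-31 10:00:03 10.0.0.5 POST /submit.asp Name=GeorgeBush&userid=1234&other= 80 192.0.2.12 200
2013-03-31 10:00:04 10.0.0.5 POST /submit.asp Name=Other&userid=1234&other= 80 192.0.2.12 200
2013-03-31 10:00:05 10.0.0.5 GET /images/device_index.asp - 80 192.0.2.13 404
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per request record.

    The '#Fields:' directive names the columns; other '#' lines are metadata.
    Lines whose column count does not match the directive are skipped rather
    than misaligned, which is the safer failure mode for a detector.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the record matches a watched pattern, else None."""
    method = rec.get("cs-method", "").upper()
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "")
    if method == "GET" and stem.endswith(_PATH_SUFFIXES):
        return "suspicious GET path"
    if method == "POST" and POST_PATTERN.search(query):
        return "suspicious POST parameters"
    return None


def scan_iis_log(text: str) -> List[Dict[str, str]]:
    """Scan log text and return one alert dict per matching request."""
    alerts: List[Dict[str, str]] = []
    for rec in parse_w3c(text):
        reason = classify(rec)
        if reason is None:
            continue
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        uri = stem if query == "-" else stem + "?" + query
        alerts.append({
            "reason": reason,
            "time": rec.get("date", "") + " " + rec.get("time", ""),
            "client": rec.get("c-ip", ""),
            "method": rec.get("cs-method", ""),
            "uri": uri,
            "status": rec.get("sc-status", ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_iis_log(SAMPLE_LOG):
        print(alert)
```

The 404 on the last sample line is reported as well: a request for a watched path is worth seeing whether or not the file exists, which is why the rule keys on the path rather than only on the success or error status codes the policy exposes by default.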

premkumarGM:

Hi, thank you very much.

Under Windows Baseline Detection Policy --> System Attack Section, I can see Alert only on

Successful Attack Attempts (code 200) for the specific IIS HTTP success code and error code.

There is no field to add the above-mentioned file paths.

Can you please confirm whether those files are also included in the error code?

Chuck Edson:

In the Global Settings of the System Attack Detection, you can see what file is being monitored.

Click the checkbox next to "Web Attack Detection Options" then hit Edit. You will see the path to the W3SVC logs.

If a post helps you, please mark it as the solution to your issue.

premkumarGM:

Hi, we have the SCP client installed on Windows Server 2008 SP1 and deployed the default Prevention and Detection configuration and a couple of the policies, but the agent is only detecting event logs under the Prevention policy; no logs are being detected under the Detection policies. I have enclosed the policy details along with the configuration.

Can you please let me know what the reason could be for not detecting logs under the Detection policy? Is there any group policy that needs to be deployed on the client system, since the agents are under a domain controller?

Else, is there any configuration that needs to be enabled on the agent from the host end or the HIDS management console (version 5.2.6)?

Early support from anyone is highly appreciated.

Attachments:

  • Detection_DefaultCommonParameters.zip (773 bytes)
  • Prevent_Default CommonParameters.zip (768 bytes)