Managing Http Response Scanning - McAfee M-1250 - Network Security Platform Configuration Manual

IPS configuration guide version 5.1

McAfee® Network Security Platform 5.1
Alert filter association using the Threat Analyzer
You can select a particular alert and configure an Alert Filter for it. If necessary, you
can create a new Alert Filter and apply it to the selected alert. An Alert Filter is applied to
the resource for which the alert is raised, the attack for which the alert is raised, and the
direction of the attack.

Managing HTTP response scanning

The HTTP Response settings enable you to configure Network Security Platform to
inspect HTTP responses for exploits on a per-monitoring-port and per-direction basis. The
Sensor can scan plain HTML text responses (but not traffic containing zipped,
encrypted or MIME-encoded content).
Note the following:
- HTTP response processing is disabled by default.
- You can enable it in each direction on an interface pair.
- McAfee recommends that you enable HTTP response processing only if you
  anticipate malicious traffic activity on your Web server.
- To minimize the potential performance impact on the Sensor, enable HTTP response
  processing on the minimum number of ports and in only the required directions to
  achieve your protection goals. For performance information, see the Best Practices Guide.

Based on the needs of your organization, you may want to enable HTTP response
inspection for inbound traffic, outbound traffic, or both directions. Consider the examples
below.

Example 1
Assume a scenario where port 1A on your Sensor is connected to the outside network and
1B is connected to your internal network (for example, a Web server). When a client
machine from outside your network sends a connect request and the Web server
responds with malicious traffic, this is treated as an outgoing attack. However, since the
origin of the attack is outside your network, enable HTTP response scan on the inbound
traffic.

Steps:
1. Go to the IPS Settings > Sensor_Name > IPS Sensor / IPS Failover Pair > HTTP Response Scanning
   or IPS Settings > Policies > HTTP Response Scanning page.
