Skip to content
Log In

Intrusion Detection and Prevention Systems Security Requirements Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-NET-000018

    Group
    Show

  • SRG-NET-000019

    Group
    Show

  • The IDPS must restrict or block harmful or suspicious communications traffic between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.

    The IDPS enforces approved authorizations by controlling the flow of information between interconnected networks to prevent harmful or suspicious traffic does spread to these interconnected network...
    Rule Medium Severity
    Show

  • SRG-NET-000019

    Group
    Show

  • SRG-NET-000074

    Group
    Show

  • SRG-NET-000075

    Group
    Show

  • The IDPS must produce audit records containing information to establish when (date and time) the events occurred.

    Without establishing the time (date/time) an event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Associating the date and ti...
    Rule Medium Severity
    Show

  • SRG-NET-000076

    Group
    Show

  • SRG-NET-000077

    Group
    Show

  • The IDPS must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address.

    Associating the source of the event with detected events in the logs provides a means of investigating an attack or suspected attack. While auditing and logging are closely related, they are not t...
    Rule Medium Severity
    Show

  • SRG-NET-000078

    Group
    Show

  • SRG-NET-000091

    Group
    Show

  • The IDPS must provide log information in a format that can be extracted and used by centralized analysis tools.

    Centralized review and analysis of log records from multiple IDPS components gives the organization the capability to better detect distributed attacks and provides increased data points for behavi...
    Rule Medium Severity
    Show

  • SRG-NET-000113

    Group
    Show

  • SRG-NET-000113

    Group
    Show

  • The IDPS must provide audit record generation capability for events where communication traffic is blocked or restricted based on policy filters, rules, signatures, and anomaly analysis.

    Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. While au...
    Rule Medium Severity
    Show

  • SRG-NET-000113

    Group
    Show

  • The IDPS must provide audit record generation with a configurable severity and escalation level capability.

    Without the capability to generate audit records with a severity code it is difficult to track and handle detection events. While auditing and logging are closely related, they are not the same. L...
    Rule Medium Severity
    Show

  • SRG-NET-000131

    Group
    Show

  • The IDPS must be configured to remove or disable non-essential capabilities which are not required for operation or not related to IDPS functionality (e.g., DNS, email client or server, FTP server, or web server).

    An IDPS can be capable of providing a wide variety of capabilities. Not all of these capabilities are necessary. Unnecessary services, functions, and applications increase the attack surface (sum o...
    Rule Medium Severity
    Show

  • SRG-NET-000131

    Group
    Show

  • The IDPS must be configured to remove or disable non-essential features, functions, and services of the IDPS application.

    An IDPS can be capable of providing a wide variety of capabilities. Not all of these capabilities are necessary. Unnecessary services, functions, and applications increase the attack surface (sum o...
    Rule Medium Severity
    Show

  • SRG-NET-000132

    Group
    Show

  • SRG-NET-000192

    Group
    Show

  • SRG-NET-000228

    Group
    Show

  • The IDPS must detect, at a minimum, mobile code that is unsigned or exhibiting unusual behavior, has not undergone a risk assessment, or is prohibited for use based on a risk assessment.

    Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution ...
    Rule Medium Severity
    Show

  • SRG-NET-000229

    Group
    Show

  • SRG-NET-000235

    Group
    Show

  • SRG-NET-000236

    Group
    Show

  • SRG-NET-000246

    Group
    Show

  • SRG-NET-000248

    Group
    Show

  • SRG-NET-000249

    Group
    Show

  • The IDPS must block malicious code.

    Configuring the IDPS to delete and/or quarantine based on local organizational incident handling procedures minimizes the impact of this code on the network.
    Rule Medium Severity
    Show

  • SRG-NET-000249

    Group
    Show

  • SRG-NET-000249

    Group
    Show

  • The IDPS must send an immediate (within seconds) alert to, at a minimum, the system administrator when malicious code is detected.

    Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis and detect rate-based and other anomalies will be i...
    Rule Medium Severity
    Show

  • SRG-NET-000251

    Group
    Show

  • The IDPS must automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy.

    Failing to automatically update malicious code protection mechanisms, including application software files, signature definitions, and vendor-provided rules, leaves the system vulnerable to exploit...
    Rule Medium Severity
    Show

  • SRG-NET-000273

    Group
    Show

  • SRG-NET-000273

    Group
    Show

  • The IDPS must block malicious ICMP packets by properly configuring ICMP signatures and rules.

    Internet Control Message Protocol (ICMP) messages are used to provide feedback about problems in the network. These messages are sent back to the sender to support diagnostics. However, some messag...
    Rule Medium Severity
    Show

  • SRG-NET-000318

    Group
    Show

  • SRG-NET-000318

    Group
    Show

  • To protect against unauthorized data mining, the IDPS must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code.

    Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack ...
    Rule Medium Severity
    Show

  • SRG-NET-000318

    Group
    Show

  • To protect against unauthorized data mining, the IDPS must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.

    Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack ...
    Rule Medium Severity
    Show

  • SRG-NET-000319

    Group
    Show

  • To protect against unauthorized data mining, the IDPS must detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.

    Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks that use unauthorized data mining techniques to attack ...
    Rule Medium Severity
    Show

  • SRG-NET-000319

    Group
    Show

  • SRG-NET-000319

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules