Sohel
Level 9
Message 1 of 3

NIPS Violation Blocked a Network exploit attempt


Our Nessus scanner is getting blocked (see below) by Exploit Prevention even after creating an exclusion rule for the IP address. Any thoughts on how I can resolve the issue?

 

================================================== 

Analyzer Detection Method:Exploit Prevention
Threat Name: ExP:NIPS Violation
Analyzer Rule Name:SMB Brute Force Attack
Description:ExP:NIPS Violation Blocked a Network exploit attempt.
Attack Vector Type:Network
Threat Source IP address: xx.xxx.xxx.xx

===================================================

 

 

 

1 Solution

Accepted Solutions

Re: NIPS Violation Blocked a Network exploit attempt

I have an open case into engineering on something that may help. The case I had dealt with having multiple entries under the exclusions sections of the Threat Prevent Exploit Prevent Policy. In my case, I wanted a separate entry for each type of exclusion (1 for my internal vuln scanners, 1 for external vuln scanner, etc). After several back-and-forths, support suggested 2 options: 1) put all entries into a single entry with the signature (3700 I believe), or 2) put the first entry in with 3700 in signature, then any subsequent entries with no signature in the entry. Also, CIDR didn't seem to work for me; I had to enter them as single IPs and/or IP ranges. Hope this helps.
Sohel
Level 9
Message 3 of 3

Re: NIPS Violation Blocked a Network exploit attempt


Thanks for the updates. I ended up putting all entries under one rule and it seems to work. Previously I had them in 2 separate rules.

Agree... it doesn't work when you create multiple rules for the same signature.

 

Thanks
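The accepted reply notes that CIDR notation did not work in the exclusion and that single IPs or IP ranges had to be entered, all in one entry. As an added example (not part of the thread and not McAfee tooling), this Python helper converts a scanner address list into merged single IPs and ranges for that one entry. The `start-end` output form, the /24 breadth limit, and the sample addresses are assumptions; use whatever range syntax your policy field accepts.

```python
import ipaddress

MIN_PREFIX = 24  # assumption: refuse anything broader than a /24 in an exclusion


def cidrs_to_ranges(entries, min_prefix=MIN_PREFIX):
    """Convert IPv4 CIDR blocks / single IPs into merged (first, last) ranges."""
    spans = []
    for entry in entries:
        # strict parsing: "192.0.2.10/24" (host bits set) raises ValueError
        # instead of silently widening the exclusion to the whole /24
        net = ipaddress.IPv4Network(entry.strip())
        if net.prefixlen < min_prefix:
            raise ValueError(f"{entry}: too broad for a scanner exclusion")
        spans.append((int(net.network_address), int(net.broadcast_address)))

    merged = []
    for lo, hi in sorted(spans):
        if merged and lo <= merged[-1][1] + 1:  # overlapping or adjacent
            merged[-1][1] = max(merged[-1][1], hi)
        else:
            merged.append([lo, hi])
    return [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
            for lo, hi in merged]


def format_exclusion(ranges):
    """Render ranges as single IPs or 'start-end' strings (assumed syntax)."""
    return [str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ranges]


# Constructed sample: internal and external scanner addresses
# (RFC 5737 documentation ranges, not real hosts)
SCANNERS = [
    "192.0.2.10", "192.0.2.11", "192.0.2.200",
    "198.51.100.0/28", "198.51.100.16/28",
    "203.0.113.64/26",
]

if __name__ == "__main__":
    for line in format_exclusion(cidrs_to_ranges(SCANNERS)):
        print(line)
```
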
