StefanT
Level 9

Application Service Monitoring

Can HIPS monitor services for other applications? For example can it detect and alert if a service is stopped?

Thanks

Stef

0 Kudos
10 Replies
smalldog
Level 12

Re: Application Service Monitoring

It's impossible.

0 Kudos
sudeepg
Level 10

Re: Application Service Monitoring

Using the Services engine directive, you can create custom signatures to monitor services for Start, Stop, Delete, Create, Pause, etc.

Simple steps:

- Open the IPS Rules policy

- Add Signature Wizard

- Give the signature a name and hit Next

- Select the "Windows Service" radio button, give the name of the service and save

- Done

You can do more fine-tuning by editing the signature after creating it.

Note: The service name should be the name of the service as it appears in the registry or in the service's properties; it is normally different from the Display name of the service.

0 Kudos
smalldog
Level 12

Re: Application Service Monitoring

Thanks Sudeep Garg, I'm testing.

0 Kudos
StefanT
Level 9

Re: Application Service Monitoring

OK, I tried this, but when the monitored service is stopped I get no notifications at all. I have checked both the ePO logs and the HIPS client side, but nothing.

Any ideas?

Stef

0 Kudos
bgable
Level 11

Re: Application Service Monitoring

Make sure you have specified the correct service name in your custom signature.

For example, open services.msc and right-click the Alerter service.

Note the Service name as opposed to the Display name. You need to use the Service name in the rule.

I tested creating my own signature to prevent Alerter from being stopped and it works correctly.

This will also work for any third-party service, not only Windows services.

0 Kudos
StefanT
Level 9

Re: Application Service Monitoring

Still nothing, can I ask where you are seeing the report/alert/log?

Stef

0 Kudos
bgable
Level 11

Re: Application Service Monitoring

If you were able to stop the service, there is something else wrong or you were in log only mode.

Enable IPS logging with security events and refer to KB54473 to verify a security event.

Here are two snippets from my HipShield log.

The first was for a rule to prevent stopping the Windows Alerter service.  The second was to prevent stopping of the VMWare Authorization service.

02-04 10:49:24 [00640] VIOLATION: [1] ------- Violation  Logged ---- Size 555 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData
  SignatureID="4027"
  SignatureName="My alerter test"
  SeverityLevel="4"
  Reaction="3"
  ProcessUserName="NT Authority\Local System"
  Process="C:\WINDOWS\system32\services.exe"
  IncidentTime="2010-02-04 10:49:21"
  AllowEx="True"
  SigRuleClass="Services"
  ProcessId="724"
  Session="0"
  SigRuleDirective="stop"/>
  <Params>
    <Param name="services">Alerter</Param>
    <Param name="display names">Alerter</Param>
    <Param name="Workstation Name">BG2K3TEST</Param>
  </Params>
</Event>
------------------------------

02-04 10:58:41 [00640] VIOLATION: [1] ------- Violation  Logged ---- Size 594 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData
  SignatureID="4027"
  SignatureName="My service protection test"
  SeverityLevel="4"
  Reaction="3"
  ProcessUserName="NT Authority\Local System"
  Process="C:\WINDOWS\system32\services.exe"
  IncidentTime="2010-02-04 10:58:38"
  AllowEx="True"
  SigRuleClass="Services"
  ProcessId="724"
  Session="0"
  SigRuleDirective="stop"/>
  <Params>
    <Param name="services">VMAuthdService</Param>
    <Param name="display names">VMware Authorization Service</Param>
    <Param name="Workstation Name">BG2K3TEST</Param>
  </Params>
</Event>
------------------------------

0 Kudos
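Once IPS logging is enabled as described in the reply above, HipShield.log records like the two snippets can be parsed rather than read by eye. The following is an added example written for this page, not code from the thread participants or from McAfee. It assumes only the record layout visible in the snippets (a header line containing `VIOLATION:`, an `<Event>` XML block, then a dashed separator), uses those two snippets as its constructed sample input, and treats `Reaction="3"` as Prevent because the records' own `<!-- Reaction=Prevent -->` comment says so; no other reaction code is assumed.

```python
"""Parse HipShield.log VIOLATION records and summarise Services-engine hits.
Added example (not from the thread or McAfee); it assumes the record layout shown
above: a header line containing 'VIOLATION:', an <Event> XML block, a dashed line."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# The records pair Reaction="3" with '<!-- Reaction=Prevent -->'; no other code is assumed.
REACTION_PREVENT = 3

# Constructed sample input: the two records posted above, copied verbatim.
SAMPLE_LOG = r"""02-04 10:49:24 [00640] VIOLATION: [1] ------- Violation  Logged ---- Size 555 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData
  SignatureID="4027"
  SignatureName="My alerter test"
  SeverityLevel="4"
  Reaction="3"
  ProcessUserName="NT Authority\Local System"
  Process="C:\WINDOWS\system32\services.exe"
  IncidentTime="2010-02-04 10:49:21"
  AllowEx="True"
  SigRuleClass="Services"
  ProcessId="724"
  Session="0"
  SigRuleDirective="stop"/>
  <Params>
    <Param name="services">Alerter</Param>
    <Param name="display names">Alerter</Param>
    <Param name="Workstation Name">BG2K3TEST</Param>
  </Params>
</Event>
------------------------------
02-04 10:58:41 [00640] VIOLATION: [1] ------- Violation  Logged ---- Size 594 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData
  SignatureID="4027"
  SignatureName="My service protection test"
  SeverityLevel="4"
  Reaction="3"
  ProcessUserName="NT Authority\Local System"
  Process="C:\WINDOWS\system32\services.exe"
  IncidentTime="2010-02-04 10:58:38"
  AllowEx="True"
  SigRuleClass="Services"
  ProcessId="724"
  Session="0"
  SigRuleDirective="stop"/>
  <Params>
    <Param name="services">VMAuthdService</Param>
    <Param name="display names">VMware Authorization Service</Param>
    <Param name="Workstation Name">BG2K3TEST</Param>
  </Params>
</Event>
------------------------------
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d) \[\d+\] VIOLATION:[^\n]*\n(?P<xml><Event>.*?</Event>)",
    re.MULTILINE | re.DOTALL,
)

def parse_violations(log_text):
    """Return one dict per VIOLATION record, flattening EventData attributes and Params."""
    events = []
    for m in RECORD_RE.finditer(log_text):
        root = ET.fromstring(m.group("xml"))  # ElementTree skips the XML comment
        data = root.find("EventData").attrib
        params = {p.get("name"): (p.text or "") for p in root.iter("Param")}
        events.append({
            "timestamp": m.group("ts"),
            "signature_id": int(data["SignatureID"]),
            "signature_name": data["SignatureName"],
            "severity": int(data["SeverityLevel"]),
            "reaction": int(data["Reaction"]),
            "rule_class": data["SigRuleClass"],
            "directive": data["SigRuleDirective"],
            "process": data["Process"],
            "service": params.get("services"),  # short (registry) name the rule matches on
            "display_name": params.get("display names"),
            "host": params.get("Workstation Name"),
        })
    return events

def prevented_service_stops(events):
    """Per-service count of 'stop' attempts that the Services engine blocked."""
    return Counter(e["service"] for e in events
                   if e["rule_class"] == "Services" and e["directive"] == "stop"
                   and e["reaction"] == REACTION_PREVENT)

def services_with_distinct_display_name(events):
    """Services whose registry name differs from the services.msc Display name;
    a custom signature has to name the former, as the replies above stress."""
    return sorted({e["service"] for e in events if e["service"] != e["display_name"]})
```

Feeding a real file through `parse_violations(open("HipShield.log").read())` gives one dict per violation. `prevented_service_stops` answers the question raised in this reply, whether the rule fired in Prevent mode at all, and `services_with_distinct_display_name` picks out pairs like `VMAuthdService` / "VMware Authorization Service", which is exactly the case where typing the Display name into the signature silently matches nothing.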
StefanT
Level 9

Re: Application Service Monitoring

Well, this just point-blank refuses to work for me! I have checked that the created signature's severity is set to High and the reaction for High is set to Prevent, but nothing happens: no logging, no prevention, nothing.

Regards

Stef

0 Kudos
sudeepg
Level 10

Re: Application Service Monitoring

Please use the KB below to enable debug logging.

https://kc.mcafee.com/corporate/index?page=content&id=KB51517&actp=search&searchid=1266324329922

Collect the HIPShield.log and shield_db.log from the client and the IPS Rules policy export from the ePO server.

Attach them here for review.

0 Kudos