stan4d
Level 7

Can you sort HIPS events by API name?

I'm working on tuning events from HIPS signature 3819 - Vulnerability in HTML Help ActiveX Control.  In attempting to isolate false positives I would like to sort events by "API Name" which is part of each HIPS event info.  However, in the query builder chart and filter pages there are no "API Name" options.  I can put the data into the table and add a column for "API Name" but it's under Endpoint Security Threat Events, not Host IPS Event Info.  In any case the field is blank since the data did not come from ENS.

Does anyone have experience here or thoughts on this?  Any other tips on working with this signature?  Thanks!

5 Replies
Peacekeeper
Level 20

Re: Can you sort HIPS events by API name?

Moved to HIPS area

McAfee Employee

Re: Can you sort HIPS events by API name?

There are no query/filter options for most of the HIPS event parameter details you see at the bottom of events.

stan4d
Level 7

Re: Can you sort HIPS events by API name?

Kary,

Thanks, I was afraid of that.  I think I've spoken with you via McAfee support.

Still wondering if anyone has any practical experience or lessons learned regarding tuning this signature.

McAfee Employee

Re: Can you sort HIPS events by API name?

Generally speaking, follow KB73399 for IPS tuning.

KB73399 - FAQs for Host Intrusion Prevention 8.0

https://kc.mcafee.com/corporate/index?page=content&id=KB73399

Review the section titled “Top Issues -> Client IPS/FAQ - IPS Events”.

For Sig 3819, it covers CVE-2007-0214 (see signature description), which is a Win XP/2000/2003 vulnerability.  For vulnerability-based signatures, this is how you'll tune basically.

  • Is this occurring on different affected software/OS versions than the vendor vulnerability?
  • If so, then it's a false positive; create an exception or disable it.
  • If not, has the system been patched?
  • If the system has been patched, create an exception or disable it.
  • If the system has not been patched, then signature violations are not false positives; patch the system, then disable the signature.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0214

http://www.microsoft.com/technet/security/Bulletin/MS07-008.mspx

wouterr
Level 10

Re: Can you sort HIPS events by API name?

ePO has bad support for the so-called "IPS parameters" data. Except for file name, none of them can be searched or sorted from the ePO web interface.

So the only way I was able to do something useful with HIPS events is by doing SQL queries directly on the database (as Excel can sort much better :-) ).

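Both the tuning checklist above (affected OS first, then patch status) and the last reply's point that the "IPS parameters" such as API Name only become sortable once the events leave the ePO console can be handled offline. The script below is an added example, not code from anyone in this thread or from McAfee; it assumes the HIPS events have been exported to CSV (by whatever means, a query export or a direct database pull) and that the export carries columns named Signature ID, Host Name, OS, Process Name and API Name. Those column names, the affected-platform list taken from the reply about CVE-2007-0214, and the sample rows are all assumptions made for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a HIPS event export. The column names are assumed for
# this example; a real ePO export may label the fields differently.
SAMPLE_EXPORT = """\
Signature ID,Host Name,OS,Process Name,API Name
3819,WS-001,Windows 7,iexplore.exe,CreateProcessW
3819,WS-002,Windows XP,hh.exe,LoadLibraryExW
3819,WS-003,Windows 10,outlook.exe,CreateProcessW
3819,WS-004,Windows XP,hh.exe,LoadLibraryExW
3819,WS-005,Windows 7,winword.exe,ShellExecuteExW
"""

# Platforms the signature's vulnerability applies to, as stated in the thread
# (Windows XP/2000/2003). Any other OS fails the first tuning question.
AFFECTED_OS = ("Windows XP", "Windows 2000", "Windows 2003")


def load_events(text):
    """Parse the CSV export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def count_by_api(events):
    """Count events per API Name: the grouping the ePO console cannot do
    for HIPS parameter fields."""
    return Counter(e["API Name"] for e in events)


def group_by_api(events):
    """Bucket the full event rows by API Name for closer inspection."""
    groups = defaultdict(list)
    for e in events:
        groups[e["API Name"]].append(e)
    return dict(groups)


def triage(event):
    """First step of the thread's checklist: does the reporting OS match the
    vulnerability's affected platforms? If not, the hit is a false positive
    candidate; if so, patch status still has to be checked by hand."""
    if any(event["OS"].startswith(os_name) for os_name in AFFECTED_OS):
        return "needs patch check"
    return "likely false positive"


def triage_summary(events):
    """Per API Name, how many events fall into each triage outcome."""
    summary = defaultdict(Counter)
    for e in events:
        summary[e["API Name"]][triage(e)] += 1
    return {api: dict(counts) for api, counts in summary.items()}


if __name__ == "__main__":
    rows = load_events(SAMPLE_EXPORT)
    for api, n in count_by_api(rows).most_common():
        print(f"{api:16} {n:3}  {triage_summary(rows)[api]}")
```

Feeding it a real export replaces SAMPLE_EXPORT with the file contents; the per-API summary then shows at a glance which API Names only fire on platforms the CVE does not cover (exception or disable candidates) and which still need a patch-status check on the affected hosts.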