
HIPS Activity Log

I'm creating some HIPS rules based on the activity log, but the log is confusing to me. For example, here is an entry:

Blocked Incoming TCP - Source (3269) Destination: (53065)

The machine that this entry came from is (the source). The way I'm reading that entry:

HIPS blocked an Incoming TCP packet coming from (the machine I'm on) and going to the only other thing that I can think of is the request initiated from so HIPS blocked the packet from going out, but why wouldn't it say "blocked outgoing tcp.."

0 Kudos
1 Reply
McAfee Employee

Re: HIPS Activity Log

You are reading the log correctly (for Incoming traffic, the Source IP is usually the Remote IP address; Destination is usually the local IP address or broadcast/multicast address).

In this case, it appears the Source is trying to initiate a new connection into  It's also possible that if the client did send this as an outgoing packet initially (which was allowed), the connection (in the state table) was closed by the time the response came back, hence HIPS will see it as a new (blocked) Inbound connection.

0 Kudos
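The state-table behaviour described in the reply above, as an added example that is not part of the original thread and is not McAfee's code: a toy stateful filter showing how a reply to an allowed outgoing connection is logged as a blocked incoming packet once the flow has left the state table. The `StateTable` class, the 60-second idle timeout and the address 192.0.2.10 are assumptions made for illustration; only the two port numbers and the log wording come from the thread.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 60  # seconds; assumed value, not a documented HIPS setting


@dataclass
class StateTable:
    """Toy stateful filter: inbound packets pass only if they match a tracked outbound flow."""
    timeout: int = IDLE_TIMEOUT
    flows: dict = field(default_factory=dict)  # (local_port, remote_ip, remote_port) -> last seen

    def outbound(self, now, local_port, remote_ip, remote_port):
        # An allowed outgoing packet creates (or refreshes) the flow entry.
        self.flows[(local_port, remote_ip, remote_port)] = now
        return "Allowed Outgoing TCP"

    def close(self, local_port, remote_ip, remote_port):
        # The local side closed the connection: the entry is dropped.
        self.flows.pop((local_port, remote_ip, remote_port), None)

    def inbound(self, now, remote_ip, remote_port, local_port):
        key = (local_port, remote_ip, remote_port)
        last = self.flows.get(key)
        if last is not None and now - last <= self.timeout:
            self.flows[key] = now
            return "Allowed Incoming TCP"
        # No live entry: the packet looks like a brand-new inbound connection.
        self.flows.pop(key, None)
        return f"Blocked Incoming TCP - Source ({remote_port}) Destination: ({local_port})"


def demo():
    fw = StateTable()
    server = "192.0.2.10"  # constructed documentation address
    return [
        fw.outbound(0, 53065, server, 3269),         # client opens the connection
        fw.inbound(1, server, 3269, 53065),          # reply while the flow is tracked
        fw.close(53065, server, 3269),               # client closes; returns None
        fw.inbound(2, server, 3269, 53065),          # late reply: no entry left
        fw.inbound(3, server, 3269, 40000),          # never requested at all
    ]


if __name__ == "__main__":
    for line in demo():
        if line:
            print(line)
```

The late reply and the unsolicited packet produce the same kind of log line, which is why the entry alone cannot tell the two cases apart; correlating it with earlier allowed outgoing traffic to the same remote port can.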