McAfee Employee
Message 1 of 4

HIPS - Managing HIPS events and information - Please share your thoughts

I have spoken to a couple of customers who have mentioned that querying and running HIPS related data/events is very cumbersome. Can you please share your experience around this? What are the challenges you face and what would you like to see to make your job easier?

Thanks

Endpoint product Management

3 Replies
wouterr
Level 10
Message 2 of 4

Re: HIPS - Managing HIPS events and information - Please share your thoughts

Investigating a lot of IPS events is indeed impossible using ePO. Therefore we query the ePO database directly.

Why we are not using ePO:
no possibility to filter on IPS event parameters (HIP8_IPSEventParameter table) other than the file parameter in queries or in the system tree view

the "Host IPS 8.0" reporting module is just way too slow. Also here it's impossible to filter on IPS event parameters, so you can only process one event at a time instead of processing them in bulk.

note: if you mention McAfee SIEM: the same problem exists here: impossible to filter on IPS event parameters


So with these arguments we switched from ePO to a simple SQL query which can query >100000 events in one second in a way that lets us investigate them properly.

With the SQL query we transpose the HIP8_IPSEventParameter table and then join it with the EPOEvents, HIP8_EventInfo, EPOLeafNode and EPOBranchNode tables.

This gives us a single view containing all IPS events, which we can easily query and filter when investigating these events.
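The transposed query described above, written out as an added example (this is not wouterr's own SQL): it pivots HIP8_IPSEventParameter into one row per event, joins EPOEvents, HIP8_EventInfo, EPOLeafNode and EPOBranchNode into a view, and then filters on a parameter value, which is the capability the ePO console lacks. The column names of the two HIP8 tables, the parameter names other than "New Data", and the EventID join key are assumptions about the ePO schema and must be checked against your own database.

```sql
-- Added example (not wouterr's own query). Columns marked ASSUMED are
-- guesses at the HIP8 schema; the EPOEvents/EPOLeafNode/EPOBranchNode
-- columns are standard ePO ones. Parameter names other than 'New Data'
-- are also assumed. Runs on the SQL Server instance hosting the ePO DB.
CREATE VIEW dbo.vw_HIPS_IPSEvents AS
WITH Params AS (
    -- Transpose one-row-per-parameter into one-row-per-event. MAX() over a
    -- CASE is a portable pivot; each CASE branch picks one parameter name.
    SELECT
        p.EventID,                                           -- ASSUMED
        MAX(CASE WHEN p.ParamName = 'Files'    THEN p.ParamValue END) AS Files,
        MAX(CASE WHEN p.ParamName = 'Registry' THEN p.ParamValue END) AS RegistryKey,
        MAX(CASE WHEN p.ParamName = 'Process'  THEN p.ParamValue END) AS ProcessPath,
        MAX(CASE WHEN p.ParamName = 'New Data' THEN p.ParamValue END) AS NewData
    FROM dbo.HIP8_IPSEventParameter AS p          -- ParamName/ParamValue ASSUMED
    GROUP BY p.EventID
)
SELECT
    e.AutoID             AS EventID,
    e.DetectedUTC,
    leaf.NodeName        AS HostName,
    branch.NodeTextPath  AS SystemTreePath,
    e.ThreatSeverity,
    e.ThreatName,
    e.SourceProcessName,
    e.TargetFileName,
    e.TargetUserName,
    hi.SignatureID,                                          -- ASSUMED
    hi.Reaction,                                             -- ASSUMED
    pr.Files, pr.RegistryKey, pr.ProcessPath, pr.NewData
FROM dbo.EPOEvents AS e
JOIN dbo.HIP8_EventInfo AS hi  ON hi.EventID = e.AutoID      -- join key ASSUMED
LEFT JOIN Params AS pr         ON pr.EventID = e.AutoID
LEFT JOIN dbo.EPOLeafNode AS leaf     ON leaf.AgentGUID = e.AgentGUID
LEFT JOIN dbo.EPOBranchNode AS branch ON branch.AutoID = leaf.ParentID;
GO

-- Bulk investigation: filter on a parameter value, which the ePO console
-- and the Host IPS 8.0 reporting module cannot do.
SELECT TOP (1000) *
FROM dbo.vw_HIPS_IPSEvents
WHERE DetectedUTC >= DATEADD(day, -7, GETUTCDATE())
  AND ProcessPath LIKE '%\rundll32.exe'
ORDER BY DetectedUTC DESC;
```

The view is read-only against the ePO tables, so it can be granted to an investigation account that has no write access to the ePO database.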

c14us
Level 7
Message 3 of 4

Re: HIPS - Managing HIPS events and information - Please share your thoughts

I pretty much love HIPS, but there is a lot of information you simply cannot select in the queries. And often it's exactly that data you (I) want to get. I want to be allowed to query all the information that is available.

Then there is the very annoying New Data field not being in clear text, but having to be DeHex'ed.

ex: (hex-encoded New Data value, omitted here)

=

rundll32.exe streamci,StreamingDeviceSetup {97ebaacc-95bd-11d0-a3ea-00a0c9223196},{53172480-4791-11D0-A5D6-28DB04C10000},{53172480-4791-11D0-A5D6-28DB04C10000}

How do I even start making queries/threats/custom rules when the data is also unreadable? It's more than frustrating.

That said, when working a lot with HIPS, you get a bit used to the flaws. And I love the versatility of the product.

McAfee Employee
Message 4 of 4

Re: HIPS - Managing HIPS events and information - Please share your thoughts

Thank you team. This is useful info to have. Appreciate your time and thoughts on this.