af77
Level 9

HIPS + TCP traffic detection

Hello,

Does anyone know if this is possible...

I am trying to track down sporadic TCP connection attempts from a PC which has HIPS installed.

I'd like to know what process on the PC is making the attempts.

So, if the PC is trying to connect to say 1.1.1.1, I'd like to get HIPS to tell me which process is doing it.

Any ideas?

Thanks

A

0 Kudos
3 Replies
metalhead
Level 12

Re: HIPS + TCP traffic detection

First I would create an allow rule with logging enabled for the specified target IP.

Then set the Firewall troubleshooting level to debug.

On the client there should be a FIRESVC.LOG (or quite similar) in %ALLUSERSPROFILE%\McAfee\Host Intrusion Prevention.

Looking in this log for the specified rule should give you the answer.

0 Kudos
af77
Level 9

Re: HIPS + TCP traffic detection

Hi,

I have tried that but it doesn't show anything of any value, just entries like this:

08/04/2011 10:17:39 KRNLWRK[2000] VERBOSE  >> readUDP
08/04/2011 10:17:39 KRNLWRK[2018] VERBOSE  Got WSAEWOULDBLOCK
08/04/2011 10:17:39 KRNLWRK[2019] VERBOSE  << readUDP
08/04/2011 10:17:39 KRNLWRK[591] VERBOSE  Waiting...
08/04/2011 10:17:40 KRNLWRK[2000] VERBOSE  >> readUDP
08/04/2011 10:17:40 KRNLWRK[2018] VERBOSE  Got WSAEWOULDBLOCK
08/04/2011 10:17:40 KRNLWRK[2019] VERBOSE  << readUDP
08/04/2011 10:17:40 KRNLWRK[591] VERBOSE  Waiting...
08/04/2011 10:17:41 KRNLWRK[2000] VERBOSE  >> readUDP
08/04/2011 10:17:41 KRNLWRK[2018] VERBOSE  Got WSAEWOULDBLOCK
08/04/2011 10:17:41 KRNLWRK[2019] VERBOSE  << readUDP
08/04/2011 10:17:41 KRNLWRK[591] VERBOSE  Waiting...
08/04/2011 10:17:42 KRNLWRK[2000] VERBOSE  >> readUDP
08/04/2011 10:17:42 KRNLWRK[2018] VERBOSE  Got WSAEWOULDBLOCK
08/04/2011 10:17:42 KRNLWRK[2019] VERBOSE  << readUDP
08/04/2011 10:17:42 KRNLWRK[591] VERBOSE  Waiting...
08/04/2011 10:17:42 KRNLWRK[591] VERBOSE  Waiting...
08/04/2011 10:17:42 KRNLWRK[602] VERBOSE  Got Windows Message
08/04/2011 10:17:42 KRNLWRK[2207] VERBOSE  >> winProc
08/04/2011 10:17:42 KRNLWRK[2223] VERBOSE  Got UDP data to read
08/04/2011 10:17:42 KRNLWRK[2000] VERBOSE  >> readUDP

What I need is for it to log something like this:

process name: telnet.exe
destination: 1.1.1.1
Port: 23
Protocol: TCP

Can this be achieved?

0 Kudos
metalhead
Level 12

Re: HIPS + TCP traffic detection

Create a rule with the option "Log matching traffic" which allows traffic to the destination IP you want to audit.

Then check the EVENT.LOG on the client.

0 Kudos
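The four fields af77 asks for (process name, destination, port, protocol) can also be obtained from Windows itself, independently of the HIPS rule logging that metalhead describes. The following PowerShell is an added example written for this thread; it is not code from the thread or from McAfee. It assumes Windows 8 / Server 2012 or later (for the NetTCPIP module's Get-NetTCPConnection), an elevated session (so process paths and the Security log are readable), and, for the second function, that the "Filtering Platform Connection" audit subcategory has been enabled. 1.1.1.1 is the placeholder address from the thread.

```powershell
# Added example for the thread above (not McAfee HIPS code). Two built-in
# Windows ways to attribute a TCP connection attempt to the process that made it.
# Assumes Windows 8 / Server 2012+ and an elevated PowerShell session.

function Watch-RemoteConnection {
    # Polls the TCP table for sockets towards $RemoteAddress, including half-open
    # SynSent attempts, and resolves the owning process once per socket.
    # Very short-lived attempts can fall between two polls; the audit-event
    # function below does not have that gap.
    param(
        [Parameter(Mandatory)][string]$RemoteAddress,
        [int]$Seconds = 60,
        [int]$IntervalMs = 250
    )
    $deadline = (Get-Date).AddSeconds($Seconds)
    $seen = @{}
    while ((Get-Date) -lt $deadline) {
        Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue |
            ForEach-Object {
                $key = "$($_.OwningProcess):$($_.LocalPort):$($_.RemotePort)"
                if (-not $seen.ContainsKey($key)) {
                    $seen[$key] = $true
                    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                    $name = '<exited>'
                    $path = $null
                    if ($proc) { $name = $proc.ProcessName; $path = $proc.Path }
                    [pscustomobject]@{
                        Time        = Get-Date
                        ProcessName = $name
                        Path        = $path
                        PID         = $_.OwningProcess
                        Destination = $_.RemoteAddress
                        Port        = $_.RemotePort
                        Protocol    = 'TCP'
                        State       = $_.State
                    }
                }
            }
        Start-Sleep -Milliseconds $IntervalMs
    }
}

function Get-WfpConnectionEvent {
    # Reads Windows Filtering Platform audit events from the Security log
    # (5156 = connection permitted, 5157 = connection blocked) and returns the
    # ones whose destination is $RemoteAddress. Each event already carries the
    # process image path, so nothing is missed between polls.
    # The subcategory must be enabled first, e.g. (run elevated):
    #   auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
    param(
        [Parameter(Mandatory)][string]$RemoteAddress,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    $protoNames = @{ '6' = 'TCP'; '17' = 'UDP'; '1' = 'ICMP' }
    $filter = @{ LogName = 'Security'; Id = 5156, 5157; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        if ($d['DestAddress'] -eq $RemoteAddress) {
            $verdict = 'blocked'
            if ($_.Id -eq 5156) { $verdict = 'permitted' }
            $proto = $d['Protocol']
            if ($protoNames.ContainsKey($proto)) { $proto = $protoNames[$proto] }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Verdict     = $verdict
                ProcessName = Split-Path -Leaf $d['Application']
                Application = $d['Application']   # device path of the image
                PID         = $d['ProcessID']
                Destination = $d['DestAddress']
                Port        = $d['DestPort']
                Protocol    = $proto
            }
        }
    }
}

# Usage (the target address is the thread's example):
# Watch-RemoteConnection -RemoteAddress 1.1.1.1 -Seconds 120 | Format-Table -AutoSize
# Get-WfpConnectionEvent -RemoteAddress 1.1.1.1 | Format-Table -AutoSize
```

For sporadic attempts the audit-event route is the more reliable of the two, because a SYN that is answered or dropped within milliseconds will rarely be in the TCP table when the poller looks, whereas the 5156/5157 event is written for every permitted or blocked attempt with the image path of the initiating process. The Application field in those events is a device path (\device\harddiskvolumeN\...), which is why the example strips it to a leaf name for the ProcessName column. Running either alongside the HIPS "Log matching traffic" rule gives you the HIPS verdict in EVENT.LOG and the process attribution from Windows for the same attempt.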