Once again, greatscott comes to the rescue! Thanks for highlighting this - I am currently working through a post related to some specific signature filtering, and a related point to that (to come) post was how people tune HIPS properly (the simple answer is, I suspect that a large number of people are *not* tuning HIPS properly, or as properly as it could be done). GS - your initial feedback alludes to this enhanced extension being DoD only - is this the case, and if not, is there any way of obtaining this extension, as I haven't seen mention of it before (although I admit I have not had a dig around yet, following the above!).
I believe this is DoD only. If I were on the outside looking in, I'd be demanding this functionality. As I said, tuning is nearly impossible without the capability to filter based upon IPS Param Value and IPS Param Names. I would suggest anyone who wants this submit a PER. Strength in numbers.
I can't find the feature, so it looks to be DoD. If that is the case, I'm very disappointed in McAfee that this is an optional feature.
I also posted this to the EPO product manager so I will see how this is evolving. Thanks for helping.
I need this feature to indeed tune the HIPS events. Without this, it is impossible to tune it, and it looks like HIPS is just for the happy few waiting for others to be hacked.
Many thanks for the input. Now I'm more convinced this must be delivered soon, and it already looks to be available, so we should have this in days ;-).
Quick google for McAfee PER found:
https://kc.mcafee.com/corporate/index?page=content&id=KB60021 (dated 15 July 2014)
Took the latter option - followed the McAfee customers registration link as it did not accept my McAfee support logon (You can never be sure how systems are linked in the background - it looks like this is indeed separate, and in my opinion should be explicitly called out in the KB).
As an aside, found a PER from Dec 8, 2011 that is 'under review' 🙂
New PER requested - REF: 32137 (Importance set to 'MUST') - I will be forwarding to a number of contacts to push this through, and would advise that others do the same
Title: Enhanced reporting required for Host IPS
As per community post 357808 (https://community.mcafee.com/message/357808), it is believed that non-DoD clients do not have the reporting capability available to them that DoD clients do. This restriction looks to apply to all Host IPS specific fields, and looks to have a great impact on clients being able to correctly tune the HIPS product, and also respond efficiently to potential attacks. I cannot see any reason why this functionality would not be available to non-DoD customers, unless the enhanced reporting extensions noted in the community post cannot be fully supported for some reason. If this is the case, then work really needs to be done on this to ensure that it can be supported - in my opinion McAfee have provided a product that is not possible to use in the way that it needs to be used!
I am happy to talk about this further.
I also have very bad experience with PER. I escalated 4 weeks ago (mine have not been reviewed since 2010). An action plan has been started. The backlog should shrink in the coming months, and new PER requests should be given feedback within one month.
If it exists for DoD, then it should be available for everyone. So a PER shouldn't be needed. I keep updating this one. I escalated to the product manager for ePO.
I don't understand why this is a DoD-only software enhancement. Tuning HIPS events properly is impossible without this tool. I'm not even trying to exaggerate here, it is not possible to PROPERLY tune without this functionality. I suppose you could do it if you had maybe 5 endpoint clients and just looked at their individual events all day, but for those of us who prefer queries, this tool is much needed. It is a joke that this functionality is not built into the HIPS extension.
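To make concrete the point raised in the two posts above (that tuning needs the parameter name and value, not just the signature), here is an added example that is not from this thread or from McAfee. It runs over a handful of constructed HIPS-style events; the field names (`sig_id`, `param_name`, `param_value`, `host`) are assumptions for illustration, not McAfee's export schema. Grouped by signature alone, a noisy backup agent and a one-off unknown binary collapse into the same count; grouped by signature plus parameter, the fleet-wide benign value stands out as an exception candidate while the single-host outlier stays visible for investigation.

```python
from collections import defaultdict

# Constructed sample events (not real ePO/HIPS data). Field names are
# assumptions for this example, not McAfee's schema.
SAMPLE_EVENTS = [
    # Backup agent tripping the same signature on many hosts: a tuning candidate.
    {"host": "ws01", "sig_id": 3001, "param_name": "Process", "param_value": r"C:\Backup\agent.exe"},
    {"host": "ws02", "sig_id": 3001, "param_name": "Process", "param_value": r"C:\Backup\agent.exe"},
    {"host": "ws03", "sig_id": 3001, "param_name": "Process", "param_value": r"C:\Backup\agent.exe"},
    {"host": "ws04", "sig_id": 3001, "param_name": "Process", "param_value": r"C:\Backup\agent.exe"},
    # Same signature, one host, unfamiliar binary: not noise, worth a look.
    {"host": "ws07", "sig_id": 3001, "param_name": "Process", "param_value": r"C:\Users\bob\AppData\Local\Temp\x.exe"},
    # A file signature firing on a known Office temp file across several hosts.
    {"host": "ws01", "sig_id": 2005, "param_name": "File", "param_value": r"C:\Windows\Temp\mso.tmp"},
    {"host": "ws02", "sig_id": 2005, "param_name": "File", "param_value": r"C:\Windows\Temp\mso.tmp"},
    {"host": "ws05", "sig_id": 2005, "param_name": "File", "param_value": r"C:\Windows\Temp\mso.tmp"},
    # Same signature, single host, unexpected path.
    {"host": "ws09", "sig_id": 2005, "param_name": "File", "param_value": r"C:\Users\Public\tmp\update.exe"},
]


def group_by_signature(events):
    """Signature-only view: the best you can do without parameter fields."""
    hits = defaultdict(int)
    for e in events:
        hits[e["sig_id"]] += 1
    return dict(hits)


def group_by_param(events):
    """Count distinct hosts and total hits per (sig_id, param_name, param_value)."""
    hosts = defaultdict(set)
    hits = defaultdict(int)
    for e in events:
        key = (e["sig_id"], e["param_name"], e["param_value"])
        hosts[key].add(e["host"])
        hits[key] += 1
    return {k: {"hosts": len(hosts[k]), "hits": hits[k]} for k in hits}


def classify(events, min_hosts=3):
    """Split parameter-level buckets into exception candidates (same value seen
    on at least min_hosts machines) and outliers (few hosts) that need review.
    Both lists are sorted so the output is deterministic."""
    summary = group_by_param(events)
    candidates = sorted(k for k, v in summary.items() if v["hosts"] >= min_hosts)
    outliers = sorted(k for k, v in summary.items() if v["hosts"] < min_hosts)
    return candidates, outliers


if __name__ == "__main__":
    print("By signature only:", group_by_signature(SAMPLE_EVENTS))
    cands, outs = classify(SAMPLE_EVENTS)
    print("Exception candidates (fleet-wide, same parameter value):")
    for c in cands:
        print("  ", c)
    print("Outliers to investigate before tuning anything:")
    for o in outs:
        print("  ", o)
```

The threshold `min_hosts` is the design knob: raising it makes the exception list more conservative, and anything that never reaches it stays in the outlier list rather than being silently tuned away. The same grouping works on a log aggregator export as long as the signature and parameter fields are present in the record.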
I think we all agree with your frustration, damageinc - what we need now is for the community to speak via PERs - if you could raise one, cross reference the above, along with this community post, and then get as many people as you can who work with Host IPS to do the same, we may get a push on this one!
I'll chime in here and say the work I do with HIPS would be literally impossible without the use of a popular and powerful log aggregator. We don't touch ePO to dig through events at all.
Thanks for chiming in 🙂 The more comments the better, and this helps our cause
For reference, the current status of my above PER is 'Already in product' with no further feedback. I have escalated with account manager, as I was not overly impressed with that response - we know it is already in the product, but it is not ruddy well available to everybody, which was the purpose of the PER!
My escalation is still on-going. Account manager not so pleased and mentioned PER. I referred to your experience that that is no option for me ;-).
I'll keep you informed ;-). Certainly please all keep on pushing and yes, CREATE THE PERs. I hope my escalation to product management works, and if needed I will ask here for the PER numbers to motivate them in delivering this soon.