RozO
Level 7

How to test HIPS

Hello - I have been using HIPS 7.0 for some time and I have set myself up a notification to alert me every time a host intrusion prevention event is triggered. All has been fine and working, with a couple of alerts a week, but for over two weeks I have received no reports of alerts.

Now I should be saying "Awesome! My users are being smarter about what they do on their computer" but I can't help but laugh at that statement. Anyways, I'm wondering if there is a way to test this. I want to perform an action that would trigger an alert.

Anyone have an idea on how I would do this?

Thanks,
28 Replies
jawuk
Level 7

RE: How to test HIPS

Download Nmap, or the Windows version Zenmap, and run an 'intensive scan' against a client (IP address).

It will alert on either the TCP Scan or UDP Scan IPS signature and block the host.

rgds

J
RozO
Level 7

RE: How to test HIPS

Thank you jawuk, that was exactly what I was looking for. Unfortunately, I was right. My users are the same users. HIPS is not reporting any events and it's not stopping anything, even though the DATs are current, which confirms that the client is talking to the server.

Not sure what is happening but I'm making a McAfee support call now.

Thank you,

RE: How to test HIPS

Thanks for the post.

John
Don Joao Resort
DonTerrelli
Level 7

RE: How to test HIPS

You know what's funny, I've run Nmap against a test server I have with HIPS installed and no signatures were triggered.
bperez
Level 10

Re: RE: How to test HIPS

Check the activity log in the HIPS client while the scan is running. You must also activate the server rules in ePO to translate ePO events to the DB. The latest patch for ePO and the latest extension versions must be installed on ePO 4.0/4.5.
vinnce
Level 7

Re: RE: How to test HIPS

Does Zenmap work if the firewall is on?

vinnce

http://www.bougainvilleagoa.com/

Namster
Level 10

Re: How to test HIPS

If you want to test HIPS you can try to trigger ID 413, "Suspicious Double File Extension Execution" (this assumes you are trying to test the IPS portion):

1. Create a file with a double file extension and try to open it. For example, make a text file such as "hips test.com.txt" and try to open it (on the client where HIPS is installed, of course).
hemantk
Level 12

Re: How to test HIPS

Hello Namster.

I tried your suggestion:

"If you want to test hips you can try to trigger id 413 "suspicious double file execution this assumes you are trying to test the IPS portion:

1. create a file with a double file extension and try to open it. like make a text file such as "hips test.com.txt" and try to open it. (on the client where hips is installed of course)"

But HIPS was unable to trigger.

Please help...

bgable
Level 11

Re: How to test HIPS

Metasploit is a good testing tool.