esvom
Level 7

McAfee HIPS 8 is blocking Rogue System sensor.


Hi,

I manage the computers with the ePO, and in the ePO I have enabled the RSD.

I recently deployed McAfee HIPS8 in my organization,

When I enable the IPS, this blocks the RSD sensor.

In the Activity Log I see the signature:

Signature ID | Name          | Platform | Severity | Network IPS
3700         | TCP Port Scan | Windows  | High     | Network IPS

The action is blocked.

I made an Exception Rule in the IPS Rules with the following configuration:

But the block continues.

Please help.

Thank you.

Accepted Solutions
brentil
Level 12

Re: McAfee HIPS 8 is blocking Rogue System sensor.


This is how I do it.

Host Intrusion Prevention 8.0:IPS > IPS Rules (All Platforms) > My Default -> Exception Rules -> create a new exception rule

Status = Enabled

Signatures = 3700

Parameters = Ignore Executables and do a new Parameter with

If your Rogue system has more than 1 IP you have to add in all of the IPs it has.  For example our Rogue sensor is a VM with 13 IPs on it to cover all of our subnets.

McAfee Employee

Re: McAfee HIPS 8 is blocking Rogue System sensor.


I don't see your exception rule screenshot (just shows an X), but for HIPS 8.0, an IPS exception with this Signature ID and the Remote IP Address parameter containing the single IP address or IP address range should be used.

Also, to clarify, this is by design for any type of port scanning software (McAfee RSD & Foundstone) or any other legitimate 3rd party port scan software, since Host IPS sees network traffic only.

Message was edited by: ktankink on 3/6/12 3:19:32 PM CST
rstevekadish
Level 9

Re: McAfee HIPS 8 is blocking Rogue System sensor.


Hi all,

We just upgraded to HIPS 8.  I was hoping that there might be some elegant solution for this problem that would account for changing sensors.  For instance, someone in IT might take an RSS offline, or add a new one, without anyone else becoming aware.  Even if they do follow proper change control, editing the network IPS exception is an extra step.  (We currently have 60 sensors.  I have NO idea why there's that many.)

Is there any way to create a group in the IPS Catalog that will dynamically update itself with the IPs of rogue sensors?  Or a way to define a Network IPS Exception with a parameter that would match a sensor?

I'm asking a lot, I know... just hoping that someone else knows something I don't know.   

Thanks,

- Steve

McAfee Employee

Re: McAfee HIPS 8 is blocking Rogue System sensor.

rstevekadish wrote:

Is there any way to create a group in the IPS Catalog that will dynamically update itself with the IPs of rogue sensors?  Or a way to define a Network IPS Exception with a parameter that would match a sensor?


Neither will work.  IPS configuration does not use Catalog items (these are for the Firewall).  Sig 3700/3701 event does not know what is generating the port scan.  HIPS does not know if it's a Rogue Sensor, or other type of network scanning software/device; it only sees the IP address.  The Rogue Sensor's fingerprinting option is what is triggering the port scan.

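Since the exception can only match on addresses, the practical gap Steve raises (sensors added or moved without the exception being updated) can at least be caught by comparing the two lists. The following is an added example, not code from the thread or from McAfee; it assumes the sensor IPs have been exported from ePO into a dictionary and that the Remote IP Address parameter of the signature 3700 exception holds single addresses, CIDR blocks, or "start-end" ranges (the range syntax is an assumption for this example).

```python
import ipaddress

# Constructed sample data (not from the original thread): the IPs of the
# Rogue System Detection sensors as listed in ePO, and the entries typed into
# the "Remote IP Address" parameter of the HIPS 8 exception for signature 3700.
SENSOR_IPS = {
    "rsd-vm01": ["10.1.10.25", "10.1.20.25", "10.1.30.25"],  # multi-homed VM
    "rsd-site2": ["10.2.5.40"],
    "rsd-site3": ["10.3.5.40"],  # added later, never put in the exception
}
EXCEPTION_ENTRIES = ["10.1.10.25", "10.1.20.0-10.1.20.255", "10.2.5.0/24"]


def parse_entry(entry):
    """Return (first, last) address bounds for one Remote IP Address entry.

    Accepts a single address, a CIDR block, or a 'start-end' range; the range
    syntax is assumed for this example, not taken from HIPS documentation.
    """
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if start > end:
            raise ValueError(f"inverted range: {entry}")
        return start, end
    net = ipaddress.ip_network(entry, strict=False)  # a bare address becomes /32
    return net.network_address, net.broadcast_address


def uncovered_sensors(sensor_ips, entries):
    """Map sensor name -> list of its IPs that no exception entry covers."""
    bounds = [parse_entry(e) for e in entries]
    missing = {}
    for name, ips in sensor_ips.items():
        gaps = [ip for ip in ips
                if not any(lo <= ipaddress.ip_address(ip) <= hi for lo, hi in bounds)]
        if gaps:
            missing[name] = gaps
    return missing


if __name__ == "__main__":
    # Every IP listed here will still trigger a sig 3700 block from that sensor.
    for name, gaps in uncovered_sensors(SENSOR_IPS, EXCEPTION_ENTRIES).items():
        print(f"{name}: not covered by the exception: {', '.join(gaps)}")
```

Each IP of a multi-homed sensor is checked separately, so a VM with several NICs shows exactly which of its addresses were left out.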
rstevekadish
Level 9

Re: McAfee HIPS 8 is blocking Rogue System sensor.


Hi Kary,

That's kind of what I thought.  Thanks a lot for the information!

- Steve


Re: McAfee HIPS 8 is blocking Rogue System sensor.


McAfee told me they would not support multiple NICs/IPs on a VM set up for Sensors. For testing, I have set up one sensor with 4 VLANs and it seems to be working, except that 3 of the 4 subnets do not show up under Sensor Health as active and communicating.

All 4 subnets show as covered under Covered Subnets.

Are all your sensors set up on a VM with multiple NICs/subnets?

Have you had any issues?

daryl.c.ash2
Level 7

Re: McAfee HIPS 8 is blocking Rogue System sensor.


Did you ever get any help with this?  I am curious to know if there is a way to set up Virtual Machines that can be placed into multiple VLANs to cover more subnets with a single system.

roxbury
Level 7

Re: McAfee HIPS 8 is blocking Rogue System sensor.


@ Brentil -

Sorry for replying to such an old thread, but you mentioned that you have one VM with RSD installed that has 12 IPs attached to cover all your subnets.

Can you provide some information on how you accomplished that?

Thank you.

Liz

roychoy
Level 9

Re: McAfee HIPS 8 is blocking Rogue System sensor.


I know that in MHIPS7 you cannot create an exception for a Network IPS signature ID.  It might be the same in MHIPS8.

We had the same problem but we chose to lower the severity level.
