Former Member
Message 1 of 12

McAfee HIPS 8 is blocking Rogue System sensor.

Hi,

I manage the computers with the ePO, and in the ePO I have enabled the RSD.

I recently deployed McAfee HIPS8 in my organization,

When I enable the IPS, it blocks the RSD sensor.

In the Activity Log I see the signature:

Signature ID | Name | Platform | Severity | Network IPS
3700 | TCP Port Scan | Windows | High | Network IPS

The action is blocked.

I made an Exception Rule in the IPS Rules with the following configuration:

But the block continues.

Please help.

Thank you.

1 Solution

Accepted Solutions
brentil
Reliable Contributor
Message 3 of 12

Re: McAfee HIPS 8 is blocking Rogue System sensor.

This is how I do it.

Host Intrusion Prevention 8.0:IPS > IPS Rules (All Platforms) > My Default -> Exception Rules -> create a new exception rule

Status = Enabled

Signatures = 3700

Parameters = Ignore Executables and do a new Parameter with

If your Rogue system has more than 1 IP you have to add in all of the IPs it has.  For example our Rogue sensor is a VM with 13 IPs on it to cover all of our subnets.

11 Replies
ktankink
McAfee Employee
Message 2 of 12

Re: McAfee HIPS 8 is blocking Rogue System sensor.

I don't see your exception rule screenshot (just shows an X), but for HIPS 8.0, an IPS exception with this Signature ID and the Remote IP Address parameter containing the single IP address or IP address range should be used.

Also, to clarify, this is by design for any type of port scanning software (McAfee RSD & Foundstone) or any other legitimate 3rd party port scan software, since Host IPS sees network traffic only.

Message was edited by: ktankink on 3/6/12 3:19:32 PM CST
Former Member
Message 4 of 12

Re: McAfee HIPS 8 is blocking Rogue System sensor.

Hi all,

We just upgraded to HIPS 8.  I was hoping that there might be some elegant solution for this problem that would account for changing sensors.  For instance, someone in IT might take an RSS offline, or add a new one, without anyone else becoming aware.  Even if they do follow proper change control, editing the network IPS exception is an extra step.  (We currently have 60 sensors.  I have NO idea why there's that many.)

Is there any way to create a group in the IPS Catalog that will dynamically update itself with the IPs of rogue sensors?  Or a way to define a Network IPS Exception with a parameter that would match a sensor?

I'm asking a lot, I know... just hoping that someone else knows something I don't know.   

Thanks,

- Steve

ktankink
McAfee Employee
Message 5 of 12

Re: McAfee HIPS 8 is blocking Rogue System sensor.

rstevekadish wrote:

Is there any way to create a group in the IPS Catalog that will dynamically update itself with the IPs of rogue sensors?  Or a way to define a Network IPS Exception with a parameter that would match a sensor?


Neither will work.  IPS configuration does not use Catalog items (these are for the Firewall).  Sig 3700/3701 event does not know what is generating the port scan.  HIPS does not know if it's a Rogue Sensor, or other type of network scanning software/device; it only sees the IP address.  The Rogue Sensor's fingerprinting option is what is triggering the port scan.
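Since the signature 3700 exception can only match on Remote IP Address, the list has to be reconciled by hand whenever sensors change. The following is an added example, not part of the original thread and not McAfee code: a drift check that compares a hand-maintained copy of the exception's remote IP entries against the current sensor inventory. The function names, the text format of the entries (single IP, `a-b` range, or CIDR) and all sample addresses are assumptions made for the example.

```python
import ipaddress

def parse_entry(entry):
    """Return (first, last) address for a single IP, an 'a-b' range, or a CIDR block."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {entry}")
        return lo, hi
    net = ipaddress.ip_network(entry, strict=False)  # a bare IP becomes /32 or /128
    return net[0], net[-1]

def covers(lo, hi, addr):
    # Check the IP version first: comparing IPv4 with IPv6 raises TypeError.
    return addr.version == lo.version and lo <= addr <= hi

def audit_exception(exception_entries, sensor_ips, max_span=16):
    """Compare the exception's Remote IP entries with the current sensor list.

    uncovered: sensors whose fingerprinting scans will still trigger the signature
    stale:     entries matching no sensor (scans from those IPs go unflagged)
    broad:     entries exempting more than max_span addresses
    """
    ranges = [(e, *parse_entry(e)) for e in exception_entries]
    sensors = [ipaddress.ip_address(s.strip()) for s in sensor_ips]
    uncovered = [str(s) for s in sensors
                 if not any(covers(lo, hi, s) for _, lo, hi in ranges)]
    stale = [e for e, lo, hi in ranges
             if not any(covers(lo, hi, s) for s in sensors)]
    broad = [e for e, lo, hi in ranges if int(hi) - int(lo) + 1 > max_span]
    return {"uncovered": uncovered, "stale": stale, "broad": broad}

# Constructed sample data (not from the thread).
EXCEPTION_REMOTE_IPS = ["10.0.1.5", "10.0.2.10-10.0.2.12", "10.0.3.0/24", "10.0.9.9"]
SENSOR_IPS = ["10.0.1.5", "10.0.2.11", "10.0.3.7", "10.0.4.20"]

if __name__ == "__main__":
    for finding, items in audit_exception(EXCEPTION_REMOTE_IPS, SENSOR_IPS).items():
        print(f"{finding}: {items}")
```

Stale and broad entries matter as much as uncovered sensors: every exempted address is one from which a real port scan would no longer raise the signature.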

Former Member
Message 6 of 12

Re: McAfee HIPS 8 is blocking Rogue System sensor.

Hi Kary,

That's kind of what I thought.  Thanks a lot for the information!

- Steve

Former Member
Message 7 of 12

Re: McAfee HIPS 8 is blocking Rogue System sensor.

McAfee told me they would not support multiple NICs/IPs on a VM set up for Sensors. For testing, I have set up one sensor with 4 VLANs and it seems to be working, except that 3 of the 4 subnets do not show up under sensor health as active and communicating.

All 4 subnets show as covered under covered subnets.

Are all your sensors set up on a VM with multiple NICs/subnets?

Have you had any issues?

Former Member
Message 8 of 12

Re: McAfee HIPS 8 is blocking Rogue System sensor.

Did you ever get any help with this?  I am curious to know if there is a way to set up Virtual Machines that can be placed into multiple VLANs to cover more subnets with a single system.

Former Member
Message 9 of 12

Re: McAfee HIPS 8 is blocking Rogue System sensor.

@ Brentil -

Sorry for replying to such an old blog, but you mentioned that you have one VM with RSD installed that has 12 IPs attached to cover all your subnets.

Can you provide some information on how you accomplished that?

Thank you.

Liz

roychoy
Level 9
Message 10 of 12

Re: McAfee HIPS 8 is blocking Rogue System sensor.

I know in MHIPS7, you cannot create an exception for a Network IPS signature ID.  It might be the same in MHIPS8.

We had the same problem but we chose to lower the severity level.
