
Rogue System Sensor generating port scan attacks in HIPS

I am just in the process of rolling out RSS2 via epo4. One side effect that is very annoying is that our laptops with HIPS installed receive port scan attack warnings every day if connected to our domain when RSS does its scan. What is the easiest way to prevent these? The laptops are within trusted networks - I did notice however that in the trusted list each subnet has a checkbox called "Trust for network IPS" that is not checked. What is the purpose of this setting?
3 Replies

RE: Rogue System Sensor generating port scan attacks in HIPS

After looking at the details of the triggered events, I have added a firewall rule to allow incoming TCP traffic on local networks on a local port of 88 (remote port varies hugely). I will see if this has the desired effect.

RE: Rogue System Sensor generating port scan attacks in HIPS

The purpose of "Trust for Network IPS" is to eliminate false positives from known or trusted sources. You don't want RSD or MNAC generating hundreds or thousands of events. It would be hard to filter out all the static to find the real events.

Joe

RE: Rogue System Sensor generating port scan attacks in HIPS



Thanks Joe - It sounds like that would fix this problem, but possibly be overkill? i.e. it will ignore any events from the same subnet, whether they are generated by RSD or true attacks... I had hoped there was a way to identify RSD by application in the firewall rules but it doesn't look like it. Kind of frustrating considering they are both McAfee products!