ncasqueiro
Level 7

Threat source column and threat target column are equal

We are using ePO 4.5 and HIPS 7.0.0.1102 with Patch 7. When we run a query to show, for example, the desktop with more triggered HIPS signatures and we use the threat source column and threat target column in the result table to show the IPv4 address, we get the same value in both columns, which is the IPv4 address of the system name. Is this normal? How could we get the threat source?

Regards.

0 Kudos
6 Replies
McAfee Employee

Re: Threat source column and threat target column are equal

This is actually the expected behavior. HIPS modules by the time they process API and system calls at the OS level no longer have the target IP addresses available. The generic template it uses to populate information for security events does have section for source and destination IP addresses. It simply populates with the system's IP address.

0 Kudos
ncasqueiro
Level 7

Re: Threat source column and threat target column are equal

Ok, but then how can we determine the source of the attack? How should we troubleshoot the attacks?

0 Kudos
McAfee Employee

Re: Threat source column and threat target column are equal

Host IPS essentially provides shielding for potential vulnerabilities on your system and is not necessarily slanted towards or scaled for data forensics for attack sources. It intercepts API and system calls; source IPs are mostly not available, and they also typically don't have much context at that OS level.

0 Kudos
ncasqueiro
Level 7

Re: Threat source column and threat target column are equal

Once HIPS has signatures of type Network IPS, to us it makes perfect sense that we can detect the source of the attacks.

0 Kudos
McAfee Employee

Re: Threat source column and threat target column are equal

You should be able to see the source IPs in the NIPS sigs.

0 Kudos
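The practical consequence of the answers above is that the threat source column is only meaningful for Network IPS events; for Host IPS events it repeats the reporting host's own address. The following script is an added example, not McAfee's code and not part of this thread: it takes a constructed CSV export with assumed column names (`system_name`, `signature_type`, `threat_source_ipv4`, `threat_target_ipv4`; real ePO query exports use different headers) and keeps only rows whose source field actually identifies a remote address, while setting aside the rows where source equals target as host-level detections that must be investigated on the endpoint itself.

```python
"""Separate ePO/HIPS events whose 'threat source' is meaningful from those
where it merely repeats the reporting host's own address.

Added example, not McAfee code. Column names and signature type labels are
constructed to mirror the thread; real ePO query exports will differ.
"""
import csv
import io
from collections import Counter

# Constructed sample export. The Host IPS rows reproduce the behaviour from
# the thread (source == target == the host's own IPv4); the Network IPS rows
# carry a genuine remote source address.
SAMPLE_EXPORT = """\
system_name,signature_type,threat_source_ipv4,threat_target_ipv4
DESK-01,Host IPS,10.0.0.15,10.0.0.15
DESK-01,Host IPS,10.0.0.15,10.0.0.15
DESK-01,Network IPS,192.0.2.44,10.0.0.15
DESK-02,Network IPS,192.0.2.44,10.0.0.23
DESK-02,Network IPS,198.51.100.7,10.0.0.23
DESK-03,Host IPS,10.0.0.31,10.0.0.31
"""


def parse_events(text):
    """Parse a CSV export into a list of dict rows (one per event)."""
    return list(csv.DictReader(io.StringIO(text)))


def has_real_source(event):
    """True only when the source field carries information: a Network IPS
    signature whose source differs from the target. Host IPS rows reuse the
    host's own address in both columns, so their source is uninformative."""
    return (event["signature_type"] == "Network IPS"
            and event["threat_source_ipv4"] != event["threat_target_ipv4"])


def attack_sources(events):
    """Count events per remote source, ignoring rows with a placeholder source."""
    return Counter(e["threat_source_ipv4"] for e in events if has_real_source(e))


def placeholder_rows(events):
    """Rows where source equals target: treat as host-level detections whose
    origin must be established on the endpoint, not from this column."""
    return [e for e in events if not has_real_source(e)]


if __name__ == "__main__":
    events = parse_events(SAMPLE_EXPORT)
    for ip, n in attack_sources(events).most_common():
        print(f"{ip}: {n} Network IPS event(s)")
    print(f"{len(placeholder_rows(events))} event(s) with no usable source column")
```

Running it on the constructed export yields two remote sources (192.0.2.44 seen twice, 198.51.100.7 once) and three Host IPS rows whose source column should not be used for attribution. In a real query, filter on the signature type first, then on source != target, before building any "top attackers" report.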
ncasqueiro
Level 7

Re: Threat source column and threat target column are equal

You're right. Thank you.

0 Kudos