cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
greatscott
Level 12
Report Inappropriate Content
Message 1 of 5
‎09-19-2012 04:54 AM

"Treat match as intrusion" and "Log Matching Traffic" Query

Does anyone know how to create a query to see events, when in the HIPS Firewall, a rule is created, and the checkboxes "Treat match as intrusion" and "Log matching traffic" is set? I want to track this specific traffic via ePO if possible.

Is this even possible?

0 Kudos
Reply
4 Replies
greatscott
Level 12
Report Inappropriate Content
Message 2 of 5
‎09-19-2012 07:32 AM

Re: "Treat match as intrusion" and "Log Matching Traffic" Query

Nm found my own answer.

https://community.mcafee.com/message/105490

0 Kudos
Reply
maxsteel12
Level 7
Report Inappropriate Content
Message 3 of 5
‎08-22-2017 12:58 PM

Re: "Treat match as intrusion" and "Log Matching Traffic" Query

The Firewall rule which you need to monitor for a specific or multiple system.

Just Duplicate the assigned IPS rule give it a new name & type the IPS Signature 3702 and make sure its severity is set to high.

Go back to Firewall policy assigned to machine or group of the machine and check the box "Treat matched traffic as Intrusion" Save the firewall rule and assign to machine where you want to monitor Firewall logs from ePO.

Send a wake up agent and you will be able to see the firewall logs on ePO console.

**Note: This is not recommended because that can fill the DB by Firewall logs USE this only for troubleshooting purpose & that will cut the dependency of collect activity log from the machine**

0 Kudos
Reply
ktankink
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 5
‎08-22-2017 01:20 PM

Re: "Treat match as intrusion" and "Log Matching Traffic" Query 

maxsteel12 wrote:
The Firewall rule which you need to monitor for a specific or multiple system.
Just Duplicate the assigned IPS rule give it a new name & type the IPS Signature 3702 and make sure its severity is set to high.
Go back to Firewall policy assigned to machine or group of the machine and check the box "Treat matched traffic as Intrusion" Save the firewall rule and assign to machine where you want to monitor Firewall logs from ePO.
Send a wake up agent and you will be able to see the firewall logs on ePO console.
**Note: This is not recommended because that can fill the DB by Firewall logs USE this only for troubleshooting purpose & that will cut the dependency of collect activity log from the machine**

This is not firewall event monitoring.  Triggering Signature 3702 is generating Network IPS events that do contain some bits of detail (like IP, protocol, ports, directory, etc.) involved, but they are not Firewall events (no details about which FW triggered the intrusion, app names, etc.).  HIPS 8.0 cannot generate Firewall events back to the ePO server; use ENS 10.x if you wish to have true firewall event logging (in ENS, use the LOG MATCHING TRAFFIC per FW rule to send ePO events back to ePO).

0 Kudos
Reply
maxsteel12
Level 7
Report Inappropriate Content
Message 5 of 5
‎08-22-2017 02:21 PM

Re: "Treat match as intrusion" and "Log Matching Traffic" Query

JFYI

IP : Source & Destination IP can be found in log

Protocol : Can be found in log

Port : Remote & Local port can be found in log

Directory : I am not sure what are you talking. This is not belongs to FW log.

Action taken : Can be found in log

Traffic Direction : Can be found in log

Which is sufficient to read FW log

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC