cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

How to create rules based on Ips_sid

Jump to solution

Hi Guys & Girls,

I have som internet traffic I know I need, but it is blocked by IPS !!

Does anyone know how to create an firewall rule based on IPS_SID or

how to find this IPS_SID and allow it ??:

Attackip            192.168.100.15

Attackzone       internal

Category           signature_ips

Cmd                   httpp

Date                   2012-11-15

Dest Geo           FI

Dest Port          80

Dest Zone         external

Dstip                  193.66.251.201

Event                 Signature IPS drop

Facility               http_proxy

Hostname        

Information     Content matched an IPS signature.

Ips_classtype   IPS:DOS

Ips_sid               20056116

Ips_sig_category                        HTTP-General

Ips_signame     Host.Old-HTTP.Suspicious

Netsessid          d328150a4e348

Protocol            tcp

Reason              Traffic matched an IPS signature and the corresponding network session was dropped.

Rule Name       Internet Services

Source Port      62765

Source Zone     internal

Srcip                   192.168.100.15

Syslog                Critical (2)

Time                  12:42:48 +0000

It work off course when disabling IPS on the rule but I still want to use the IPS on rules !!

The product is McAfee Firewall Enterprise 8.3.0 Virtual

KR /Tom

1 Solution

Accepted Solutions
mtuma
Level 13
Report Inappropriate Content
Message 2 of 3

Re: How to create rules based on Ips_sid

Jump to solution

Hello,

You should be able to look at the signature browser and disable that IPS signature. To do this:

Go to Policy>IPS>Signature Browser and search for 20056116. Then you can right click and disable it. At that point it should not be enforced.

-Matt

View solution in original post

2 Replies
mtuma
Level 13
Report Inappropriate Content
Message 2 of 3

Re: How to create rules based on Ips_sid

Jump to solution

Hello,

You should be able to look at the signature browser and disable that IPS signature. To do this:

Go to Policy>IPS>Signature Browser and search for 20056116. Then you can right click and disable it. At that point it should not be enforced.

-Matt

View solution in original post

Re: How to create rules based on Ips_sid

Jump to solution

Hi Matt,

Off course it is, thanks ! 🙂

/Tom

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community