How do I configure policy to automatically block all severity 7-9
Greetings,

I want to configure a policy to automatically block or RfSB all severity 7,8,9 attacks in NSM v8.3

I know I can manually do this if I edit the policy and create a filter for all alerts 7,8,9 and bulk edit to Block or RfSB, but when new signatures get added or UDS uploaded these will have to be manually edited as well. This approach is inefficient and leaves a lot of room for human error.

I want to automatically block all severity 7,8,9 on the policy (my customized copy of the default outside firewall policy) so that when new signatures, new attacks get added in, they would be auto-blocked.

Thanks in advance
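The manual workflow described in the question (filter the policy for severity 7, 8 and 9, then bulk-edit the response) breaks down every time a signature update or UDS upload adds new attacks. The script below is an added example, not McAfee NSM code or anything from this thread: it is a drift check that compares two exports of a policy's attack set and reports the severity 7-9 signatures that are not yet set to Block or RfSB, separating the ones that are new since the last export from the ones that were already known. The record layout (`id`, `name`, `severity`, `response`), the response strings and the sample signatures are constructed for illustration and are not NSM's real export format; the point is that an admin gets a precise list to bulk-edit after each update instead of hunting for it by hand.

```python
"""Drift check: severity 7-9 signatures still in alert-only response.

Added example, not McAfee NSM code. Assumes a policy's attack set can be
exported as records with 'id', 'name', 'severity' (1-9) and 'response'
('Alert', 'Block', 'RfSB'). Field names, response strings and the sample
rows are constructed placeholders, not NSM's real export format.
"""
from dataclasses import dataclass

BLOCKING_RESPONSES = {"Block", "RfSB"}   # responses the thread treats as acceptable
HIGH_SEVERITY_MIN = 7                    # the 7-9 band from the question


@dataclass(frozen=True)
class Signature:
    sig_id: str
    name: str
    severity: int
    response: str


def parse_export(records):
    """Turn raw export rows into Signature objects keyed by id, validating severity."""
    sigs = {}
    for row in records:
        sev = int(row["severity"])
        if not 1 <= sev <= 9:
            raise ValueError(f"severity out of range for {row['id']}: {sev}")
        sigs[row["id"]] = Signature(row["id"], row["name"], sev, row["response"])
    return sigs


def unblocked_high_severity(current, previous=None):
    """Report severity 7-9 signatures whose response is not Block/RfSB.

    Returns {'new': [...], 'carried': [...]}. 'new' holds signatures that were
    absent from the previous export or whose severity was raised into the band
    since then (i.e. what the signature update or UDS upload introduced);
    'carried' holds ones that were already high-severity and unblocked last
    time. With no previous export everything lands in 'new'.
    """
    new, carried = [], []
    for sig_id, sig in current.items():
        if sig.severity < HIGH_SEVERITY_MIN or sig.response in BLOCKING_RESPONSES:
            continue
        old = previous.get(sig_id) if previous else None
        if old is not None and old.severity >= HIGH_SEVERITY_MIN:
            carried.append(sig)
        else:
            new.append(sig)
    order = lambda s: (-s.severity, s.sig_id)   # most severe first, then stable by id
    return {"new": sorted(new, key=order), "carried": sorted(carried, key=order)}


def format_report(findings):
    """One line per finding, suitable for a ticket or a change request."""
    lines = []
    for bucket in ("new", "carried"):
        for s in findings[bucket]:
            lines.append(f"[{bucket}] {s.sig_id} sev={s.severity} "
                         f"response={s.response} {s.name}")
    return lines


# Constructed sample exports (placeholder ids, not real NSM attack ids).
PREVIOUS_EXPORT = [
    {"id": "SIG-001", "name": "HTTP: Example Overflow A", "severity": 8, "response": "Block"},
    {"id": "SIG-002", "name": "SMB: Example Probe B", "severity": 5, "response": "Alert"},
    {"id": "SIG-003", "name": "DNS: Example Tunnel C", "severity": 7, "response": "Alert"},
]
CURRENT_EXPORT = [
    {"id": "SIG-001", "name": "HTTP: Example Overflow A", "severity": 8, "response": "Block"},
    {"id": "SIG-002", "name": "SMB: Example Probe B", "severity": 7, "response": "Alert"},  # raised into band
    {"id": "SIG-003", "name": "DNS: Example Tunnel C", "severity": 7, "response": "Alert"},  # still unblocked
    {"id": "SIG-004", "name": "UDS: Custom Rule D", "severity": 9, "response": "Alert"},     # newly added
    {"id": "SIG-005", "name": "SSH: Example Brute E", "severity": 9, "response": "RfSB"},    # already fine
]


def demo():
    """Run the check on the constructed exports and return the findings."""
    return unblocked_high_severity(parse_export(CURRENT_EXPORT), parse_export(PREVIOUS_EXPORT))


if __name__ == "__main__":
    for line in format_report(demo()):
        print(line)
```

Running the check after every signature update and feeding the `new` list into the bulk-edit step keeps the decision with the admin, which addresses the false-positive concern raised later in the thread, while removing the chance of simply missing a newly added signature.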

1 Solution

Accepted Solution: mjesmer (Reliable Contributor), Message 8 of 9

Re: How do I configure policy to automatically block all severity 7-9

I was curious so I looked around the site for a little bit and found this preexisting PER request...

McAfee Ideas Forum: Automatic enable attack protection to blocking based on defined criteria (NSM)

If you haven't already, go to the site below, register and vote for the PER.

8 Replies

d_aloy (Reliable Contributor), Message 2 of 9

Re: How do I configure policy to automatically block all severity 7-9

Hi Shawn

Good question and idea. I would suggest you push it to McAfee so they can modify the current options, as I believe what you want to do cannot be done without an admin doing some work.

You can create attack set profiles to include attacks based on severity, but I don't see how you would get NSM to modify the response settings to block as soon as they are added to the ruleset/policy.

I checked the API guide and could not find any block references either. So you either go with RfSB, which should contain high confidence signatures (and from an Ops point of view, the signature confidence may be more important than the signature severity, especially if you are looking to drop packets...)

OR, you could look at the API guide again to see if there are any options there (I'm not an API user),

OR you could potentially look at how to script the modification of the response of the new signatures based on severity, directly on the MySQL database

I can't think of any other way to be honest...but I may be wrong. And if doable... then I as you, would like to know how to do it

Cheers

David

Message 3 of 9

Re: How do I configure policy to automatically block all severity 7-9

Hey thanks for the update and suggestions.

I'm not much of an SQL junkie, so I won't pursue that option, but it's a good suggestion for anyone else with the same question who may be more SQL inclined.

What is the path to suggest this to McAfee?

d_aloy (Reliable Contributor), Message 4 of 9

Re: How do I configure policy to automatically block all severity 7-9

I personally would raise an SR with McAfee Support asking them if there is a way to achieve this auto-change on the response settings. If the answer is no, they will suggest adding this to the Idea Portal. Here is the KB article on how to submit one.

Regards

David

mjesmer (Reliable Contributor), Message 5 of 9

Re: How do I configure policy to automatically block all severity 7-9

I personally would not want to create something like this. If you create something that will automatically set an alert with a severity of 7, 8 or 9 to block, then new signatures, which by design do not block when released by McAfee, would block, and thus any false positives could cause network downtime or loss of service because you immediately set them to blocking. This issue is why McAfee releases all of its signatures in the alert-only state.

I understand the desire for the feature, but I think it would cause more overhead than simply manually doing the change. Just my 2 cents.

Message 6 of 9

Re: How do I configure policy to automatically block all severity 7-9

Thanks for your suggestion and contribution.

I have thought about that and the impact of possible false positives.

I want this applied to my outside firewall policy, so at the Internet facing traffic, I would much rather a default block on ALL 7-9 severities, for any new signatures rather than just an alert that I may miss or not be able to attend to in the appropriate time.

I definitely would not want this kind of blocking on my internal traffic.

In my network, I have found that false positives are seen more on my internal traffic and alerts on the internet facing traffic are pretty much accurate.

The concern about unnecessary downtime is also noted; however, given our current threat landscape, I would rather have legit traffic get blocked than have legit malware get through and miss the alert.

mjesmer (Reliable Contributor), Message 7 of 9

Re: How do I configure policy to automatically block all severity 7-9

I completely understand. Have you created a PER for this feature request? If it gets enough support from the community, McAfee PM will review it and make a decision.

PER site:

https://www51.v1ideas.com/IntelIdeas/ISecGForum


Message 9 of 9

Re: How do I configure policy to automatically block all severity 7-9

I was actually looking around to see if there were any suggestions for this instead of creating a new one. Looks like you found it before I did. Thanks so much, I appreciate it.

That suggestion is pretty much what I want. I have voted for it.

d_aloy and mjesmer, please vote for it if you haven't already.
