
Not Getting High Severity Alerts

Hi All,

Can anyone help me? I am facing a strange issue on NSM. I was getting high, low and medium alerts on the NSM IPS report, but suddenly the high severity alarms disappeared from the report. This issue has persisted for a few days. I have disabled the proxy server on NSM. Can this change be the cause of not getting high alarms? Sorry for my bad English.

6 Replies
fkazi04 McAfee Employee

Re: Not Getting High Severity Alerts

Hi @User27622125 

There are no changes in the signature set where high/medium signatures will be disabled. 

To validate if it is reporting an issue, kindly check whether the high severity alerts are seen in attack logs. If yes, look for the same alerts in the report. This should give us clarity on where to investigate.

Also, kindly confirm which report you are generating.

 

 

Regards,
Faizan

Was my reply helpful?
If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!

Re: Not Getting High Severity Alerts

Hi

We are generating the report after correlating with the SIEM integration, and this report contains severity alarms.

Re: Not Getting High Severity Alerts

Hi

Kindly check this error I am getting in server logs:

 

[Thread-32004::Top Attacks, ] [logCorId1580290967140] com.intruvert.ruleEngine.DAO.updates.IUS_DAO - Error While Processing the request for url, IOException https://menshen1.intruvert.com/main2.xml, the error is Connection timed out: connect

 

Can you tell me what the issue is?

fkazi04 McAfee Employee

Re: Not Getting High Severity Alerts

Hi @User27622125 

Network Security Manager downloads the signature set update from menshen1.intruvert.com server. From the error, it seems signature set download is failing because of the connectivity issue between NSM & the download server.

 

I would suggest you investigate the connectivity between the two devices.

Regards,
Faizan

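A small triage helper for the update error quoted in this thread, added here as an example (it is not McAfee's code and not part of the original posts): it pulls the host and port out of the IUS_DAO log line and classifies a direct TCP connection attempt from the machine it runs on. The function names and result labels are assumptions made for this example.

```python
import re
import socket
from urllib.parse import urlsplit

# Log line copied from the thread above (NSM server log).
SAMPLE = ("[Thread-32004::Top Attacks, ] [logCorId1580290967140] "
          "com.intruvert.ruleEngine.DAO.updates.IUS_DAO - Error While Processing "
          "the request for url, IOException https://menshen1.intruvert.com/main2.xml, "
          "the error is Connection timed out: connect")

LINE_RE = re.compile(
    r"IUS_DAO - .*?IOException (?P<url>https?://\S+?), the error is (?P<err>.+)$")

def parse_update_error(line):
    """Return (host, port, error) from an IUS_DAO update-failure line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    u = urlsplit(m.group("url"))
    port = u.port or (443 if u.scheme == "https" else 80)
    return u.hostname, port, m.group("err").strip()

def probe(host, port, timeout=5.0):
    """Classify reachability: 'dns-failure', 'timeout', 'refused', 'error' or 'ok'."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"
    result = "error"
    for family, stype, proto, _, addr in infos:  # try every resolved address
        s = socket.socket(family, stype, proto)
        s.settimeout(timeout)
        try:
            s.connect(addr)
            return "ok"
        except socket.timeout:
            result = "timeout"      # no answer at all: packets dropped on the path
        except ConnectionRefusedError:
            result = "refused"      # host reachable, nothing listening on the port
        except OSError:
            result = "error"
        finally:
            s.close()
    return result

if __name__ == "__main__":
    host, port, err = parse_update_error(SAMPLE)
    print(f"log says: {host}:{port} -> {err}")
    print("direct probe from this machine:", probe(host, port))
```

Run it on the NSM server itself: a `timeout` result matches the logged error and typically points to a firewall drop or a proxy that is required on the outbound path, while `ok` means plain TCP reachability is not the problem.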

Re: Not Getting High Severity Alerts

I am not getting high severity alerts, so how can I troubleshoot this issue? One more thing: I tested just by running cmd.exe in the browser to check if the IPS detects it, but when I checked the attack log there was no event seen. Does this mean that either the sensor is not detecting it or it is not being displayed on NSM? What do you suggest to troubleshoot?

fkazi04 McAfee Employee

Re: Not Getting High Severity Alerts

Hi @User27622125 

For high Sev. alerts not coming:

1. Check the policy if they are enabled.

2. If high severity alerts are enabled then please check if Sent alert to manager is enabled or not.

3. Do you see that all high Sev alerts have stopped coming, or have only some specific alerts reduced? If there is any specific alert, it might be possible the traffic is no longer seen. We must take a packet capture to confirm the same.

For cmd.exe alert not detected:

1. Validate the policy applied has cmd.exe enabled.

2. Confirm the system used for testing is inline to the Sensor [take a packet capture on the Sensor for host IP]

3. If the traffic is received, then check the alert status counter via status command on the Sensor. If the counters are increasing that implies Sensor is sending alerts.

4. Now, check on the Manager; the alert should be present.

 

Regards,
Faizan
