bperez, Level 10
Message 1 of 5

What Does a Result of "Inconclusive" Mean in Threat Analyzer?


We recently migrated to version 7.1.3.5 of NSM, and the Threat Manager now shows "Inconclusive" in the Result column; KB56436 does not have a description for it.

Any suggestions?

Regards.

Bernardo.

Accepted Solution
bperez, Level 10
Message 2 of 5

Re: What Does a Result of "Inconclusive" Mean in Threat Analyzer?


That's the response from Support T1:

• Attack Successful: the attack was either successful or possibly successful. To easily find out if high-severity attacks have been successful, create a drill-down alert result status for High Severity > Inbound > Successful. Keep this window open to know immediately when there is an attack that requires your immediate attention.

• Inconclusive: the result of the attack is not known. This is most likely due to a generic policy, such as the Default or All-Inclusive policy, where the policy rules are not environment specific. For example, this may be the result if an attack occurs against an irrelevant node.

• Attack Failed: the attack had no impact.

• N/A: the alert was raised for suspicious, but not necessarily malicious, traffic. This result is common for Reconnaissance attacks due to the nature of port scanning and host sweeping.

• Attack Blocked: attacks blocked by a "Drop packets" Sensor response.

• DoS Blocking Activated: applies to DoS traffic and indicates that the Sensor has identified traffic that is suspicious in nature, that is exceeding its learned threshold, or that is not recognized based on its profile. The Sensor has started blocking unknown traffic, while attempting (on a packet-by-packet basis) to block only DoS traffic from a trusted source. The Sensor attempts to allow legitimate traffic to flow from the trusted source. Because of the nature of DoS attacks, one cannot be certain that 100% of bad traffic was blocked, nor that 100% of 'good' traffic was permitted. For a more in-depth description of McAfee Network Security Platform's DoS handling, see Denial of Service in the McAfee Network Security Platform IPS Administration Guide.

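The status list above lends itself to a small triage script. The following is an added example, not code from the original post and not McAfee code: it implements the suggested High Severity > Inbound > Successful drill-down and sorts the remaining statuses into handling queues, keeping Inconclusive separate from Attack Failed because the Sensor did not actually judge the outcome. The CSV columns, attack names and alert values are constructed for the example and are an assumed shape, not the Threat Analyzer export format.

```python
"""Triage of Threat Analyzer result statuses.

Added example, not McAfee code. The result-status names are the ones quoted
from Support in this thread; the CSV layout, column names and alert values
below are CONSTRUCTED for the example and are an assumed shape, not the
real Threat Analyzer export format.
"""
import csv
import io
from collections import Counter

# Result statuses as described in the accepted answer.
ATTACK_SUCCESSFUL = "Attack Successful"
INCONCLUSIVE = "Inconclusive"
ATTACK_FAILED = "Attack Failed"
NOT_APPLICABLE = "N/A"
ATTACK_BLOCKED = "Attack Blocked"
DOS_BLOCKING = "DoS Blocking Activated"

# Constructed sample export (assumed columns; attack names are placeholders).
SAMPLE_CSV = """\
id,attack,severity,direction,result
1,HTTP: Example Overflow,High,Inbound,Attack Successful
2,HTTP: Example Overflow,High,Inbound,Inconclusive
3,TCP: Port Scan,Low,Inbound,N/A
4,SMB: Example Exploit,High,Outbound,Attack Successful
5,SMB: Example Exploit,High,Inbound,Attack Blocked
6,DNS: Example Flood,Medium,Inbound,DoS Blocking Activated
7,FTP: Example Traversal,Medium,Inbound,Attack Failed
8,FTP: Example Traversal,Low,Inbound,Inconclusive
"""


def load_alerts(text):
    """Parse the (assumed) CSV export into a list of dicts with int ids."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["id"] = int(row["id"])
    return rows


def drill_down(alerts, severity="High", direction="Inbound",
               result=ATTACK_SUCCESSFUL):
    """The 'High Severity > Inbound > Successful' view from the answer."""
    return [a for a in alerts
            if a["severity"] == severity
            and a["direction"] == direction
            and a["result"] == result]


def triage_bucket(alert):
    """Map one alert to a handling queue.

    Inconclusive is deliberately NOT folded into 'failed': the Sensor could
    not judge the outcome, so a High/Medium inconclusive alert still needs
    someone to look at the target host. N/A alerts are kept as
    informational recon, and blocked alerts are reviewed for volume.
    """
    sev, res = alert["severity"], alert["result"]
    if res == ATTACK_SUCCESSFUL:
        return "act_now" if sev == "High" else "successful_review"
    if res == INCONCLUSIVE:
        return "verify_on_host" if sev in ("High", "Medium") else "low_priority"
    if res in (ATTACK_BLOCKED, DOS_BLOCKING):
        return "blocked_volume_review"
    if res == NOT_APPLICABLE:
        return "recon_informational"
    return "low_priority"          # Attack Failed and anything unrecognised


def triage(alerts):
    """Group alert ids by queue, preserving export order."""
    queues = {}
    for a in alerts:
        queues.setdefault(triage_bucket(a), []).append(a["id"])
    return queues


def result_histogram(alerts):
    """Count alerts per result status (a quick sanity check after an upgrade)."""
    return Counter(a["result"] for a in alerts)


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_CSV)
    print("act now:", [a["id"] for a in drill_down(alerts)])
    print("queues:", triage(alerts))
    print("histogram:", result_histogram(alerts))
```

The histogram is worth running right after an upgrade like the one in the question: if most alerts land in Inconclusive, the policy is probably the generic Default/All-Inclusive one and is not yet tuned to the environment.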

4 Replies

gfergus1, Level 11
Message 3 of 5

Re: What Does a Result of "Inconclusive" Mean in Threat Analyzer?


Inconclusive was previously labeled "unknown" in prior releases. They changed it to be more clear in 7.1.

dotax, Level 9
Message 4 of 5

Re: What Does a Result of "Inconclusive" Mean in Threat Analyzer?


I happened to come across this old thread when I googled for this attack result.

I wonder how the IPS is able to determine the result of "inconclusive", "attack successful" or "attack failed" for a list of attacks under an IPS policy where every response was set to "Send Alert to Manager" only. Since the IPS is not able to know the details of the node behind it, how is it able to determine whether the attack was successful, failed, or had no result?

petermason, Reliable Contributor
Message 5 of 5

Re: What Does a Result of "Inconclusive" Mean in Threat Analyzer?


Hi Dotax,

Have a look at the section on Alert Relevance in the Network Security Platform IPS Admin Guide, it gives some explanation of how these results are calculated.

https://kc.mcafee.com/agent/index?page=content&id=KB76064

Regards

Peter
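To make the relevance idea Peter points to concrete, here is an added illustrative model. It is not McAfee code and not the Alert Relevance calculation from the guide; it models one way a result can be derived when the Sensor only sees traffic: the attack's target requirements (OS family, service, flaw) are correlated against whatever inventory is known about the destination host, and when nothing is known about that host the only honest answer is Inconclusive. The signature fields, host inventory, vulnerability labels and IP addresses are all constructed for the example.

```python
"""Illustrative model of deriving an alert result from target relevance.

Added example, not McAfee code and not the NSP Alert Relevance calculation
itself (that is described in the IPS Administration Guide). It models the
general idea of correlating an attack's target requirements with what is
known about the target host, and shows why a Sensor that knows nothing
about the node behind it can only report 'Inconclusive'. The signature
fields, host inventory, vulnerability labels and IP addresses are all
constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

INCONCLUSIVE = "Inconclusive"
ATTACK_SUCCESSFUL = "Attack Successful"
ATTACK_FAILED = "Attack Failed"
NOT_APPLICABLE = "N/A"


@dataclass(frozen=True)
class Signature:
    name: str
    category: str                   # assumed: "exploit" or "reconnaissance"
    target_os: FrozenSet[str]       # OS families the attack can affect
    target_service: Optional[str]   # service the exploit needs on the host
    vuln: Optional[str] = None      # label of the flaw the attack exploits


@dataclass(frozen=True)
class Host:
    ip: str
    os_family: str
    services: FrozenSet[str]
    fixed_vulns: FrozenSet[str] = field(default_factory=frozenset)


# Constructed inventory, the kind of data an imported scan would supply.
INVENTORY: Dict[str, Host] = {
    "10.0.0.5": Host("10.0.0.5", "windows", frozenset({"smb", "http"})),
    "10.0.0.6": Host("10.0.0.6", "linux", frozenset({"ssh", "http"})),
    "10.0.0.7": Host("10.0.0.7", "windows", frozenset({"smb"}),
                     frozenset({"example-smb-flaw"})),
}

# Constructed signatures (placeholder names, not real NSP attack ids).
SIG_SMB = Signature("SMB: Example Exploit", "exploit",
                    frozenset({"windows"}), "smb", "example-smb-flaw")
SIG_SCAN = Signature("TCP: Port Scan", "reconnaissance", frozenset(), None)


def derive_result(sig: Signature, dst_ip: str,
                  inventory: Dict[str, Host]) -> str:
    """Decide a result status from what is known about the target."""
    if sig.category == "reconnaissance":
        return NOT_APPLICABLE          # suspicious, not necessarily malicious
    host = inventory.get(dst_ip)
    if host is None:
        return INCONCLUSIVE            # nothing known about the node
    if host.os_family not in sig.target_os:
        return ATTACK_FAILED           # attack aimed at the wrong platform
    if sig.target_service and sig.target_service not in host.services:
        return ATTACK_FAILED           # required service not present
    if sig.vuln and sig.vuln in host.fixed_vulns:
        return ATTACK_FAILED           # scan says the flaw is already fixed
    return ATTACK_SUCCESSFUL           # "successful or possibly successful"


def summarize(events, inventory):
    """Count result statuses over (signature, dst_ip) pairs."""
    counts: Dict[str, int] = {}
    for sig, ip in events:
        r = derive_result(sig, ip, inventory)
        counts[r] = counts.get(r, 0) + 1
    return counts


if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.99"):
        print(ip, derive_result(SIG_SMB, ip, INVENTORY))
    print("empty inventory:", derive_result(SIG_SMB, "10.0.0.5", {}))
```

Passing an empty inventory reproduces the situation in dotax's question: with no host knowledge every exploit alert collapses to Inconclusive, and only "Send Alert to Manager" responses are left, so the drop in Inconclusive counts after a scan import is a direct measure of how much relevance data the Manager has to work with.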
