Moved to HIPS area
There are no query/filter options for most of the HIPS event parameter details you see at the bottom of events.
Thanks, I was afraid of that. I think I've spoken with you via McAfee support.
Still wondering if anyone has any practical experience or lessons learned regarding tuning this signature.
Generally speaking, follow KB73399 for IPS tuning.
KB73399 - FAQs for Host Intrusion Prevention 8.0
Review the section titled “Top Issues -> Client IPS/FAQ - IPS Events”.
For Sig 3819, it covers CVE-2007-0214 (see signature description), which is a Win XP/2000/2003 vulnerability. For vulnerability-based signatures, this is how you'll tune basically.
- Is this occurring on different affected software/OS versions than the vendor vulnerability?
- If so, then it's a false positive; create an exception or disable it.
- If not, has the system been patched?
- If the system has been patched, create an exception or disable it.
- If the system has not been patched, then signature violations are not false positives; patch the system, then disable the signature.
ePO has bad support for the so-called "IPS parameters" data. Except for file name, none of them can be searched or sorted from the ePO web interface.
So the only way I was able to do something useful with HIPS events is by doing SQL queries directly on the database (as Excel can sort much better :-) )
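As an added example (not code from this thread, from McAfee, or from ePO), here is the vulnerability-signature triage described in the KB73399 steps above, plus the filter-and-sort over event parameters that the last post does in SQL, run over a few constructed event rows exported from the events view. The signature scope for Sig 3819, the host inventory, the event rows and the parameter names are all assumptions made for the example; no ePO table layout is assumed.

```python
"""Triage HIPS vulnerability-signature events against vendor scope.

Added example; nothing here is McAfee or ePO code. All data below is
constructed for illustration.
"""
from collections import Counter

# Constructed signature metadata. The thread states Sig 3819 covers
# CVE-2007-0214, a Windows 2000/XP/2003 vulnerability.
SIGNATURE_SCOPE = {
    3819: {
        "cve": "CVE-2007-0214",
        "affected_os": {"Windows 2000", "Windows XP", "Windows Server 2003"},
    },
}

# Constructed host inventory: OS plus the set of CVEs already patched.
HOST_INVENTORY = {
    "WS-001": {"os": "Windows XP", "patched": {"CVE-2007-0214"}},
    "WS-002": {"os": "Windows XP", "patched": set()},
    "SRV-010": {"os": "Windows Server 2008", "patched": set()},
}

# Constructed event rows; "params" stands in for the IPS parameter
# details shown at the bottom of an event (names are assumptions).
EVENTS = [
    {"host": "WS-001", "sig": 3819,
     "params": {"file": r"C:\Windows\system32\svchost.exe", "user": r"NT AUTHORITY\SYSTEM"}},
    {"host": "WS-002", "sig": 3819,
     "params": {"file": r"C:\Windows\system32\lsass.exe", "user": r"NT AUTHORITY\SYSTEM"}},
    {"host": "SRV-010", "sig": 3819,
     "params": {"file": r"C:\Program Files\App\app.exe", "user": r"CORP\svc_app"}},
    {"host": "SRV-010", "sig": 3819,
     "params": {"file": r"C:\Windows\system32\svchost.exe", "user": r"NT AUTHORITY\SYSTEM"}},
]

# Recommended action for each verdict, following the KB steps in the thread.
ACTION = {
    "false_positive": "OS not in vendor affected list: create an exception or disable the signature",
    "patched": "system is patched: create an exception or disable the signature",
    "vulnerable": "not a false positive: patch the system, then disable the signature",
    "unknown": "no signature scope or host record: investigate before tuning",
}


def classify(event, scope=SIGNATURE_SCOPE, inventory=HOST_INVENTORY):
    """Return (verdict, action) for one event using the KB decision steps."""
    sig = scope.get(event["sig"])
    host = inventory.get(event["host"])
    if sig is None or host is None:
        return "unknown", ACTION["unknown"]
    # Step 1: is the affected OS different from what the vendor lists?
    if host["os"] not in sig["affected_os"]:
        return "false_positive", ACTION["false_positive"]
    # Step 2: has the system been patched for the covered CVE?
    if sig["cve"] in host["patched"]:
        return "patched", ACTION["patched"]
    return "vulnerable", ACTION["vulnerable"]


def filter_by_param(events, key, needle):
    """Events whose parameter `key` contains `needle` (case-insensitive)."""
    return [e for e in events if needle.lower() in e["params"].get(key, "").lower()]


def sort_by_param(events, key):
    """Events ordered by one parameter, what the web UI cannot do."""
    return sorted(events, key=lambda e: e["params"].get(key, ""))


def summarize(events):
    """Count verdicts so a signature can be tuned fleet-wide, not per event."""
    return Counter(classify(e)[0] for e in events)


if __name__ == "__main__":
    for e in sort_by_param(EVENTS, "user"):
        verdict, action = classify(e)
        print(f'{e["host"]:8} sig {e["sig"]} {e["params"]["user"]:22} {verdict:15} {action}')
    print(dict(summarize(EVENTS)))
```

The point of splitting `classify` from `summarize` is that the KB steps apply per host (OS and patch state), but the tuning decision for a signature is taken per fleet: if every hit is a false positive you disable the signature, whereas a single "vulnerable" verdict means a patch must land first.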