The link to the UDS details is here
You can check the settings for each attack in the IPS policies before you deploy the changes to your sensors.
You need to be logged on to be able to see some of the KB articles.
Regarding your question of block settings - McAfee signatures do not block anything by default, simply because on the signature itself there isn't a response section - i.e. think of the Alert or Drop on a SNORT rule.
Since the signature itself does not block, it will all depend on the policies you have configured and what response settings you have configured.
Thank you for the response Peter.
That is the one page I am able to find but nothing else regarding what the blocking action will be.
UDS-Malware: Locky Ransomware Activity Detected II
UDS Release Date: Attack id CVE number VIL/Other URL NA Protocol HTTP Response setting Attack Direction UDS to be included in next regular sigset? UDS has to be deleted manually after the following sigset release? Attack Encyclopedia Detail Description
This alert indicates that Locky Ransomware traffic was detected on your network
I may be mistaken but isn't there a way to review the blocking behavior prior to uploading to the NSM?
Thanks David. That makes sense.
I must have been thinking of something else.
Thank you again.
Did any of you ever face an issue whereby the UDS imported is not displaying under any default or cloned IPS policy except the Master Attack Repository?
I found this issue in 22.214.171.124 and 126.96.36.199.1 (hotfix version). It does not seem to be described in a KB either.
I did try to clear the cache, restart the NSM, and change browser, but the issue still persists.
Any thoughts on this ?
I am not seeing this issue on our NSMs, but they are on 188.8.131.52.7 (HF).
Have you checked on the database tables to see if the UDS is there without issues? You can run these 'select' commands to look for UDS sigs:
select * from iv_release_attack where attack_id like '0xc%';
select * from iv_signature where attack_id_ref like '0xc%';
select * from iv_filtered_attack_list where attack_id like '0xc%';
select * from iv_response where attackid like '0xc%';
select * from iv_impact where attack_id_ref like '0xc%';
select * from iv_vulnerability where attack_id like '0xc%';
select * from iv_attack where id like '0xc%';
If you find any issues you can delete the UDS signatures on your NSM and re-import them maybe? You can try deleting from the UI, saving changes, then re-importing... or if you prefer directly on the database, you can use the same mysql queries as above, but replace the "select * " with "delete ".
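As an added example (not from the thread), the per-table checks above can be combined into one query that lists every UDS attack id present in iv_attack together with how many matching rows each of the other tables holds, and keeps only the ids where some table has none. It assumes the table and column names exactly as used in the queries above; the real NSM schema is not documented on this page.

```sql
-- Constructed consistency check for imported UDS attacks (ids starting 0xc).
-- Assumption: tables and key columns are named as in the select statements above.
SELECT *
FROM (
    SELECT a.id AS uds_attack_id,
           (SELECT COUNT(*) FROM iv_release_attack r
             WHERE r.attack_id = a.id)          AS release_attack_rows,
           (SELECT COUNT(*) FROM iv_signature s
             WHERE s.attack_id_ref = a.id)      AS signature_rows,
           (SELECT COUNT(*) FROM iv_filtered_attack_list f
             WHERE f.attack_id = a.id)          AS filtered_list_rows,
           (SELECT COUNT(*) FROM iv_response p
             WHERE p.attackid = a.id)           AS response_rows,
           (SELECT COUNT(*) FROM iv_impact i
             WHERE i.attack_id_ref = a.id)      AS impact_rows,
           (SELECT COUNT(*) FROM iv_vulnerability v
             WHERE v.attack_id = a.id)          AS vulnerability_rows
    FROM iv_attack a
    WHERE a.id LIKE '0xc%'
) AS uds_rows
-- Keep only UDS ids that are missing from at least one of the related tables.
WHERE release_attack_rows = 0
   OR signature_rows = 0
   OR filtered_list_rows = 0
   OR response_rows = 0
   OR impact_rows = 0
   OR vulnerability_rows = 0
ORDER BY uds_attack_id;
```

An empty result means every UDS id is referenced in all seven tables, which points the investigation at policy or attack-set configuration rather than at a broken import.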
Yes, I have checked on the database tables, and the UDS is there.
I can also see from Master attack Repository that the UDS is imported successfully.
However, other IPS policies such as Default Prevention, Default Detection and the "cloned" policy do not show any UDS attacks (even after the manager cache was cleared).
I did try to delete and import the UDS again, but the issue still persists.
I also tried to restart the NSM server; it does not help either.
What if you try creating a new policy? Does the UDS show as available?
Have you checked the Attack Set profiles for your policies?
Can you see other Exploit attacks in the policies?