10 Replies Latest reply on Feb 16, 2010 7:50 AM by StefanT

    Application Service Monitoring

    StefanT

      Can HIPS monitor services for other applications? For example can it detect and alert if a service is stopped?

       

      Thanks

       

      Stef

        • 1. Re: Application Service Monitoring
          smalldog

          It's impossible.

          • 2. Re: Application Service Monitoring
            Sudeep Garg

            Using the Services engine directive, you can create custom signatures to monitor services for Start, Stop, Delete, Create, Pause etc.

            Simple steps:

            - Open IPS rules policy

            - Add Signature Wizard

            - Give Sig Name and hit next

            - Select "Windows Service" Radio button and give the name of the service and save

            - Done

             

            You can do more fine-tuning by editing the signature after creating it.

             

            Note: The service name should be the name of the Service as it appears in the registry or the Service Property and is different from the Display name of the service normally.

            • 3. Re: Application Service Monitoring
              smalldog

              Thanks Sudeep Garg, I'm testing.

              • 4. Re: Application Service Monitoring
                StefanT

                OK, tried this but when the monitored service is stopped I get no notifications at all, have checked both ePO logs and HIPS client side but nothing.

                 

                Any ideas?

                 

                Stef

                • 5. Re: Application Service Monitoring

                  Make sure you have specified the correct service name in your custom signature.

                   

                  For example, open services.msc and right-click the Alerter service.

                  Note the Service name as opposed to the Display name. You need to use the Service name in the rule.

                  I tested creating my own signature to prevent Alerter from being stopped and it works correctly.

                   

                  This will also work for any 3rd party service, other than Windows services.

                  • 6. Re: Application Service Monitoring
                    StefanT

                    Still nothing. Can I ask where you are seeing the report/alert/log?

                     

                    Stef

                    • 7. Re: Application Service Monitoring

                      If you were able to stop the service, there is something else wrong or you were in log only mode.

                      Enable IPS logging with security events and refer to KB54473 to verify a security event.

                       

                      Here are 2 snips from my HipShield log.

                       

                      The first was for a rule to prevent stopping the Windows Alerter service.  The second was to prevent stopping of the VMWare Authorization service.

                       

                      02-04 10:49:24 [00640] VIOLATION: [1] ------- Violation  Logged ---- Size 555 ----
                      <Event> <!-- Level=High, Reaction=Prevent -->
                        <EventData
                        SignatureID="4027"
                        SignatureName="My alerter test"
                        SeverityLevel="4"
                        Reaction="3"
                        ProcessUserName="NT Authority\Local System"
                        Process="C:\WINDOWS\system32\services.exe"
                        IncidentTime="2010-02-04 10:49:21"
                        AllowEx="True"
                        SigRuleClass="Services"
                        ProcessId="724"
                        Session="0"
                        SigRuleDirective="stop"/>
                        <Params>
                          <Param name="services">Alerter</Param>
                          <Param name="display names">Alerter</Param>
                          <Param name="Workstation Name">BG2K3TEST</Param>
                        </Params>
                      </Event>
                      ------------------------------

                       

                      02-04 10:58:41 [00640] VIOLATION: [1] ------- Violation  Logged ---- Size 594 ----
                      <Event> <!-- Level=High, Reaction=Prevent -->
                        <EventData
                        SignatureID="4027"
                        SignatureName="My service protection test"
                        SeverityLevel="4"
                        Reaction="3"
                        ProcessUserName="NT Authority\Local System"
                        Process="C:\WINDOWS\system32\services.exe"
                        IncidentTime="2010-02-04 10:58:38"
                        AllowEx="True"
                        SigRuleClass="Services"
                        ProcessId="724"
                        Session="0"
                        SigRuleDirective="stop"/>
                        <Params>
                          <Param name="services">VMAuthdService</Param>
                          <Param name="display names">VMware Authorization Service</Param>
                          <Param name="Workstation Name">BG2K3TEST</Param>
                        </Params>
                      </Event>
                      ------------------------------
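Added example (not part of the thread, not McAfee's own tooling): a small Python parser for HipShield.log violation entries of the shape quoted above. It pulls out the service's registry name (the "services" param, as opposed to the display name that post #5 warns about), the directive, and whether the reaction recorded in the event comment was Prevent, so a reviewer can confirm a Services signature actually fired. The sample log is constructed from the two snippets above with the EventData attributes joined onto fewer lines.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's two HipShield.log snippets (attributes joined onto fewer lines).
SAMPLE_LOG = r"""
02-04 10:49:24 [00640] VIOLATION: [1] ------- Violation  Logged ---- Size 555 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData SignatureID="4027" SignatureName="My alerter test" SeverityLevel="4" Reaction="3"
  ProcessUserName="NT Authority\Local System" Process="C:\WINDOWS\system32\services.exe"
  IncidentTime="2010-02-04 10:49:21" AllowEx="True" SigRuleClass="Services" ProcessId="724" Session="0" SigRuleDirective="stop"/>
  <Params>
    <Param name="services">Alerter</Param>
    <Param name="display names">Alerter</Param>
  </Params>
</Event>
------------------------------
02-04 10:58:41 [00640] VIOLATION: [1] ------- Violation  Logged ---- Size 594 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData SignatureID="4027" SignatureName="My service protection test" SeverityLevel="4" Reaction="3"
  ProcessUserName="NT Authority\Local System" Process="C:\WINDOWS\system32\services.exe"
  IncidentTime="2010-02-04 10:58:38" AllowEx="True" SigRuleClass="Services" ProcessId="724" Session="0" SigRuleDirective="stop"/>
  <Params>
    <Param name="services">VMAuthdService</Param>
    <Param name="display names">VMware Authorization Service</Param>
  </Params>
</Event>
------------------------------
"""

# One violation = a "VIOLATION:" header line followed by an <Event> XML block.
EVENT_RE = re.compile(r"VIOLATION:.*?\n(<Event>.*?</Event>)", re.S)
# The human-readable level/reaction only appear in the XML comment on the <Event> line.
COMMENT_RE = re.compile(r"<!--\s*Level=(\w+),\s*Reaction=(\w+)\s*-->")

def parse_service_violations(log_text):
    """One dict per Services-class violation: signature, service (registry name and
    display name), directive (start/stop/...), and whether HIPS prevented it."""
    events = []
    for xml_text in EVENT_RE.findall(log_text):
        level, reaction = COMMENT_RE.search(xml_text).groups()
        root = ET.fromstring(xml_text)  # ElementTree drops the comment; attributes survive
        data = root.find("EventData").attrib
        if data.get("SigRuleClass") != "Services":
            continue  # skip file/registry/etc. signatures; only the Services directive matters here
        params = {p.get("name"): p.text for p in root.iter("Param")}
        events.append({"time": data["IncidentTime"], "signature": data["SignatureName"],
                       "service": params["services"], "display_name": params["display names"],
                       "directive": data["SigRuleDirective"], "level": level,
                       "prevented": reaction == "Prevent", "process": data["Process"]})
    return events
```

If the parser returns nothing for a log that should contain a stop of your service, the signature never fired, which is the state post #8 describes rather than a reporting problem.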

                      • 8. Re: Application Service Monitoring
                        StefanT

                        Well this just point blank refuses to work for me! I have checked that the created signature settings are set to high and the reaction for high is set to prevent but nothing happens, no logging, no prevention, nothing.

                         

                        Regards

                         

                        Stef

                        • 9. Re: Application Service Monitoring
                          Sudeep Garg

                          Please use the below KB to enable debug logging.

                           

                          https://kc.mcafee.com/corporate/index?page=content&id=KB51517&actp=search&search id=1266324329922

                           

                          Collect the HIPShield.log, shield_db.log from client and the IPS rules policy export from ePO server.

                          Attach them here for review.
