Adaptive mode can help you here. It does the same thing as Learn mode, but doesn't constantly prompt the user to make a decision. Also, see page 14 of the Host IPS Best Practices Guide.
PD20748 - Host Prevention 7.x Adaptive Mode
PD20796 - Adopting Host Intrusion Prevention - Best practices for quick success
Yes... But the huge issue with that is this.
When running Skype, for instance, it floods the rule table. And before, in Learn mode, I would get constant alert messages appearing over and over again even if I clicked on ALLOW... I mean it literally had me flooded with alert messages...
So what can I do about programs such as Skype then? How can I stop these alerts flooding my rule table?
Also, these were from random ports and stuff...
It only does this behaviour when running programs like Skype. I get these constant alert warnings even if I click on ALLOW.
All the rest of the apps don't do this, such as Outlook, Google Earth, etc.
Message was edited by: mcuser999 on 2/28/11 1:17:15 PM CST
Add rules for Skype in your fw policy applied to the end nodes and enforce the policy. Learn Mode shouldn't pop up if your system has a rule in your applied policy already.
The reason I mentioned Learn Mode is that that was the way I did it before I learned about Adaptive Mode.
But in Adaptive Mode, it just flooded my rule table.
And I guess this would be the case for phoning applications, since these programs tend to LISTEN out every time, so the FW policy is constantly alerting users of this.
But it's not malware that's trying to "phone out", it's Skype...
Please explain or please post some examples of end nodes.
What rules should my policy have?
I would appreciate some examples of how you would apply it for Skype.
Now, I have >> Permit >> TCP on the following ports >> 1024-65535
Local Service is left as >> ANY for Skype.
Send a TCPView (sysinternals.com) snapshot of a working Skype conversation (without the fw) and we'll suggest firewall rules accordingly. Or, you can open a case with HIPS support for further assistance.
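As an added example (not code from any poster in this thread, nor from McAfee or Sysinternals), here is a small Python script that does by hand what the reply above asks for: it takes a TCPView-style text export captured during a working Skype call and reduces it to per-application rule candidates, so the policy can permit only the remote ports Skype actually connects to and the local ports it actually listens on, instead of TCP 1024-65535 with service ANY. The tab-separated column layout (process:pid, protocol, local address:port, remote address:port, state) and the sample lines are constructed assumptions; check them against a real TCPView export before relying on the output.

```python
"""Turn a TCPView-style socket snapshot into HIPS-style firewall rule candidates.

Added example, not from the original thread. Assumed export layout (one
socket per line, tab-separated):
    process:pid  protocol  local_addr:port  remote_addr:port  state
UDP sockets are assumed to show '*:*' as the remote endpoint and no state.
"""
from collections import defaultdict

# Constructed sample snapshot of a Skype call plus one Outlook connection.
# Addresses are documentation ranges; this is not real captured data.
SAMPLE_SNAPSHOT = (
    "Skype.exe:3412\tTCP\t192.168.1.20:51234\t203.0.113.10:443\tESTABLISHED\n"
    "Skype.exe:3412\tTCP\t192.168.1.20:51237\t198.51.100.7:80\tESTABLISHED\n"
    "Skype.exe:3412\tTCP\t192.168.1.20:51301\t203.0.113.10:443\tESTABLISHED\n"
    "Skype.exe:3412\tTCP\t0.0.0.0:60211\t0.0.0.0:0\tLISTENING\n"
    "Skype.exe:3412\tUDP\t0.0.0.0:60211\t*:*\t\n"
    "OUTLOOK.EXE:2201\tTCP\t192.168.1.20:51240\t203.0.113.99:993\tESTABLISHED\n"
)


def _split_endpoint(endpoint):
    """Split 'host:port' into (host, port); '*:*' and port 0 yield port None."""
    host, _, port = endpoint.rpartition(":")
    try:
        value = int(port)
    except ValueError:
        return host, None
    return host, (value or None)


def parse_snapshot(text):
    """Parse the assumed TCPView-like export into a list of socket records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) < 4:
            raise ValueError(f"unexpected column count: {line!r}")
        proc_pid, proto, local, remote = cols[:4]
        state = cols[4].strip().upper() if len(cols) > 4 else ""
        proc, _, pid = proc_pid.rpartition(":")
        _, lport = _split_endpoint(local)
        rhost, rport = _split_endpoint(remote)
        records.append({
            "process": proc, "pid": int(pid), "protocol": proto.strip().upper(),
            "local_port": lport, "remote_host": rhost, "remote_port": rport,
            "state": state,
        })
    return records


def suggest_rules(records, process):
    """Collapse one application's sockets into the narrowest permit rules.

    Outbound TCP is keyed on remote port (the local source port is chosen by
    the OS and varies per connection, so it is left as 'any'). TCP listeners
    and bound UDP sockets are keyed on the local port they own.
    """
    outbound = defaultdict(set)   # protocol -> remote ports connected to
    listening = defaultdict(set)  # protocol -> local ports in LISTENING state
    bound_udp = set()             # local UDP ports (send and receive)
    for r in records:
        if r["process"].lower() != process.lower():
            continue
        proto = r["protocol"]
        if proto == "UDP" and r["remote_port"] is None:
            if r["local_port"]:
                bound_udp.add(r["local_port"])
        elif r["state"] == "LISTENING":
            if r["local_port"]:
                listening[proto].add(r["local_port"])
        elif r["remote_port"]:
            outbound[proto].add(r["remote_port"])

    rules = []
    for proto in sorted(outbound):
        rules.append({"application": process, "direction": "out", "protocol": proto,
                      "local_port": "any", "remote_ports": sorted(outbound[proto])})
    for proto in sorted(listening):
        rules.append({"application": process, "direction": "in", "protocol": proto,
                      "local_ports": sorted(listening[proto]), "remote_port": "any"})
    if bound_udp:
        rules.append({"application": process, "direction": "in/out", "protocol": "UDP",
                      "local_ports": sorted(bound_udp), "remote_port": "any"})
    return rules


def format_rule(rule):
    """Render a rule candidate in the 'Permit >> ...' style used in the thread."""
    if rule["direction"] == "out":
        ports = ",".join(map(str, rule["remote_ports"]))
        return (f"Permit >> {rule['application']} >> {rule['protocol']} out >> "
                f"local any >> remote {ports}")
    ports = ",".join(map(str, rule["local_ports"]))
    return (f"Permit >> {rule['application']} >> {rule['protocol']} {rule['direction']} >> "
            f"local {ports} >> remote any")


if __name__ == "__main__":
    for rule in suggest_rules(parse_snapshot(SAMPLE_SNAPSHOT), "Skype.exe"):
        print(format_rule(rule))
```

Run it on several snapshots taken over a few calls and merge the results: the remote TCP ports are usually stable, but the local listening port (60211 in the constructed sample) is chosen at install time and can differ per machine, which is why a rule keyed on the application name rather than a fixed port is the practical choice for the inbound/UDP entries.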
I created a rule set for Skype with Permit mode for ANY Local and Remote services. That should do it.