3 Replies Latest reply on Aug 4, 2011 7:24 AM by metalhead

    HIPS + TCP traffic detection

      Hello,

      Does anyone know if this is possible...

      I am trying to track down sporadic TCP connection attempts from a PC which has HIPS installed.

      I'd like to know what process on the PC is making the attempts.

      So, if the PC is trying to connect to, say, 1.1.1.1, I'd like to get HIPS to tell me which process is doing it.

      Any ideas?

      Thanks

      A

        • 1. Re: HIPS + TCP traffic detection
          metalhead

          First I would create an allow rule with logging enabled for the specified target IP.

          Then set the Firewall troubleshooting level to debug.

          On the client there should be a FIRESVC.LOG (or quite similar) in %ALLUSERSPROFILE%\McAfee\Host Intrusion Prevention.

          Looking in this log for the specified rule should give you the answer.

          • 2. Re: HIPS + TCP traffic detection

            Hi,

            I have tried that, but it doesn't show anything of any value, just entries like this:

            08/04/2011 10:17:39 KRNLWRK[2000] VERBOSE  >> readUDP
            08/04/2011 10:17:39 KRNLWRK[2018] VERBOSE  Got WSAEWOULDBLOCK
            08/04/2011 10:17:39 KRNLWRK[2019] VERBOSE  << readUDP
            08/04/2011 10:17:39 KRNLWRK[591] VERBOSE  Waiting...
            08/04/2011 10:17:40 KRNLWRK[2000] VERBOSE  >> readUDP
            08/04/2011 10:17:40 KRNLWRK[2018] VERBOSE  Got WSAEWOULDBLOCK
            08/04/2011 10:17:40 KRNLWRK[2019] VERBOSE  << readUDP
            08/04/2011 10:17:40 KRNLWRK[591] VERBOSE  Waiting...
            08/04/2011 10:17:41 KRNLWRK[2000] VERBOSE  >> readUDP
            08/04/2011 10:17:41 KRNLWRK[2018] VERBOSE  Got WSAEWOULDBLOCK
            08/04/2011 10:17:41 KRNLWRK[2019] VERBOSE  << readUDP
            08/04/2011 10:17:41 KRNLWRK[591] VERBOSE  Waiting...
            08/04/2011 10:17:42 KRNLWRK[2000] VERBOSE  >> readUDP
            08/04/2011 10:17:42 KRNLWRK[2018] VERBOSE  Got WSAEWOULDBLOCK
            08/04/2011 10:17:42 KRNLWRK[2019] VERBOSE  << readUDP
            08/04/2011 10:17:42 KRNLWRK[591] VERBOSE  Waiting...
            08/04/2011 10:17:42 KRNLWRK[591] VERBOSE  Waiting...
            08/04/2011 10:17:42 KRNLWRK[602] VERBOSE  Got Windows Message
            08/04/2011 10:17:42 KRNLWRK[2207] VERBOSE  >> winProc
            08/04/2011 10:17:42 KRNLWRK[2223] VERBOSE  Got UDP data to read
            08/04/2011 10:17:42 KRNLWRK[2000] VERBOSE  >> readUDP

            What I need is it to log something like this:

            process name: telnet.exe

            destination 1.1.1.1

            Port: 23

            Protocol: TCP

            Can this be achieved?

            • 3. Re: HIPS + TCP traffic detection
              metalhead

              Create a rule with the option "Log matching traffic" which allows traffic to the audit destination IP.

              Then check the EVENT.LOG at the client.
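To get the per-process record the question asks for straight from the Windows TCP table, independent of the HIPS log level, here is an added example (not from this thread and not McAfee code) that polls the built-in Get-NetTCPConnection cmdlet (Windows 8 / Server 2012 and later). The 1.1.1.1 destination is the placeholder from the question; the watch window and polling interval are assumed values.

```powershell
# Added example, not from the thread: watch for outbound TCP attempts to an
# audit destination and report the owning process, in the shape the poster
# asked for. Uses the built-in Get-NetTCPConnection cmdlet (Windows 8 / 2012+).
# 1.1.1.1 is the placeholder address from the question; the watch window and
# polling interval are assumed values, kept short so SYN_SENT entries are seen.
param(
    [string]$TargetIp   = '1.1.1.1',
    [int]   $Seconds    = 300,
    [int]   $IntervalMs = 250
)

$seen     = @{}                       # de-duplicate repeated sightings of one socket
$deadline = (Get-Date).AddSeconds($Seconds)

while ((Get-Date) -lt $deadline) {
    # SynSent = attempt in flight (blocked or unanswered); Established = it got through
    $conns = Get-NetTCPConnection -RemoteAddress $TargetIp -ErrorAction SilentlyContinue |
             Where-Object { $_.State -in @('SynSent', 'Established') }

    foreach ($c in $conns) {
        $key = '{0}:{1}:{2}' -f $c.OwningProcess, $c.LocalPort, $c.RemotePort
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # The process may already have exited by the time the PID is looked up
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<exited>' }

        [pscustomobject]@{
            Time        = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
            ProcessName = $name
            PID         = $c.OwningProcess
            Destination = $c.RemoteAddress
            Port        = $c.RemotePort
            Protocol    = 'TCP'
            State       = $c.State
        }
    }
    Start-Sleep -Milliseconds $IntervalMs
}
```

Run it elevated so every PID resolves; on older Windows, `netstat -ano` shows the owning PID per connection in the same way. Security event 5156 (Audit Filtering Platform Connection) also records the application path, destination address and port for each permitted connection, which covers attempts too brief for polling to catch.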