11 Replies. Latest reply on Jan 21, 2016 1:55 AM by roxbury

    McAfee HIPS 8 is blocking Rogue System sensor.

    esvom

      Hi,

      I manage the computers with the ePO, and in the ePO I have enabled the RSD.

      I recently deployed McAfee HIPS 8 in my organization.

      When I enable the IPS, this blocks the RSD sensor.

      In the Activity Log I see the signature:

      Signature ID | Name          | Platform | Severity | Network IPS
      3700         | TCP Port Scan | Windows  | High     | Network IPS

      The action is blocked.

      I made an Exception Rule in the IPS Rules with the following configuration:

      But the block continues.

      Please help.

      Thank you.

        • 1. Re: McAfee HIPS 8 is blocking Rogue System sensor.
          Kary Tankink

          I don't see your exception rule screenshot (just shows an X), but for HIPS 8.0, an IPS exception with this Signature ID and the Remote IP Address parameter containing the single IP address or IP address range should be used.

          Also, to clarify, this is by design for any type of port scanning software (McAfee RSD & Foundstone) or any other legitimate 3rd party port scan software, since Host IPS sees network traffic only.

          Message was edited by: ktankink on 3/6/12 3:19:32 PM CST
          • 2. Re: McAfee HIPS 8 is blocking Rogue System sensor.
            brentil

            This is how I do it.

            Host Intrusion Prevention 8.0: IPS > IPS Rules (All Platforms) > My Default -> Exception Rules -> create a new exception rule

            Status = Enabled

            Signatures = 3700

            Parameters = Ignore Executables and do a new Parameter with

            If your Rogue system has more than 1 IP you have to add in all of the IPs it has.  For example our Rogue sensor is a VM with 13 IPs on it to cover all of our subnets.

            • 3. Re: McAfee HIPS 8 is blocking Rogue System sensor.
              roychoy

              I know in MHIPS7 you cannot create an exception for a Network IPS signature ID.  It might be the same in MHIPS8.

              We had the same problem, but we chose to lower the severity level.

              • 4. Re: McAfee HIPS 8 is blocking Rogue System sensor.
                brentil

                The method I describe above works in HIPS7 & HIPS8, we've been doing it for 2+ years now.

                • 5. Re: McAfee HIPS 8 is blocking Rogue System sensor.
                  Kary Tankink

                  Network IPS exceptions will work in HIPS 8.0, but they do not work in HIPS 7.0.

                  KB66283 - Documentation Correction - Host Intrusion Prevention 7.0 Product Guides for ePO 3.6.1 & 4.0, Network IPS signature exception

                  KB70876 - New features in Host Intrusion Prevention 8.0

                  New features for the IPS Rules policy:

                  - Exceptions based on IP address for Network IPS signatures

                  • 6. Re: McAfee HIPS 8 is blocking Rogue System sensor.
                    rstevekadish

                    Hi all,

                     

                    We just upgraded to HIPS 8.  I was hoping that there might be some elegant solution for this problem that would account for changing sensors.  For instance, someone in IT might take an RSS offline, or add a new one, without anyone else becoming aware.  Even if they do follow proper change control, editing the network IPS exception is an extra step.  (We currently have 60 sensors.  I have NO idea why there's that many.)

                    Is there any way to create a group in the IPS Catalog that will dynamically update itself with the IPs of rogue sensors?  Or a way to define a Network IPS Exception with a parameter that would match a sensor?

                    I'm asking a lot, I know... just hoping that someone else knows something I don't know.

                    Thanks,

                    - Steve

                    • 7. Re: McAfee HIPS 8 is blocking Rogue System sensor.
                      Kary Tankink
                      rstevekadish wrote:

                      Is there any way to create a group in the IPS Catalog that will dynamically update itself with the IPs of rogue sensors?  Or a way to define a Network IPS Exception with a parameter that would match a sensor?

                      Neither will work.  IPS configuration does not use Catalog items (these are for the Firewall).  The Sig 3700/3701 event does not know what is generating the port scan.  HIPS does not know if it's a Rogue Sensor or another type of network scanning software/device; it only sees the IP address.  The Rogue Sensor's fingerprinting option is what is triggering the port scan.
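                      The maintenance problem brentil's recipe (one exception, every sensor IP typed into its Remote IP Address parameter) and Kary's answer to Steve imply, worked as an added example that is not part of this thread and is not McAfee code: since HIPS only sees the source IP, the exception list has to be kept in step with the sensor inventory by hand, and the cheapest safeguard is a periodic reconciliation. The script compares a constructed sensor export against a constructed copy of the exception's IP list and reports sensors that would still be blocked, entries that match no current sensor (a retired sensor's address left in the exception still exempts whatever sits at that IP from port-scan detection), and ranges wider than one host. The "hostname,ip" layout, the variable names and all sample addresses are assumptions; ePO's real export format is not shown on this page.

```python
"""Reconcile a HIPS 8 signature-3700 exception's Remote IP Address list with the
current Rogue System Sensor inventory.  Added example, not McAfee code; both
inputs below are constructed stand-ins, not real ePO exports."""
import ipaddress

# Constructed stand-in for a sensor inventory export: "hostname,ip" per line.
# One VM sensor with several IPs (as in brentil's setup) plus a second sensor.
SENSOR_INVENTORY = """\
rsd-vm01,10.1.0.5
rsd-vm01,10.2.0.5
rsd-vm01,10.3.0.5
rsd-vm02,10.4.0.9
"""

# Constructed stand-in for what is currently typed into the exception's
# Remote IP Address parameter (HIPS 8 accepts single IPs or ranges).
EXCEPTION_REMOTE_IPS = ["10.1.0.5", "10.2.0.0/24", "10.9.9.9"]


def parse_inventory(text):
    """Return {ip: hostname} for every non-blank 'hostname,ip' line."""
    sensors = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, ip = (field.strip() for field in line.split(",", 1))
        sensors[str(ipaddress.ip_address(ip))] = host
    return sensors


def parse_exception(entries):
    """Turn single IPs and CIDR ranges into network objects (a lone IP becomes a /32)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def reconcile(inventory_text, exception_entries):
    """Compare the two lists and return the three findings an admin needs to act on."""
    sensors = parse_inventory(inventory_text)
    nets = parse_exception(exception_entries)
    addrs = sorted((ipaddress.ip_address(ip) for ip in sensors),
                   key=lambda a: (a.version, int(a)))

    # Sensors no exception entry covers: HIPS will keep blocking their scans.
    uncovered = [str(a) for a in addrs if not any(a in n for n in nets)]
    # Entries matching no current sensor: a retired sensor left in the exception
    # still exempts that address from port-scan detection, so remove it.
    stale = [str(n) for n in nets if not any(a in n for a in addrs)]
    # Ranges wider than one host exempt every address in them, not just sensors.
    broad = [str(n) for n in nets if n.num_addresses > 1]
    return {"uncovered_sensors": uncovered,
            "stale_entries": stale,
            "broad_entries": broad}


if __name__ == "__main__":
    for finding, items in reconcile(SENSOR_INVENTORY, EXCEPTION_REMOTE_IPS).items():
        print(f"{finding}: {', '.join(items) or 'none'}")
```

Run as-is it reports the two sensor IPs the constructed exception misses, the one entry that belongs to no sensor, and the /24 that exempts a whole subnet. In practice the two constants would be replaced by the current sensor export and the list copied out of the exception rule, and the script scheduled so a sensor added or removed without a change ticket shows up before anyone notices the blocked scans.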

                      • 8. Re: McAfee HIPS 8 is blocking Rogue System sensor.
                        rstevekadish

                        Hi Kary,

                        That's kind of what I thought.  Thanks a lot for the information!

                        - Steve

                        • 9. Re: McAfee HIPS 8 is blocking Rogue System sensor.
                          littlechrista

                          McAfee told me they would not support multiple NICs/IPs on a VM set up for Sensors. For testing, I have set up one sensor with 4 VLANs and it seems to be working, except that 3 of the 4 subnets do not show up under sensor health as active and communicating.

                          All 4 subnets show as covered under covered subnets.

                          Are all your sensors set up on a VM with multiple NICs/subnets?

                          Have you had any issues?
