4 Replies Latest reply on Aug 22, 2017 4:21 PM by maxsteel12

    "Treat match as intrusion" and "Log Matching Traffic" Query

    greatscott

      Does anyone know how to create a query to see events when, in the HIPS Firewall, a rule is created and the checkboxes "Treat match as intrusion" and "Log matching traffic" are set? I want to track this specific traffic via ePO if possible.

      Is this even possible?

        • 2. Re: "Treat match as intrusion" and "Log Matching Traffic" Query
          maxsteel12

          The firewall rule which you need to monitor for a specific system or multiple systems.

          Just duplicate the assigned IPS rule, give it a new name, type the IPS Signature 3702, and make sure its severity is set to High.

          Go back to the Firewall policy assigned to the machine or group of machines and check the box "Treat matched traffic as Intrusion". Save the firewall rule and assign it to the machine where you want to monitor firewall logs from ePO.

          Send an agent wake-up and you will be able to see the firewall logs on the ePO console.

          **Note: This is not recommended because it can fill the DB with firewall logs. Use this only for troubleshooting purposes; it will cut the dependency on collecting the activity log from the machine.**

          • 3. Re: "Treat match as intrusion" and "Log Matching Traffic" Query
            Kary Tankink

            maxsteel12 wrote:

            The firewall rule which you need to monitor for a specific system or multiple systems.

            Just duplicate the assigned IPS rule, give it a new name, type the IPS Signature 3702, and make sure its severity is set to High.

            Go back to the Firewall policy assigned to the machine or group of machines and check the box "Treat matched traffic as Intrusion". Save the firewall rule and assign it to the machine where you want to monitor firewall logs from ePO.

            Send an agent wake-up and you will be able to see the firewall logs on the ePO console.

            **Note: This is not recommended because it can fill the DB with firewall logs. Use this only for troubleshooting purposes; it will cut the dependency on collecting the activity log from the machine.**

            This is not firewall event monitoring.  Triggering Signature 3702 is generating Network IPS events that do contain some bits of detail (like IP, protocol, ports, directory, etc.) involved, but they are not Firewall events (no details about which FW triggered the intrusion, app names, etc.).  HIPS 8.0 cannot generate Firewall events back to the ePO server; use ENS 10.x if you wish to have true firewall event logging (in ENS, use the LOG MATCHING TRAFFIC per FW rule to send ePO events back to ePO).

            • 4. Re: "Treat match as intrusion" and "Log Matching Traffic" Query
              maxsteel12

              JFYI

              IP: Source & destination IP can be found in the log

              Protocol: Can be found in the log

              Port: Remote & local port can be found in the log

              Directory: I am not sure what you are talking about. This does not belong to the FW log.

              Action taken: Can be found in the log

              Traffic direction: Can be found in the log

              Which is sufficient to read the FW log