4 Replies Latest reply: Nov 14, 2012 11:04 AM by gstam

    How to enable NIPS rule? HIPS 7 & 8

    gstam

      Hi, all. I'm taking over HIPS implementation and trying to get started with carrying over policies from another product. To begin with, I want to enable a basic NIP rule for blocking TCP port scan. I think I may be missing some fundamental philosophy of managing MFE HIPS, although I've read the product guides for 7 & 8 & best practices document.


      In ePO I navigate to Host Intrusion Prevention 7.0.4:IPS > IPS Rules (All Platforms) and select my IPS rules policy. I select Network IPS under type to filter on IPS network rules, and there is my TCP port scan rule. If I further filter on Client Rules: enabled, this rule is not shown, indicating it's not enabled.


      I have an IPS Options policy that enables IPS, and a protection policy that blocks high severity events, so I assumed that would enable the rule, at least if the policies are applied correctly. But I don't see how a policy catalog can say "enabled" or "disabled" for a given NIPS rule without referring to a particular group in the tree.


      I feel I'm missing some basic understanding of how to consider the application of policies in terms of interpreting what I'm seeing. I'm working with both version 7 & 8, although they seem to work identically in this respect.


      Can anyone please help clear up my confusion?

        • 1. Re: How to enable NIPS rule? HIPS 7 & 8
          Kary Tankink
          If I further filter on Client Rules: enabled, this rule is not shown, indicating it's not enabled.

          The Client Rules option states that this signature will automatically create IPS exceptions when Host/Network IPS is put in Adaptive mode. Signature 3700 (TCP Port Scan) does not automatically create client rules in Adaptive mode... by default. This should be ignored, though, as it's not relevant to what you are trying to accomplish.


          Can anyone please help clear up my confusion?

          To block TCP Port Scan events, you'll want to ensure the following on a system:

          1. This client has an IPS Options policy that enables Network IPS.
          2. This client has an IPS Protection policy that enables HIGH Severity to BLOCK.
          3. This client has an IPS Rules policy that has Signature 3700 set to HIGH Severity (it is by default).
          4. This client has an IPS Rules policy that has no IPS exceptions for Signature 3700 (there are none by default).


          To test this on a client, you can use port scanner software (i.e. NMAP; I use the default scan task) to scan this system and Signature 3700 will trigger (does not matter if the HIPS Firewall is on or off).

          • 2. Re: How to enable NIPS rule? HIPS 7 & 8
            gstam

            Thanks, Kary, that is what I understood. To further refine my question, I still don't understand what the "enabled/disabled" filter on my IPS Rules policy is showing me. I navigated to a part of the tree where NIPS was enabled, protection was set to block high severity, and rule 3700 was set as high. We have no exception policies.


            Yet when I set the search filters on the IPS rules page to "Network IPS" under "Type" and "Enabled" under "Client rules" I get no results.


            If this rule is enabled for at least part of the system tree, why doesn't it show up as "enabled" when I search in the IPS rules screen?

            • 3. Re: How to enable NIPS rule? HIPS 7 & 8
              Kary Tankink

              The filter you are using shows the signatures that have LOG STATUS and CLIENT RULES set to Enabled or Disabled.


              [Attached screenshots: 1.jpg, 2.jpg]

              • 4. Re: How to enable NIPS rule? HIPS 7 & 8
                gstam

                Thanks for the clarification, that makes sense now.