1309 Views, 4 Replies. Latest reply: Nov 14, 2012 11:04 AM by gstam
gstam, Newcomer, 23 posts since Nov 9, 2012

Nov 12, 2012 12:21 PM

How to enable NIPS rule? HIPS 7 & 8

Hi, all. I'm taking over HIPS implementation and trying to get started with carrying over policies from another product. To begin with, I want to enable a basic NIPS rule for blocking TCP port scan. I think I may be missing some fundamental philosophy of managing MFE HIPS, although I've read the product guides for 7 & 8 & best practices document.

In ePO I navigate to Host Intrusion Prevention 7.0.4:IPS > IPS Rules (All Platforms) and select my IPS rules policy. I select Network IPS under type to filter on IPS network rules, and there is my TCP port scan rule. If I further filter on Client Rules: enabled, this rule is not shown, indicating it's not enabled.


I have an IPS Options policy that enables IPS, and a protection policy that blocks high severity events, so I assumed that would enable the rule, at least if the policies are applied correctly. But I don't see how a policy catalog can say "enabled" or "disabled" for a given NIPS rule without referring to a particular group in the tree.


I feel I'm missing some basic understanding of how to consider the application of policies in terms of interpreting what I'm seeing. I'm working with both version 7 & 8, although they seem to work identically in this respect.

Can anyone please help clear up my confusion?

  • Kary Tankink, McAfee Employee, 655 posts since Mar 3, 2010
    1. Nov 12, 2012 3:54 PM (in response to gstam)
    Re: How to enable NIPS rule? HIPS 7 & 8
    If I further filter on Client Rules: enabled, this rule is not shown, indicating it's not enabled.

    The Client Rules option states that this signature will automatically create IPS exceptions when Host/Network IPS is put in Adaptive mode. Signature 3700 (TCP Port Scan) does not automatically create client rules in Adaptive mode by default. This should be ignored, though, as it's not relevant to what you are trying to accomplish.

    Can anyone please help clear up my confusion?

    To block TCP Port Scan events, you'll want to ensure the following on a system:

    1. This client has an IPS Options policy that enables Network IPS.
    2. This client has an IPS Protection policy that enables HIGH Severity to BLOCK.
    3. This client has an IPS Rules policy that has Signature 3700 set to HIGH Severity (it is by default).
    4. This client has an IPS Rules policy that has no IPS exceptions for Signature 3700 (there are none by default).

    To test this on a client, you can use port scanner software (e.g. NMAP; I use the default scan task) to scan this system, and Signature 3700 will trigger (it does not matter if the HIPS Firewall is on or off).
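The four points above describe an effective state that ePO derives from three separate policies, not an enabled/disabled flag stored on the signature, which is why the policy catalog cannot show it per rule. The following is an added example (not code from the thread, McAfee, or ePO) that models that derivation for one signature on one client and reports which policy is preventing a block. The dataclass layout, the severity names other than "High", and the reaction names ("Ignore", "Log", "Block") are simplifying assumptions, and all sample data is constructed.

```python
# Added example: derive the effective reaction for one IPS signature on one
# client from the IPS Options, IPS Protection and IPS Rules policies.
# Policy layout, severity/reaction names and sample values are assumptions
# constructed to mirror the answer above; they are not ePO's schema.
from dataclasses import dataclass, field


@dataclass
class IpsOptions:
    host_ips_enabled: bool
    network_ips_enabled: bool


@dataclass
class IpsProtection:
    # severity level -> reaction ("Ignore", "Log" or "Block"); assumed names
    reaction_for: dict


@dataclass
class IpsRules:
    severity_of: dict                              # signature id -> severity
    exceptions: set = field(default_factory=set)   # signature ids excepted


@dataclass
class Signature:
    sig_id: int
    name: str
    kind: str                    # "Network" or "Host"
    client_rules: bool = False   # Adaptive-mode flag; deliberately NOT an
                                 # on/off switch and ignored below


def diagnose(sig, options, protection, rules):
    """Return the reasons the signature would NOT block; empty list = blocks."""
    problems = []
    if sig.kind == "Network" and not options.network_ips_enabled:
        problems.append("IPS Options policy: Network IPS is disabled")
    if sig.kind == "Host" and not options.host_ips_enabled:
        problems.append("IPS Options policy: Host IPS is disabled")
    sev = rules.severity_of.get(sig.sig_id, "Disabled")
    if sev == "Disabled":
        problems.append("IPS Rules policy: signature severity is Disabled")
    else:
        reaction = protection.reaction_for.get(sev, "Ignore")
        if reaction != "Block":
            problems.append(f"IPS Protection policy: severity {sev} is set "
                            f"to {reaction}, not Block")
    if sig.sig_id in rules.exceptions:
        problems.append("IPS Rules policy: an exception exists for this signature")
    return problems


def effective_reaction(sig, options, protection, rules):
    """'Block', 'Log' or 'Ignore' for this signature on this client."""
    if sig.kind == "Network" and not options.network_ips_enabled:
        return "Ignore"
    if sig.kind == "Host" and not options.host_ips_enabled:
        return "Ignore"
    if sig.sig_id in rules.exceptions:
        return "Ignore"
    sev = rules.severity_of.get(sig.sig_id, "Disabled")
    if sev == "Disabled":
        return "Ignore"
    return protection.reaction_for.get(sev, "Ignore")


# Constructed sample: signature 3700 as described in the thread (default
# severity High, no exceptions, Client Rules off) and two client configs.
SIG_3700 = Signature(3700, "TCP Port Scan", "Network", client_rules=False)
RULES_DEFAULT = IpsRules(severity_of={3700: "High"})
PROTECTION_BLOCK_HIGH = IpsProtection({"High": "Block", "Medium": "Log",
                                       "Low": "Ignore"})
# Client A satisfies all four points in the answer.
CLIENT_A = IpsOptions(host_ips_enabled=True, network_ips_enabled=True)
# Client B has Host IPS on but Network IPS off, so the same rules policy
# cannot block a Network signature there.
CLIENT_B = IpsOptions(host_ips_enabled=True, network_ips_enabled=False)

if __name__ == "__main__":
    for label, opts in (("client A", CLIENT_A), ("client B", CLIENT_B)):
        print(label,
              effective_reaction(SIG_3700, opts, PROTECTION_BLOCK_HIGH, RULES_DEFAULT),
              diagnose(SIG_3700, opts, PROTECTION_BLOCK_HIGH, RULES_DEFAULT))
```

Running it prints "Block" with an empty problem list for client A and "Ignore" with the Network IPS reason for client B, which is the situation the question describes: the same IPS Rules policy, with signature 3700 at High, is "enabled" on one client and not on another purely because of which IPS Options and IPS Protection policies that client's group is assigned.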

  • Kary Tankink, McAfee Employee, 655 posts since Mar 3, 2010
    3. Nov 14, 2012 10:49 AM (in response to gstam)
    Re: How to enable NIPS rule? HIPS 7 & 8

    The filter you are using shows the signatures that have LOG STATUS and CLIENT RULES set to Enabled or Disabled.

    [attached screenshots: 1.jpg, 2.jpg]
