1 Reply Latest reply on Feb 25, 2009 2:08 PM by nuditarian

    Can HIPS 7.03 detect MS08-067 activity?

      I'm implementing HIPS703, with EPO4 and VSE 8.5i and 8.7i. Can anyone explain how to get HIPS to flag attempts at exploiting a particular vulnerability, in this case MS08-067?
        • 1. Solution
          Just in case anyone else is trying to get this going:

          Event Category: Belongs to: Host Intrusion
          and
          Threat Name: Equals: 3961

          Searching for the rule in your IPS Rules in EPO doesn't help much, because the name doesn't include the MS KB# (KB958644), the Bulletin Number (MS08-067), or the generic CVE# (CVE-2008-4250). The description contains the CVE#, but there is no way to search on this, AFAIK.

          The name of the threat is "Vulnerability in Server Service Could Allow Remote Code Execution", and the ID is 3961. If you create a query with the above filters (Event Category and Threat Name), you will see any attempts to exploit MS08-067.