Okay...I believe I may have figured this out.
Perhaps someone else will also test and verify, or perhaps improve. Thanks in advance.
Setup a new AutoResponse in ePO.
- Event Group - ePO Notification Event
- Event Type - Threat
- Defined at - My Organization (or wherever you would like)
- Threat Name: Equals 3700 (for TCP or use 3701 for UDP)
- Trigger this response for every event
- Send Email
Configure according to your preferences.
I actually created two Autoresponses so I'd have one for TCP and another for UDP.
If you try filtering on the Event ID of 18001 you'll get every Network IPS detection from HIPS so I'd recommend sticking with Threat Name.
Of course this is just a recommendation...please test prior to implementing in production.
Hope this helps,
Yep, this looks like it would work. The key here being the Threat Name for Signature 3700 and 3701, since those are specific to the TCP/UDP port scan signatures. As you noticed, all HIPS events fall under just a few ePO Event IDs: 18000-18003 and 18999. 18001 is Network IPS signatures.
KB65559 - List of the McAfee Host Intrusion Prevention 7.0 / 8.0 events supported by ePO 4.x
I'm also finding out that we need to exclude Rogue Sensors as they apparently are performing TCP Port Scans.
Going to have to discuss this with the PM as the sensors should either be automatically excluded from this rule or configurable to not perform a port scan.
Why do they run a Port Scan anyway? If they are checking for the McAfee Agent then they are already configured to look at a specific port...right?
Rogue Sensors perform OS Fingerprinting (to detect the operating system), which is enabled by default. Disable this feature, and RSD sensors will no longer port scan devices.
There's no way to automatically exclude them since HIPS does not know what is doing the port scanning. It just knows that a remote IP address is sending packets in a sequence that triggers the port scan signatures. Same with Foundstone scanners and any other third party legitimate port scanning solutions.
For HIPS 8.0, create a Network IPS exception for legitimate port scanning devices.
KB77236 - How to create Network IPS exceptions for Host Intrusion Prevention
Sean Slattery wrote:
I usually configure the IP addresses of the Rogue Sensors and similar e.g. MVM in the Trusted Networks policy as Trust for IPS.
This was the solution for HIPS 7.0, and it still applies to HIPS 8.0, but is no longer necessary since you can write IPS exceptions for Network IPS signatures in HIPS 8.0. Using this new method is actually more secure, since you can specify which specific Network IPS signatures to except, rather than all of them.
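Added example, not from the thread or from McAfee: a small Python model of the two points made above, filtering an ePO threat-event feed on Threat Name 3700/3701 rather than on Event ID 18001, and then suppressing a legitimate scanner (a Rogue Sensor or MVM host) either with a Trusted Networks style "trust for IPS" rule or with HIPS 8.0 style per-signature exceptions. The pipe-delimited feed, the field layout, the scanner address 198.51.100.10 and the placeholder signature 3001 are all constructed for the example; ePO's real event export looks different.

```python
"""Model of the AutoResponse filter and scanner exclusions discussed in the thread.

Constructed example: the feed format, field names and sample addresses are
assumptions, not ePO's real export. Only the numbers 18001, 3700 and 3701 come
from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NETWORK_IPS_EVENT_ID = 18001            # ePO event ID covering all HIPS Network IPS signatures
PORT_SCAN_SIGNATURES = {"3700", "3701"}  # TCP and UDP port scan signatures (Threat Name field)


@dataclass(frozen=True)
class ThreatEvent:
    event_id: int
    threat_name: str   # HIPS signature ID as it appears in the ePO Threat Name field
    source_ip: str
    target_host: str


# Constructed sample feed: event_id|threat_name|source_ip|target_host
# 198.51.100.10 plays the role of a Rogue Sensor; 3001 stands in for any other
# Network IPS signature (placeholder, not a real signature number).
SAMPLE_FEED = """\
18001|3700|192.0.2.50|web01
18001|3701|192.0.2.50|web01
18001|3001|192.0.2.60|web02
18001|3700|198.51.100.10|db01
18001|3701|198.51.100.10|db01
18001|3001|198.51.100.10|db01
"""


def parse_feed(text):
    """Parse the constructed feed into ThreatEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, threat_name, source_ip, target_host = line.split("|")
        events.append(ThreatEvent(int(event_id), threat_name, source_ip, target_host))
    return events


def match_by_event_id(events):
    """What a response filtered on Event ID 18001 fires on: every Network IPS detection."""
    return [e for e in events if e.event_id == NETWORK_IPS_EVENT_ID]


def match_by_threat_name(events):
    """What the thread recommends: only the port scan signatures."""
    return [e for e in events if e.threat_name in PORT_SCAN_SIGNATURES]


def apply_trusted_networks(events, trusted_networks):
    """Trusted Networks 'trust for IPS' model: every signature from these networks is dropped."""
    nets = [ip_network(n) for n in trusted_networks]
    return [e for e in events if not any(ip_address(e.source_ip) in n for n in nets)]


def apply_ips_exceptions(events, exceptions):
    """HIPS 8.0 exception model: drop only the listed (signature, source network) pairs.

    Other signatures from the same source still fire, which is the narrower
    exposure the last post describes.
    """
    rules = [(sig, ip_network(n)) for sig, n in exceptions]

    def excepted(e):
        return any(e.threat_name == sig and ip_address(e.source_ip) in net for sig, net in rules)

    return [e for e in events if not excepted(e)]


def port_scan_alerts(events, scanner_networks):
    """Pipeline the thread arrives at: per-signature exceptions, then the Threat Name filter."""
    exceptions = [(sig, net) for net in scanner_networks for sig in PORT_SCAN_SIGNATURES]
    return match_by_threat_name(apply_ips_exceptions(events, exceptions))


if __name__ == "__main__":
    events = parse_feed(SAMPLE_FEED)
    scanner = ["198.51.100.10/32"]  # constructed Rogue Sensor address
    print("Event ID 18001 filter:", len(match_by_event_id(events)), "events")
    print("Threat Name 3700/3701 filter:", len(match_by_threat_name(events)), "events")
    print("Trusted Networks leaves:", len(apply_trusted_networks(events, scanner)), "events")
    print("Per-signature exceptions leave:", len(port_scan_alerts(events, scanner)), "port scan alerts")
    for e in port_scan_alerts(events, scanner):
        print("  alert:", e)
```

Running it against the constructed feed shows the difference the thread is talking about: the Event ID filter matches all six events, the Threat Name filter only the four port scan events, and once the scanner address is excepted for 3700 and 3701 only the two hits from 192.0.2.50 remain, while the scanner's non-port-scan event (the placeholder 3001) still reaches the response, which it would not under a Trusted Networks rule.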