I've been playing with this for a while and can't seem to get it right. Anyone have a proven method for receiving an email notification as soon as a port scan is detected by a HIPS 8 workstation? This is basically to counter the argument from the auditors who say they can plug in and run port scans unnoticed in the environment. We are blocking them but they say we don't know they are there until after they've handed us their results. Just looking to be proactive. Would be nice to walk in on them and tell them to stop scanning the ports on our machines with an alert or email in hand.
I'm finding the Network IPS 3700 (TCP) or 3701 (UDP) events to be sorted and lumped into a generic ID in the ePO event IDs as they are both listed as 18001. This appears to be just a catch all ID for NIPS detections. Need something a bit more specific. Any advice would be most appreciated.
Okay...I believe I may have figured this out.
Perhaps someone else will also test and verify, or perhaps improve. Thanks in advance.
Set up a new AutoResponse in ePO.
Configure according to your preferences.
I actually created two AutoResponses so I'd have one for TCP and another for UDP.
If you try filtering on the Event ID of 18001 you'll get every Network IPS detection from HIPS so I'd recommend sticking with Threat Name.
Of course this is just a recommendation...please test prior to implementing in production.
Hope this helps,
Yep, this looks like it would work. The key here being the Threat Name for Signature 3700 and 3701, since those are specific to the TCP/UDP port scan signatures. As you noticed, all HIPS events fall under just a few ePO Event IDs 18000-18003, 18999. 18001 is Network IPS signatures.
KB65559 - List of the McAfee Host Intrusion Prevention 7.0 / 8.0 events supported by ePO 4.x
I'm also finding out that we need to exclude Rogue Sensors as they apparently are performing TCP Port Scans.
Going to have to discuss this with the PM as the sensors should either be automatically excluded from this rule or configurable to not perform a port scan.
Why do they run a Port Scan anyway? If they are checking for the McAfee Agent then they are already configured to look at a specific port...right?
Rogue Sensors perform OS Fingerprinting (to detect the operating system), which is enabled by default. Disable this feature, and RSD sensors will no longer port scan devices.
There's no way to automatically exclude them since HIPS does not know what is doing the port scanning. It just knows that a remote IP address is sending packets in a sequence that triggers the port scan signatures. Same with Foundstone scanners and any other third party legitimate port scanning solutions.
For HIPS 8.0, create a Network IPS exception for legitimate port scanning devices.
KB77236 - How to create Network IPS exceptions for Host Intrusion Prevention
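The two points made in this thread, filter on the port-scan signatures (3700 TCP / 3701 UDP) rather than the catch-all event ID 18001, and exempt sanctioned scanners such as RSD sensors instead of ignoring all scans, are what the ePO AutoResponse plus a Network IPS exception give you in the console. The script below is an added example (not from any poster, not McAfee code, and not the ePO schema) that applies the same logic to exported HIPS events, for instance when the events are forwarded to a SIEM or a mail script. The event field names, the threat name strings and the sample events and addresses are all constructed for the example; the real Threat Name string should be copied from an actual ePO event.

```python
"""Triage HIPS Network IPS events: alert on port scans, suppress trusted scanners.

Constructed example. Field names are assumptions for this script, not ePO's
database schema; signature IDs and event ID come from the thread above.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# ePO folds every HIPS Network IPS detection into this single event ID, so
# filtering on it alone fires on every NIPS signature, not just port scans.
EPO_NIPS_EVENT_ID = 18001

# HIPS Network IPS port-scan signatures named in the thread.
PORT_SCAN_SIGNATURES = {3700: "TCP", 3701: "UDP"}


@dataclass(frozen=True)
class NipsEvent:
    """One exported threat event (assumed field names)."""
    event_id: int
    signature_id: int
    threat_name: str
    source_ip: str
    target_host: str


def is_port_scan(event: NipsEvent) -> bool:
    """Match on the port-scan signatures, not on the generic 18001 alone."""
    return (event.event_id == EPO_NIPS_EVENT_ID
            and event.signature_id in PORT_SCAN_SIGNATURES)


def is_trusted_scanner(ip: str, trusted: Iterable[str]) -> bool:
    """Mirror of a Network IPS exception: sanctioned scanners (RSD sensors,
    vulnerability scanners) are listed as hosts or CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in trusted)


def triage(events: Iterable[NipsEvent],
           trusted: Iterable[str]) -> Tuple[List[NipsEvent], List[NipsEvent]]:
    """Return (alerts, suppressed). Non-port-scan events are dropped."""
    alerts, suppressed = [], []
    for ev in events:
        if not is_port_scan(ev):
            continue
        if is_trusted_scanner(ev.source_ip, trusted):
            suppressed.append(ev)
        else:
            alerts.append(ev)
    return alerts, suppressed


def format_alert(ev: NipsEvent) -> str:
    """One line suitable for the body of a notification e-mail."""
    proto = PORT_SCAN_SIGNATURES[ev.signature_id]
    return (f"{proto} port scan: {ev.source_ip} -> {ev.target_host} "
            f"(signature {ev.signature_id}, '{ev.threat_name}')")


# Constructed sample data: threat names, hosts and addresses are placeholders.
SAMPLE_EVENTS = [
    NipsEvent(18001, 3700, "TCP Port Scan", "192.0.2.77", "WKS-0042"),   # unknown laptop
    NipsEvent(18001, 3701, "UDP Port Scan", "192.0.2.77", "WKS-0042"),   # same source, UDP
    NipsEvent(18001, 3700, "TCP Port Scan", "10.0.5.10", "WKS-0042"),    # RSD sensor
    NipsEvent(18001, 3700, "TCP Port Scan", "10.0.6.200", "WKS-0017"),   # scanner subnet
    NipsEvent(18001, 9999, "Other NIPS signature", "192.0.2.77", "WKS-0042"),  # placeholder id
    NipsEvent(18000, 3700, "Not a NIPS event", "192.0.2.77", "WKS-0042"),  # different event ID
]

# Constructed exception list: one RSD sensor host and a vulnerability-scanner range.
TRUSTED_SCANNERS = ["10.0.5.10/32", "10.0.6.0/24"]


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS, TRUSTED_SCANNERS)
    for ev in alerts:
        print("ALERT    ", format_alert(ev))
    for ev in suppressed:
        print("SUPPRESS ", format_alert(ev), "[trusted scanner]")
```

With the sample data, only the two events from 192.0.2.77 produce alerts; the RSD sensor and the scanner subnet are suppressed, and the two events that are not port-scan NIPS detections are dropped, which is exactly the difference between filtering on Threat Name/signature and filtering on event ID 18001.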
Sean Slattery wrote:
I usually configure the IP addresses of the Rogue Sensors and similar e.g. MVM in the Trusted Networks policy as Trust for IPS.
This was the solution for HIPS 7.0, and it still applies to HIPS 8.0, but is no longer necessary since you can write IPS exceptions for Network IPS signatures in HIPS 8.0. Using this new method is actually more secure, since you can specify which specific Network IPS signatures to except, rather than all of them.
I don't disagree but there is usually a compromise (security vs effort) for the ePO admin if they are also managing many other products and "disabling" protection for an internal host is deemed an acceptable risk.