1168 Views 7 Replies Latest reply: Jul 19, 2013 10:32 AM by Sean Slattery
londonsec Newcomer 18 posts since
Sep 20, 2011

Jul 3, 2013 11:20 AM

Need to Get Alerts upon Port Scan detection

I've been playing with this for a while and can't seem to get it right.  Anyone have a proven method for receiving an email notification as soon as a port scan is detected by a HIPS 8 workstation?  This is basically to counter the argument from the auditors who say they can plug in and run port scans unnoticed in the environment.  We are blocking them but they say we don't know they are there until after they've handed us their results.  Just looking to be proactive.  Would be nice to walk in on them and tell them to stop scanning the ports on our machines with an alert or email in hand.


I'm finding the Network IPS 3700 (TCP) or 3701 (UDP) events to be sorted and lumped into a generic ID in the ePO event IDs as they are both listed as 18001.  This appears to be just a catch all ID for NIPS detections.  Need something a bit more specific.  Any advice would be most appreciated.


Thanks


Security is a process...NOT a product.
Learn and understand how to properly use the tools to fit within your processes.

  • Kary Tankink McAfee Employee 655 posts since
    Mar 3, 2010
    2. Jul 3, 2013 3:45 PM (in response to londonsec)
    Re: Need to Get Alerts upon Port Scan detection

    Yep, this looks like it would work.  The key here being the Threat Name for Signature 3700 and 3701, since those are specific to the TCP/UDP port scan signatures.  As you noticed, all HIPS events fall under just a few ePO Event IDs 18000-18003, 18999.  18001 is Network IPS signatures.


    KB65559 - List of the McAfee Host Intrusion Prevention 7.0 / 8.0 events supported by ePO 4.x

  • Kary Tankink McAfee Employee 655 posts since
    Mar 3, 2010
    4. Jul 3, 2013 4:51 PM (in response to londonsec)
    Re: Need to Get Alerts upon Port Scan detection

    Rogue Sensors perform OS Fingerprinting (to detect the operating system), which is enabled by default.  Disable this feature, and RSD sensors will no longer port scan devices.


    There's no way to automatically exclude them since HIPS does not know what is doing the port scanning.  It just knows that a remote IP address is sending packets in a sequence that triggers the port scan signatures.  Same with Foundstone scanners and any other third party legitimate port scanning solutions.


    For HIPS 8.0, create a Network IPS exception for legitimate port scanning devices.


    KB77236 - How to create Network IPS exceptions for Host Intrusion Prevention

    https://kc.mcafee.com/corporate/index?page=content&id=KB77236
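    As an added illustration of the filtering logic these two replies describe (not McAfee's own code or ePO's schema): keep only ePO event ID 18001 records whose signature is 3700 or 3701, then drop hits from source addresses that have been given a Network IPS exception for just those two signatures. The record field names and all sample values are constructed for the example.

```python
# Added example: select HIPS port-scan detections from constructed ePO-style
# event records and except authorised scanners (e.g. Rogue Sensors, MVM).
# Field names are assumed, not McAfee's schema; 18001/3700/3701 are the
# values cited in the thread.
from ipaddress import ip_address, ip_network

EPO_NIPS_EVENT_ID = 18001            # ePO event ID covering Network IPS signatures
PORT_SCAN_SIGNATURES = {3700: "TCP port scan", 3701: "UDP port scan"}


def port_scan_alerts(events, trusted_scanners=()):
    """Return the events that should raise an email alert.

    events: iterable of dicts with keys 'event_id', 'signature_id',
            'source_ip', 'host' (assumed names).
    trusted_scanners: CIDR strings for legitimate scanners. They are excepted
            for signatures 3700/3701 only, mirroring a Network IPS exception
            rather than a blanket 'Trust for IPS' entry.
    """
    trusted = [ip_network(n) for n in trusted_scanners]
    alerts = []
    for ev in events:
        if ev.get("event_id") != EPO_NIPS_EVENT_ID:
            continue                      # not a Network IPS detection at all
        sig = ev.get("signature_id")
        if sig not in PORT_SCAN_SIGNATURES:
            continue                      # some other NIPS signature, not a port scan
        src = ip_address(ev["source_ip"])
        if any(src in net for net in trusted):
            continue                      # authorised scanner: covered by the exception
        alerts.append({**ev, "threat": PORT_SCAN_SIGNATURES[sig]})
    return alerts


# Constructed sample events (not real ePO output); 9999 is a placeholder signature
SAMPLE_EVENTS = [
    {"event_id": 18001, "signature_id": 3700, "source_ip": "10.0.5.23", "host": "WS-101"},
    {"event_id": 18001, "signature_id": 3701, "source_ip": "10.0.9.9", "host": "WS-102"},  # Rogue Sensor
    {"event_id": 18001, "signature_id": 9999, "source_ip": "10.0.5.23", "host": "WS-101"},  # other NIPS sig
    {"event_id": 18000, "signature_id": 3700, "source_ip": "10.0.5.23", "host": "WS-101"},  # not a NIPS ID
]

if __name__ == "__main__":
    for a in port_scan_alerts(SAMPLE_EVENTS, trusted_scanners=["10.0.9.0/24"]):
        print(f"ALERT {a['threat']} from {a['source_ip']} against {a['host']}")
```

    Feed the returned list to whatever mail or ticketing hook the ePO automatic response already invokes; the function only decides which records deserve the alert.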

  • Sean Slattery Apprentice 53 posts since
    Oct 3, 2010
    5. Jul 3, 2013 5:18 PM (in response to londonsec)
    Re: Need to Get Alerts upon Port Scan detection

    I usually configure the IP addresses of the Rogue Sensors and similar e.g. MVM in the Trusted Networks policy as Trust for IPS.

  • Kary Tankink McAfee Employee 655 posts since
    Mar 3, 2010
    6. Jul 3, 2013 5:29 PM (in response to Sean Slattery)
    Re: Need to Get Alerts upon Port Scan detection

    Sean Slattery wrote:

    I usually configure the IP addresses of the Rogue Sensors and similar e.g. MVM in the Trusted Networks policy as Trust for IPS.

    This was the solution for HIPS 7.0, and it still applies to HIPS 8.0, but is no longer necessary since you can write IPS exceptions for Network IPS signatures in HIPS 8.0.  Using this new method is actually more secure, since you can specify which specific Network IPS signatures to except, rather than all of them.

  • Sean Slattery Apprentice 53 posts since
    Oct 3, 2010
    7. Jul 19, 2013 10:32 AM (in response to Kary Tankink)
    Re: Need to Get Alerts upon Port Scan detection

    I don't disagree but there is usually a compromise (security vs effort) for the ePO admin if they are also managing many other products and "disabling" protection for an internal host is deemed an acceptable risk.
