1 Reply. Latest reply: Oct 9, 2013 10:09 AM by Kary Tankink
keith2045 Newcomer 29 posts since
May 17, 2012

Oct 9, 2013 7:26 AM

HIPS Activity Log

I'm creating some HIPS rules based on the activity log, but the log is confusing to me. For example here is an entry


Blocked Incoming TCP - Source 10.0.1.10: (3269) Destination: 10.0.12.3 (53065)


The machine that this entry came from is 10.0.1.10 (the source). The way I'm reading that entry:


HIPS blocked an incoming TCP packet coming from 10.0.1.10 (the machine I'm on) and going to 10.0.12.3. The only other thing that I can think of is that the request initiated from 10.0.12.3, so HIPS blocked the packet from going out, but why wouldn't it say "Blocked Outgoing TCP..."?

  • Kary Tankink McAfee Employee 659 posts since
    Mar 3, 2010
    1. Oct 9, 2013 10:09 AM (in response to keith2045)
    Re: HIPS Activity Log

    You are reading the log correctly (for Incoming traffic, the Source IP is usually the Remote IP address; Destination is usually the local IP address or broadcast/multicast address).


    In this case, it appears the Source 10.0.1.10 is trying to initiate a new connection into 10.0.12.3. It's also possible that if the 10.0.12.3 client did send this as an outgoing packet initially (which was allowed), the connection (in the state table) was closed by the time the response came back, hence HIPS will see it as a new (blocked) Inbound connection.
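As an added example (not code from the thread or from McAfee), the following parser applies the reading Kary gives: for Incoming entries the Source is the remote side and the Destination the local side, and the reverse for Outgoing. It also flags blocked Incoming entries whose local port is in the ephemeral range while the remote port is a service port, a heuristic (my assumption, not a HIPS feature) for the "state table entry already closed" case, where the block is really a late reply to a connection the local host opened. The sample lines other than the one from the question are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample log: line 1 is the entry from the question, the rest are made up.
SAMPLE_LOG = """\
Blocked Incoming TCP - Source 10.0.1.10: (3269) Destination: 10.0.12.3 (53065)
Blocked Incoming TCP - Source 203.0.113.7: (51234) Destination: 10.0.12.3 (3389)
Blocked Outgoing UDP - Source 10.0.12.3: (55000) Destination: 198.51.100.9 (161)
"""

# Matches the "Blocked Incoming TCP - Source A: (p) Destination: B (q)" format quoted above.
LINE_RE = re.compile(
    r"^(?P<action>\w+) (?P<direction>Incoming|Outgoing) (?P<proto>\w+) - "
    r"Source (?P<src>[\d.]+): \((?P<sport>\d+)\) "
    r"Destination: (?P<dst>[\d.]+) \((?P<dport>\d+)\)$"
)

EPHEMERAL_START = 49152  # start of the IANA dynamic/private port range


@dataclass
class HipsEntry:
    action: str
    direction: str
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int

    def likely_late_response(self) -> bool:
        """Heuristic (assumption): a blocked Incoming entry with an ephemeral local
        port and a service remote port looks like a reply to a connection this
        host opened earlier, blocked because its state-table entry had closed."""
        return (self.direction == "Incoming"
                and self.local_port >= EPHEMERAL_START
                and self.remote_port < EPHEMERAL_START)


def parse_entry(line: str):
    """Parse one activity-log line; return None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    if g["direction"] == "Incoming":  # Source is remote, Destination is local
        remote_ip, remote_port, local_ip, local_port = g["src"], int(g["sport"]), g["dst"], int(g["dport"])
    else:                             # Outgoing: Source is local, Destination is remote
        local_ip, local_port, remote_ip, remote_port = g["src"], int(g["sport"]), g["dst"], int(g["dport"])
    return HipsEntry(g["action"], g["direction"], g["proto"], local_ip, local_port, remote_ip, remote_port)


def parse_log(text: str):
    """Parse every recognisable line of an activity-log excerpt."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]
```

Entries the heuristic flags are candidates for a stateful or outbound rule rather than an inbound allow, since opening the local ephemeral port range inbound would be far broader than the traffic actually needed.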
