Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
739 Views 5 Replies Latest reply: Dec 10, 2013 2:54 PM by kenobe RSS
kenobe Apprentice 90 posts since
Mar 15, 2012
Currently Being Moderated

Nov 12, 2013 3:43 PM

HIPS 8 IPS - Enabling 6010 & 6011 - Severity Change?

Hi all,

 

We're toying with enabling signatures 6010 and 6011 in our HIPS 8 IPS rules.  Their severity in the signature list is set to Disabled by default.  We changed them to Medium.  Then, we went into Exception Rules, imported those signatures into a new exception rule, and they show up as DISABLED.

 

Does this mean they're still disabled or is that severity setting not accurate, and things will work as intended?

 

Thanks for any help.

 

Ken

  • c14us Newcomer 10 posts since
    Aug 22, 2013
    Currently Being Moderated
    1. Nov 14, 2013 4:12 PM (in response to kenobe)
    Re: HIPS 8 IPS - Enabling 6010 & 6011 - Severity Change?

    Hi Ken

     

    Think you are using an unortodoks practice.

    Do this instead.

     

    Make a new policy rule where 6010 and 6011 are enabled

    In the assignmen create a new Policy Instance and add your new rule.

    Verify the rules are enabled by using the View effective police function at the assignment

    And finaly test, test and test

     

    Regards

    Claus

  • Kary Tankink McAfee Employee 655 posts since
    Mar 3, 2010
    Currently Being Moderated
    2. Nov 14, 2013 5:33 PM (in response to kenobe)
    Re: HIPS 8 IPS - Enabling 6010 & 6011 - Severity Change?

    kenobe wrote:

    Does this mean they're still disabled or is that severity setting not accurate, and things will work as intended?

    It's only a UI issue.  It's just showing the default state of the siganture; not the actual modified state.  Make sure you're on the latest extension (HIPS 8.0.3.762), as this was fixed in one of the more recent versions.

     

     

     

    PD23958 - Host Intrusion Prevention 8.0.0.563 Extension Release Notes

     

    Issue: When an IPS signature is edited to alter the severity, the default severity is retained. (Reference: 722290)

    Resolution: The severity level is now correctly modified and displayed.

  • c14us Newcomer 10 posts since
    Aug 22, 2013
    Currently Being Moderated
    4. Dec 10, 2013 2:22 PM (in response to kenobe)
    Re: HIPS 8 IPS - Enabling 6010 & 6011 - Severity Change?

    Sorry Kenobe

     

    I misunderstood your question. Did not know that flaw.

    But I would very much like to know, how valueble you find the new information you gained by enabling 6010 & 6011. Would you mind writing a bit of your findings?

     

    Regards

    Claus

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points