843 Views 8 Replies Latest reply: Jan 10, 2014 8:24 PM by smalldog
fabiano.carmo Newcomer 4 posts since
Dec 3, 2013
Dec 3, 2013 6:54 AM

RFSB list

How can I get an updated list with all RFSB signatures?

  • gfergus1 McAfee SME 125 posts since
    Nov 4, 2009
    1. Dec 3, 2013 12:23 PM (in response to fabiano.carmo)
    Re: RFSB list

    We have stopped maintaining this information in the KB, as the best way to get this information is from the manager.

     

    There are two ways of getting the data. One is from the policy viewer; the other is by creating a specific policy that you can use to run a report that can be exported into an HTML report, CSV file or PDF.

     

    1) Using policy editor:

    Under the policies select the All-Inclusive With Audit policy.

    Once the policy editor is open clear any filters that may have previously been entered by clicking "All (Clear Drilldown)" on the left side.

    Create a new filter under the "Filter Management" drop down at the top right corner.

     

    Give the filter a name and select "Recommended for SmartBlocking(RFSB)" from the Filter Criteria.

    It should default to Equals and Yes. Save and Apply the filter.

     

    You should now see the RFSB list displayed.  The filter can be re-applied later from the "Apply Filter" selection under Filter Management.

     

     

    2) Using the reporting process.

    Under Advanced Policies navigate to Rule Sets and create a new ruleset.

    Give the Rule Set a name.

    Click on the Rules tab.

    Insert a new rule and leave the option to "Include".

    Click Configure.

    In the Configure the rule page select the "SmartBlocking" tab and click the "only Include McAfee Recommended for SmartBlocking (RFSB) attacks in this rule".

    Click OK.

    Click OK again.

    Ensure you have only one rule in the Ruleset rules.

     

    Navigate to the IPS Policies and create a new policy.

    Give the policy a name, leave the Granularity as "Use a single set of definitions for the entire policy (simpler)".

    Specify your RFSB ruleset created above.

    Click "Calculate Attack Definitions".

    Save and Finish creating the policy.

     

    Navigate to the reports.

    Select Traditional Reports and choose the IPS Policy Details report.

    Select the RFSB policy from the list and select criteria and output format.

    Generate the report.

  • smalldog Champion 616 posts since
    Nov 12, 2009
    3. Jan 2, 2014 12:52 AM (in response to fabiano.carmo)
    Re: RFSB list

    Hi gfergus1, after I filter with the RFSB list, should I bulk edit all of those with Enable Smartblocking? Thanks!


    - - - - - - - - - - - - - - -
    McAfee Customer
    Smalldog
  • gfergus1 McAfee SME 125 posts since
    Nov 4, 2009
    4. Jan 2, 2014 10:44 AM (in response to smalldog)
    Re: RFSB list

    This is to see which signatures have smartblocking enabled.  If you want to use smart blocking, ensure the ruleset you are using has it enabled.

  • smalldog Champion 616 posts since
    Nov 12, 2009
    5. Jan 2, 2014 10:52 PM (in response to gfergus1)
    Re: RFSB list

    Hi Gfergus, when I edit, some attacks are not enabled by default (I think they must be enabled by default for RFSB?). So must I enable them manually?

     

    Message was edited by: smalldog on 1/2/14 10:52:47 PM CST

    - - - - - - - - - - - - - - -
    McAfee Customer
    Smalldog
  • smalldog Champion 616 posts since
    Nov 12, 2009
    6. Jan 10, 2014 1:36 AM (in response to smalldog)
    Re: RFSB list

    Hi Gfergus, I have one question about policy in NSP: does the Default Inline IPS Policy block something when applied, or does it just enable attacks with Min Attack Severity 2 Low and BTP 4 Medium? If I want to block some attacks, must I set blocking manually? I'm confused. I just want to be clear about the different policies. Thanks!


    - - - - - - - - - - - - - - -
    McAfee Customer
    Smalldog
  • gfergus1 McAfee SME 125 posts since
    Nov 4, 2009
    7. Jan 10, 2014 10:43 AM (in response to smalldog)
    Re: RFSB list

    The Default Inline IPS ruleset does have smartblocking enabled. You can see this under the Policy -> Advanced -> Rule sets page.

    If the signature is defined as a high confidence and low benign trigger probability smartblocking signature then it will block by default.

  • smalldog Champion 616 posts since
    Nov 12, 2009
    8. Jan 10, 2014 8:24 PM (in response to gfergus1)
    Re: RFSB list

    Thanks Gfergus, I read the guides and learning course, which just say:

    "The sensor begins blocking attacks right out of the box (if the sensor is deployed in Inline mode)" and "All provided policies, except for the two All-Inclusive policies, enable attacks with a minimum Severity Level of 2 (Low) and a maximum Benign Trigger Probability of 4 (Medium). The Severity Level and Benign Trigger Probability settings exclude known noisy signatures in an effort to limit spurious alerts"

    I also checked the Default Inline IPS with RFSB (high confidence and low BTP), and it just enables attacks but does not have the smartblocking option enabled.

    I have talked to McAfee Professional Service, who told me I must set and filter some exploits with BTP Low and enable smartblocking for those. So I think the default inline IPS will not block anything, except that McAfee says "The sensor begins blocking attacks right out of the box (if the sensor is deployed in Inline mode)". I don't understand what "right out of the box" means??


    - - - - - - - - - - - - - - -
    McAfee Customer
    Smalldog
