8 Replies Latest reply: Jan 10, 2014 8:24 PM by smalldog

    RFSB list

    fabiano.carmo

      How can I get an updated list with all RFSB signatures?

        • 1. Re: RFSB list
          gfergus1

          We have stopped maintaining this information in the KB as the best way to get this information is from the manager.

           

          There are two ways of getting the data. One is from the policy viewer, the other is by creating a specific policy that you can use to run a report that can be exported into an HTML report, CSV file or PDF.

           

          1) Using policy editor:

          Under the policies select the All-Inclusive With Audit policy.

          Once the policy editor is open clear any filters that may have previously been entered by clicking "All (Clear Drilldown)" on the left side.

          Create a new filter under the "Filter Management" drop down at the top right corner.

           

          Give the filter a name and select "Recommended for SmartBlocking(RFSB)" from the Filter Criteria.

          It should default to Equals and Yes. Save and Apply the filter.

           

          You should now see the RFSB list displayed. The filter can be re-applied later from the "Apply Filter" selection under Filter Management.

           

           

          2) Using the reporting process.

          Under Advanced Policies navigate to Rule Sets and create a new ruleset.

          Give the Rule Set a name.

          Click on the Rules tab.

          Insert a new rule and leave the option to "Include".

          Click Configure.

          In the Configure the rule page select the "SmartBlocking" tab and click the "only Include McAfee Recommended for SmartBlocking (RFSB) attacks in this rule".

          Click OK.

          Click OK again.

          Ensure you have only one rule in the Ruleset rules.

           

          Navigate to the IPS Policies and create a new policy.

          Give the policy a name, leave the Granularity as "Use a single set of definitions for the entire policy (simpler)".

          Specify your RFSB ruleset created above.

          Click "Calculate Attack Definitions".

          Save and Finish creating the policy.

           

          Navigate to the reports.

          Select Traditional Reports and choose the IPS Policy Details report.

          Select the RFSB policy from the list and select criteria and output format.

          Generate the report.

          • 2. Re: RFSB list
            fabiano.carmo

            Hello gfergus1

             

            Thank you for your helpful information.

            • 3. Re: RFSB list
              smalldog

              Hi gfergus1, after I filter with the RFSB list, should I bulk edit all those with Enable Smartblocking? Thanks!

              • 4. Re: RFSB list
                gfergus1

                This is to see which signatures have smartblocking enabled. If you want to use smart blocking, ensure the ruleset you are using has it enabled.

                • 5. Re: RFSB list
                  smalldog

                  Hi Gfergus, when I edit, some attacks are not enabled by default (I think they must be enabled by default for RFSB?). So must I enable them manually?

                   

                  Message was edited by: smalldog on 1/2/14 10:52:47 PM CST
                  • 6. Re: RFSB list
                    smalldog

                    Hi Gfergus, I have one question about policy in NSP: when the Default Inline IPS Policy is applied, does it block something? Or does it just enable attacks with Min Attack Severity 2 Low and BTP 4 Medium? If I want to block some attacks, must I block them manually? I'm confused. I just want to be clear about the differences between policies. Thanks!

                    • 7. Re: RFSB list
                      gfergus1

                      The Default Inline IPS ruleset does have smartblocking enabled. You can see this under the Policy -> Advanced -> Rule sets page.

                      If the signature is defined as a high confidence and low benign trigger probability smartblocking signature then it will block by default.

                      • 8. Re: RFSB list
                        smalldog

                        Thanks Gfergus, I read the guides and the learning course, which just say:

                        "The sensor begins blocking attacks right out of the box (if the sensor is deployed in Inline mode)" and "All provided policies, except for the two All-Inclusive policies, enable attacks with a minimum Severity Level of 2 (Low) and a maximum Benign Trigger Probability of 4 (Medium). The Severity Level and Benign Trigger Probability settings exclude known noisy signatures in an effort to limit spurious alerts"

                         

                        I also checked the default Inline IPS with RFSB (high confidence and low BTP), which just enables attacks but does not have the smartblocking option enabled.

                        I have talked to McAfee Professional Service, who told me I must set and filter some exploits with BTP Low and enable smartblocking for those. So I think the default inline IPS will not block anything, except that McAfee says "The sensor begins blocking attacks right out of the box (if the sensor is deployed in Inline mode)". I don't understand what "right out of the box" means??