2 Replies Latest reply: Jan 27, 2014 7:42 AM by epository

    HIPS 8.0 DNS Blocking Feature

    epository

      Are DNS Blocking events logged anywhere?  How can I make a specific query in order to get a report of these events?

      How can I test this to see if it's working?

      There is also a signature in HIPS - 6042 - that also refers to a DNS Rule violation, but I am not sure exactly what it is checking.

      Any way to test if Sig 6042 is working?

      It would be a nice added layer of protection, but I need to see if the "DNS Blocking" events are logged, and what signature 6042 is specifically looking for.

        • 1. Re: HIPS 8.0 DNS Blocking Feature
          Kary Tankink

          DNS Blocking events are logged locally on HIPS clients only; no ePO events are sent to the ePO server (like other Firewall events, except for TrustedSource and Intrusion events, which are Network IPS events).

          I'm not aware of how to test Signature 6042 specifically.

          • 2. Re: HIPS 8.0 DNS Blocking Feature
            epository

            Can I get a more detailed description as to what signature 6042 is checking for?  There is no CVE article associated with it.  Is it just DNS requests being sent to a computer not hosting something on port 53?

            We have some events here, and I can't answer them or say why this signature was tripped...