13 Replies | Latest reply: Mar 6, 2014 3:56 AM by rukmalf

    Blocking Botnets on NSP 7.5.x

    rukmalf

Hi,

I have an NSP setup running in bridge mode, and I have applied the default inline IPS policy on the interfaces. Since I see a lot of botnet communications I would like to block them.

      But when I go to default inline IPS policy signatures and try to block them it says 'Sensor Actions and logging tabs are not applicable for Malware Attacks'.

[screenshot: 6.PNG]

So my question is how am I going to block these? I have added some screen caps of my alerts below, so that you can get a clear idea of what is going on.

[screenshots: 1.JPG, 2.JPG, 3.JPG, 4.JPG]

[screenshot: 5.JPG]

Regards,

Rukmal Fernando

        • 1. Re: Blocking Botnets on NSP 7.5.x
          rukmalf

Looks like this issue is only with manager version 7.5.3.11. When I upgraded the manager to version 7.5.5.6 I can see the blocking option again.

Does anyone have an idea on why this wasn't allowed in the previous version?

          Regards,

          Rukmal Fernando

          • 2. Re: Blocking Botnets on NSP 7.5.x
            cedricr

Hello Rukmal,

Thank you for the update. I have the same issue and will try to fix it by upgrading the manager.

            Best Regards

            Cedric

            • 3. Re: Blocking Botnets on NSP 7.5.x
              rukmalf

Hi Cedric,

This is what I get with version 7.5.3.11:

https://community.mcafee.com/servlet/JiveServlet/showImage/2-321020-57272/6.PNG

And this is what I get when I upgrade it to 7.5.5.6:

[screenshot: 7.PNG]

Not sure if the blocking works though. It would be good if you can check it and confirm it.

Regards,

Rukmal Fernando

              • 4. Re: Blocking Botnets on NSP 7.5.x
                msitko

I'd have to look into why it's not available in 7.5.3.11, but I can confirm it's available in 7.5.5.6 and above. Try upgrading to 7.5.5.7 and let us know what happens.

                • 5. Re: Blocking Botnets on NSP 7.5.x
                  cedricr

Hi,

Today I upgraded the manager to version 7.5.5.7 and the response now is unlocked. Unfortunately most adjustments I made to the IPS policy were lost. I will check with support.

                  Best Regards,

                  Cedric

                  • 6. Re: Blocking Botnets on NSP 7.5.x
                    rukmalf

Hi Cedric,

That is too bad. What would have happened if you had taken a config backup from the 7.5.3.11 setup and restored it on top of the upgraded NSM (overwriting whatever is on it)?

I never tried this on a setup with any configuration. All I was interested in was seeing whether the blocking option appeared, so I did the upgrades on fresh installations.

Regards,

                    Rukmal

                    • 7. Re: Blocking Botnets on NSP 7.5.x
                      rukmalf

Hi Cedric,

I upgraded 7.5.3.11 to 7.5.5.7 on a test setup and I didn't seem to lose any configuration.

Here, when I say configuration I mean the following:

                           1. Cloned the default IDS policy and applied it to an interface

                           2. Changed a few signature attributes in the above mentioned cloned policy

3. Added an exception to the above mentioned policy.

All the above configuration changes still exist even after the upgrade. I wonder what went wrong with yours.

Regards,

                      Rukmal

                      • 8. Re: Blocking Botnets on NSP 7.5.x
                        cedricr

Hi Rukmal,

Thank you for your update and sorry for the delay on my side. We had an issue on version 7.5.3.11 with IPS policy changes partly reverted. Therefore a case with support was opened and the upgrade to 7.5.5.7 was approved by support.

The upgrade to 7.5.5.7 reverted most of the changes which were active for a while before.

                        Best Regards

                        Cedric

                        • 9. Re: Blocking Botnets on NSP 7.5.x
                          rukmalf

Hi Cedric,

Thank you for the update. So in other words, after the support-recommended upgrade you lost most of the policy configuration? What did support have to say about this? Would it have worked if you restored a backup on the newly upgraded server?

Regards,

                          Rukmal
