7 Replies. Latest reply on May 5, 2014 10:19 PM by rukmalf

    Keeping Track of Signature Updates

    rukmalf

      Hi,

      We have multiple IPS deployments managed by different people. And the major issue we come across is to enable blocking on attack definitions when a new signature update comes.

      Can anyone tell me if there is a way of keeping track of new updates? For instance, if you talk about Checkpoint IPS, they would flag the newly added signatures so that the administrators can review them and enable them based on the requirements.

      Thanx in advance,

      Regards,

      Rukmal Fernando

        • 1. Re: Keeping Track of Signature Updates
          rukmalf

          Hi,

          The closest answer I have come across is to check the below link to keep track of new signatures. And once a new signature set comes, we will have to go through the newly added signatures and decide whether to block them or not.

          Knowledge Center - REGISTERED - Network Security Signature Set Updates

          So it looks like a tedious process. Does anyone have a better answer?

          Regards,

          Rukmal Fernando

          • 2. Re: Keeping Track of Signature Updates
            tjaynes

            We go through the manual process here too. You can always create rule sets with specific "if signature meets X requirements, include it".

            • 3. Re: Keeping Track of Signature Updates
              rukmalf

              Hi,

              Thank you for the reply. Can you explain more on how to do what you have mentioned in your reply?

              Thank you,

              Regards,

              Rukmal

              • 4. Re: Keeping Track of Signature Updates
                tjaynes

                And I was just about to include this information with my reply. Ha. Check out the IPS admin guides and ctrl+f for "rule sets". When creating a policy, you set a rule set to the interface(s). IPS Settings -> IPS & Recon -> Rules Sets. From here, either modify a current rule set or create your own. When you're creating a new one/editing, a window will pop up. Set your name and desc for the set and then see the 'Rules' tab. Decide whether or not you want to Include or Exclude something and click 'Insert'. From here you should be able to see that you can include signatures in a rule set based on the signature's Category, Protocol, OS, Application, Severity, BTP, and SmartBlocking attributes. Let me know how this works for you.

                • 5. Re: Keeping Track of Signature Updates
                  rukmalf

                  Hi,

                  Thank you for the reply. I think this can be achieved only by manually attending to it. If you go to the following link, you will find the details about the newly added signatures:

                  https://kc.mcafee.com/agent/index?page=content&id=KB55446&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US

                  Once you have that information, you will have to manually find each signature (most probably the High severity ones) and then enable blocking depending on the requirement.

                  The solution you gave only allows creating a rule set that includes different severity levels, but still we will have to manually find each and every newly added signature and then enable blocking for them unless they are in the RFSB list.

                  Regards,

                  Rukmal

                  • 6. Re: Keeping Track of Signature Updates
                    tjaynes

                    Rukmal,

                    You can create the rule sets based on multiple attributes of a signature and not just 'severity'. I didn't know you were asking how to automate review of every new signature created/released and turn on blocking. RFSB would be a good start, but from the sounds of it, what you and your team want to do requires manual review of each signature. Unless you have certain criteria for signatures to meet your team's "turn on blocking" decision that match the criteria a rule set offers, you'll have to deal with the manual process and/or submit a PER (Product Enhancement Request) to get this ability into the product.

                    V/r,

                    tjaynes

                    • 7. Re: Keeping Track of Signature Updates
                      rukmalf

                      Hi,

                      Well, we are system integrators, so we usually set something up, tune it and then hand it over to the customers and hope they manage the rest unless some issue comes where we have to troubleshoot.

                      But unlike firewalls, IPSs need more care. The signature database updates regularly, so you need to keep adding and removing stuff on a regular basis. And since customers tend to like solutions that have minimal interaction, I have found out that they prefer just to leave it, hence only the initially blocked stuff is enforced and all the new signatures are just in alert mode. Hope you see the issue.

                      So what I was looking for is some type of mechanism where McAfee would highlight the newly added signatures so that it would be very easy for the administrators just to go and block them. For instance, Checkpoint has a facility like that, where they would flag the newly added signature, or I think they even give you the option of enabling blocking for high severity, high confidence level attacks automatically as they are added.

                      Regards,

                      Rukmal
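The manual step described in reply 5 (compare the new signature set against the previous one, then pick out the High severity signatures to enable blocking) and the flagging mechanism wished for in reply 7 can both be approximated outside the product by diffing two exports of the signature set. The script below is an added example written for this thread, not McAfee's or any poster's code; the CSV layout, the column names and the sample rows are constructed assumptions, and `btp` stands for Benign Trigger Probability, where Low BTP means the signature rarely fires on benign traffic.

```python
# Added example (not from the thread): diff two IPS signature-set exports so
# only new or re-rated signatures reach the reviewer. The CSV layout and the
# sample rows are constructed assumptions; btp = Benign Trigger Probability,
# where Low BTP means the signature rarely fires on benign traffic.
import csv
import io

OLD_EXPORT = """id,name,severity,category,btp
1001,HTTP: Example Traversal,High,Web,Low
1002,SMB: Example Probe,Medium,Network,Medium
1003,DNS: Example Query Anomaly,Low,Network,High
"""
NEW_EXPORT = """id,name,severity,category,btp
1001,HTTP: Example Traversal,High,Web,Low
1002,SMB: Example Probe,High,Network,Medium
1004,SSL: Example Handshake Flaw,High,Web,Low
1005,FTP: Example Login Anomaly,Medium,Network,High
"""

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}
BTP_RANK = {"High": 0, "Medium": 1, "Low": 2}  # Low BTP = highest confidence


def load_export(text):
    """Parse a CSV export into a dict keyed by signature id."""
    return {row["id"]: row for row in csv.DictReader(io.StringIO(text))}


def diff_signature_sets(old_text, new_text):
    """Return (added, removed, changed): rows only in new, rows only in old,
    and (old_row, new_row) pairs whose severity or BTP was re-rated."""
    old, new = load_export(old_text), load_export(new_text)
    added = [new[i] for i in new if i not in old]
    removed = [old[i] for i in old if i not in new]
    changed = [(old[i], new[i]) for i in new if i in old and
               (old[i]["severity"], old[i]["btp"]) != (new[i]["severity"], new[i]["btp"])]
    return added, removed, changed


def review_queue(old_text, new_text, min_severity="High", max_btp="Low"):
    """Ids a reviewer should look at first: new or re-rated signatures at or
    above the severity floor and at or below the BTP ceiling, sorted with
    the most severe and most confident first (ties broken by id)."""
    added, _, changed = diff_signature_sets(old_text, new_text)
    candidates = added + [new_row for _, new_row in changed]
    keep = [r for r in candidates
            if SEVERITY_RANK[r["severity"]] >= SEVERITY_RANK[min_severity]
            and BTP_RANK[r["btp"]] >= BTP_RANK[max_btp]]
    keep.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], -BTP_RANK[r["btp"]], r["id"]))
    return [r["id"] for r in keep]
```

Run against two consecutive exports, the default thresholds give the short "High severity, Low BTP" list that reply 7 describes, while the `removed` list catches signatures that silently dropped out of a blocking policy.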