4 Replies Latest reply on Oct 27, 2016 4:29 AM by peter.mason

    How to block attacks using attack set profiles

    mvidic

      Hi,

      is there a way to block attacks that are not RfSB by using attack set profiles?

      For exaple I would like to block all attack with severity High. I would crate an attack set profile which would include attacks with desired severity, but there is only option to block attacks that are RfSB.

      At the moment I solve this by manually enabling blocking on individual attacks inside the "IPS policy" in policy editor. Is there a way to automate this using Attack sets?

       

      Another question: If I want to enable blocking on an individual attack inside an "IPS policy" what is a difference between "Enable blocking" and "Enable Smart Blocking" options?

       

      Thanks,

      BR

        • 1. Re: How to block attacks using attack set profiles
          peter.mason

          Hi Mvidic,

           

          Are you sure you want to block all attacks with a high severity? Are you sure none of them are false positive?

           

          You need to be 100% certain you are not going to block valid traffic and cause applications etc to stop working.

           

          Have you looked at the Simulated Blocking setting? This will allow you to review what traffic you will be blocking to validate if it is legitimate before you block it completely.

           

          Once you create a new Attack Set Profile for High Severity alerts you will need to create a new IPS Policy using this profile. You can then select all the signatures and set them to block.

           

          Details of the difference between the "Enable blocking" and "Enable Smart Blocking" options are in the IPS Admin Guide, link below.

           

          Network Security Platform documentation reference guide

          https://kc.mcafee.com/agent/index?page=content&id=KB76064

          • 2. Re: How to block attacks using attack set profiles
            mvidic

            Hi peter.manson,

            thank you for your reply. Maybe we are not sure about blocking all the attacks with high severity, that was only example, but we are pretty sure that we would like to block all the attacks with high severity and low benign triger probability.

            In my opinion if we do not have such a rule in place we are one step behind the attacker all the time: the attack has to happen first so we can see it in logs and only then we enable blocking when damage could already be done.

            My aproach might not be the best, if so could you please describe how do you fine tune your IPS policy.

            Thanks

            • 3. Re: How to block attacks using attack set profiles
              dotax

              Hi Mvidic,

               

              Go to Policy > IPS Policies , then select your own policy.

              You can hover at the column , filter as below:

              Severity = 7,8,9

              BTP  = 1,2

              RFSB = No

               

              Then shift select all attack and set response to block.

              My preference is to block all "Malware" type catagory first, then only look at Exploits and Policy Violations to fine tune.

              Understanding the system protected behind IPS is crucial to fine tune it (such as what OS, does it running Oracle? Adobe?)

               

              Just my 2 cents

              • 4. Re: How to block attacks using attack set profiles
                peter.mason

                Hi mvidic,

                 

                Tuning is normally specific to your company & infrastructure, where you have the sensor deployed, what other security infrastructure you're using and how you have configured NSP etc.

                 

                It also depends on your available resources as it can be very time consuming.

                 

                If you want to lower the volume of alerts you're seeing you should review them to see if you think they are false positives and submit them to McAfee to correct the signatures, or create Firewall rules / ignore rules for traffic that you allow.

                 

                If you are seeing alerts for attacks that are not relevant to your infrastructue, DB technology you don't use etc, you could chose to block them or just disable the signatures.

                 

                As Dotax points out above, it is important to understand your network and what you're protecting.

                 

                For example, If your sensor is deployed in front of a firewall, and the firewall is configured to block the traffic for one of the high severity attacks, you could disable the attack signature on the sensor as you know it will be blocked on the firewall. You could also choose to block the traffic on the sensor and prevent it from ever getting to your firewall to reduce the load there.

                 

                If the sensor is behind the firewall you might want to enable all of the alerts so that you see anything getting past the firewall or coming out of your network.

                 

                Tuning your policies is the most time consuming part of working with NSP, but once you get the initial work done it is easy to maintain.