McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual page 40

Product guide for use with ePolicy Orchestrator 4.5

Configuring IPS Policies
Define IPS protection
Network IPS signatures
Network-based intrusion prevention signatures detect and prevent known network-based attacks
that arrive on the host system. They appear in the same list of signatures as the host-based
signatures.
Each signature has a description and a default severity level. With appropriate privilege levels,
an administrator can modify the severity level of a signature.
You can create exceptions for network-based signatures; however, you cannot specify any
additional parameter attributes such as operating system user or process name. Advanced
details contain network-specific parameters, for example IP addresses, which you can specify.
Events generated by network-based signatures are displayed along with the host-based events
in the Events tab and exhibit the same behavior as host-based events.
To work with signatures, click the Signatures tab in the IPS Rules policy.
Configuring IPS signatures
Edit default signatures, add custom signatures, and move signatures to another policy from the
Signatures tab of the IPS Rules policy.
Task
For option definitions, click ? in the interface.
1. Click Menu | Policy | Policy Catalog and select Host Intrusion Prevention: IPS in
   the Product list and IPS Rules in the Category list. The list of policies appears.
2. Under Actions, click Edit to make changes on the IPS Rules page, then click the
   Signatures tab.
3. Do any of the following:
To... Find a signature in the list
Do this...
   Use the filters at the top of the signatures list. You can
   filter on signature severity, type, platform, log status,
   whether client rules are allowed, or specific text that
   includes signature name, notes, or content version.
   Click Clear to remove filter settings.

To... Edit a signature
Do this...
   Under Actions, click Edit.
   If the signature is a default signature, you can
   modify the Severity Level, Client Rules, or Log
   Status settings, and enter notes in the Note box
   to document the change. Click OK to save any
   modifications. Edited default signatures can be
   reverted to their default settings by clicking Revert
   under Actions.
   NOTE: When you edit a signature and save the
   change, the signature is re-sorted in the list. As a
   result, you might need to search the list to find the
   edited signature.
   If the signature is a custom signature, modify the
   Severity Level, Client Rules, Log Status, or
   Description settings, and enter notes in the Note
   box to document the change. Click OK to save any
   modifications.
   NOTE: You can make changes to several signatures at
   once, by selecting the signatures and clicking Edit

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
