Managing Ips Events - McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual

Product guide for use with ePolicy Orchestrator 4.5
Configuring IPS Policies
Monitor IPS events
Reacting to events
Under certain circumstances, behavior that is interpreted as an attack can be a normal part of
a user's work routine. When this occurs, you can create an exception rule or a trusted application
rule for that behavior.
Creating exceptions and trusted applications allows you to diminish false positive alerts, and
ensures that the notifications you receive are meaningful.
For example, when testing clients, you might find clients triggering the Email Access signature.
Typically, an event triggered by this signature is cause for alarm. Hackers can install Trojan
applications that use TCP/IP port 25, which is typically reserved for email applications, and this
action would be detected by the TCP/IP Port 25 Activity (SMTP) signature. On the other hand, normal
email traffic might also match this signature. When you see this signature, investigate the
process that initiated the event. If the process is one that is not normally associated with email,
like Notepad.exe, you might reasonably suspect that a Trojan was planted. If the process
initiating the event is normally responsible for sending email (for example, Outlook), create an
exception to that event.
You might also find, for example, that a number of clients are triggering the Startup Programs
signature, which indicates the modification or creation of a value under the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
As the values stored under these keys indicate programs that are started when the computer
starts up, recognition of this signature might indicate that someone is attempting to tamper
with the system. Or it might indicate something as benign as one of your employees installing
WinZip on their computer. The installation of WinZip adds a value to the Run registry key.
To eliminate the triggering of events every time someone installs authorized software, you
create exceptions for these events.
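The two cases above (a mail client legitimately using port 25, an authorized installer writing to the Run key) both come down to the same question: does an existing exception or trusted-application rule already explain the event, or does it still need a human look? The following is an added example written for this page, not code from McAfee or the Host IPS product. The event schema, the rule representation, the executable names and the sample events are all constructed for illustration; the product stores its rules in IPS Rules policies, not in Python sets.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class IpsEvent:
    """One IPS event as a client reports it (constructed schema, not the product's)."""
    signature: str  # name of the signature that fired
    process: str    # executable that initiated the behaviour
    host: str       # reporting client
    detail: str     # what was touched: a remote port, a registry value, ...


# Exception rules: this process is allowed to trigger this specific signature.
# Hypothetical rule set for the example.
EXCEPTION_RULES: Set[Tuple[str, str]] = {
    ("TCP/IP Port 25 Activity (SMTP)", "outlook.exe"),
}

# Trusted applications, modelled here as processes excepted from every signature.
# The installer file name is constructed for the example.
TRUSTED_APPLICATIONS: Set[str] = {"winzip-setup.exe"}


def is_excepted(event: IpsEvent,
                exceptions: Set[Tuple[str, str]] = EXCEPTION_RULES,
                trusted: Set[str] = TRUSTED_APPLICATIONS) -> bool:
    """True when an existing rule already explains the event as benign."""
    process = event.process.lower()  # clients may report names in any case
    if process in trusted:
        return True
    return (event.signature, process) in exceptions


def triage(events: Iterable[IpsEvent]) -> List[IpsEvent]:
    """Events that survive the rules and still deserve an analyst's look."""
    return [e for e in events if not is_excepted(e)]


# Constructed sample events mirroring the two cases in the text.
SAMPLE_EVENTS = [
    IpsEvent("TCP/IP Port 25 Activity (SMTP)", "OUTLOOK.EXE", "ws01", "remote port 25"),
    IpsEvent("TCP/IP Port 25 Activity (SMTP)", "notepad.exe", "ws02", "remote port 25"),
    IpsEvent("Startup Programs", "winzip-setup.exe", "ws03",
             r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinZip"),
    IpsEvent("Startup Programs", "unknown.exe", "ws04",
             r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\updater"),
]

if __name__ == "__main__":
    # Only the Notepad port-25 event and the unknown RunOnce writer remain.
    for e in triage(SAMPLE_EVENTS):
        print(f"{e.host}: {e.signature} by {e.process} ({e.detail})")
```

Note that the rule keys on the initiating process, exactly as the text advises when it tells you to investigate the process behind the event: the same signature is suppressed for Outlook and still surfaced for Notepad.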
Filtering and aggregating events
Applying a filter produces the list of events that satisfy every variable defined in the filter
criteria; the criteria are combined, so an event must match all of them to appear. Aggregating
events produces a list of events grouped by the value of each variable selected in the "Select
columns to aggregate" dialog box. The result is a list of events displayed in groups and sorted
by the value of the selected variables.
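The semantics of filtering (every criterion must match) and aggregating (group by the selected columns, then sort by their values), together with the 30-day default window mentioned in the task below, as an added example written for this page rather than code from McAfee or ePolicy Orchestrator. The column names, sample events and "current" timestamp are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, Iterable, List, Sequence, Tuple

# An event is a mapping of column name to value (constructed schema).
Event = Dict[str, Any]

# Constructed sample events; "time" is the event timestamp.
SAMPLE_EVENTS: List[Event] = [
    {"host": "ws01", "signature": "TCP/IP Port 25 Activity (SMTP)",
     "process": "outlook.exe", "time": datetime(2024, 3, 30)},
    {"host": "ws02", "signature": "TCP/IP Port 25 Activity (SMTP)",
     "process": "notepad.exe", "time": datetime(2024, 3, 29)},
    {"host": "ws01", "signature": "Startup Programs",
     "process": "winzip-setup.exe", "time": datetime(2024, 3, 28)},
    {"host": "ws03", "signature": "Startup Programs",
     "process": "setup.exe", "time": datetime(2024, 1, 15)},   # older than 30 days
    {"host": "ws02", "signature": "Startup Programs",
     "process": "notepad.exe", "time": datetime(2024, 3, 31)},
]
NOW = datetime(2024, 4, 1)  # constructed "current" time for the window check


def filter_events(events: Iterable[Event], **criteria: Any) -> List[Event]:
    """Keep only events that match ALL criteria (column == value for each)."""
    return [e for e in events
            if all(e.get(col) == val for col, val in criteria.items())]


def within_days(events: Iterable[Event], now: datetime, days: int = 30) -> List[Event]:
    """The default view: only events from the last `days` days."""
    cutoff = now - timedelta(days=days)
    return [e for e in events if e["time"] >= cutoff]


def aggregate(events: Iterable[Event],
              columns: Sequence[str]) -> List[Tuple[Tuple[Any, ...], List[Event]]]:
    """Group events by the tuple of selected column values, sorted by that tuple."""
    groups: Dict[Tuple[Any, ...], List[Event]] = defaultdict(list)
    for e in events:
        groups[tuple(e[c] for c in columns)].append(e)
    return sorted(groups.items(), key=lambda kv: kv[0])


if __name__ == "__main__":
    recent = within_days(SAMPLE_EVENTS, NOW)
    for key, members in aggregate(recent, ["signature", "process"]):
        print(f"{key}: {len(members)} event(s)")
```

Running it groups the four in-window events by signature and process, which is the quickest way to spot that one signature is being triggered by several hosts through the same installer (a candidate for an exception) while another is being triggered by a process that has no business sending mail.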

Managing IPS events

Viewing IPS events coming from clients and creating exceptions or trusted applications from
them helps tune and tighten security.
NOTE:
IPS events also appear on the Event Log tab under Reporting combined with all other
events for all systems. Access to the events tabs under Reporting requires additional permission
sets, including view permissions for Event Log, Systems, and System Tree access.
Task
For option definitions, click ? in the interface.
1. Click Menu | Reporting | Host IPS 8.0, then click Events.
2. Select the group in the System Tree for which you want to display IPS events. All events
   associated with the group appear. By default, only events from the last 30 days are displayed.
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5