How Blocking Works For Exploit Traffic; Verify Dropped Exploit Attacks Using The Threat Analyzer; Block Dos Traffic - McAfee M-1250 - Network Security Platform Manual

Network protection
McAfee® Network Security Platform 6.0

offending packets, are the key method in discovering an exploit. An attack can have
multiple signatures, thus enabling more than one chance at attack detection.

Using the Policy Editor, you can select a specific attack (or attacks) to block by
selecting Drop Packets from the Block attacks section. For more information on this
procedure, see

Note: / My Company / IPS Settings > Policies > IPS Policies

How blocking works for exploit traffic

The Sensor applies the configured inbound or outbound policy depending on the
traffic direction, which is determined by the Sensor cabling and port configuration.

The Sensor analyzes the traffic and, based on the policy, determines whether the
traffic is "good" (does not match an attack configured in the policy) or "bad" (matches
an attack configured in the policy). If the traffic is bad, the Sensor then applies the
configured "drop packets" action. When Network Security Platform identifies a
malicious flow, it blocks only that flow, not all the traffic from the source IP (Sensor
behavior is unlike that of a firewall).

For UDP and ICMP traffic, only the attack packet is blocked. With TCP traffic, the
entire attack flow is blocked; we recommend that you also configure a TCP Reset
action in the policy to reset the flow.

Note: When inline, the TCP resets always go out the inline ports. Response ports
are used when the device is configured for tap or span mode.

The Sensor must be in detection mode to detect and block attacks.

Verify dropped exploit attacks using the Threat Analyzer

The Alert Result Status graph within the Threat Analyzer's Consolidated View displays the
results of detected attacks as determined by target response (i.e., Successful, Failed) or
Network Security Platform action (i.e., Blocked). "Blocked" specifically refers to the attacks
that have been dropped due to policy response settings. Within a Threat Analyzer query,
you can see the number of attacks that have been blocked during the query's time period.

The result status "Blocked" increments for each blocked attack. If you drill down by
"Status" in a particular alert, the result status shows as "Blocked."

Block DoS traffic

Denial-of-Service (DoS) attacks interrupt network services by flooding a system or host
with spurious traffic, which can overflow your system buffers and force you to take the
system offline for repairs. Sensors support both Learning- and Threshold-based
capabilities for combating DoS attacks. The Sensor uses complex algorithms to
differentiate the bad DoS packets from good packets, and drops the bad packets when
running in inline mode.

IPS Configuration Guide
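As an added illustration (not code from the McAfee guide or product) of the flow-level semantics described under "How blocking works for exploit traffic", this Python model drops a matching UDP/ICMP packet on its own, drops and resets the whole TCP flow, leaves other flows from the same source IP alone, and counts one Blocked result per attack; the port names, attack name and policy layout are assumptions.

```python
from collections import namedtuple

# Constructed model (not McAfee code) of the blocking behaviour the guide describes.
# Port names, attack names and the policy layout are assumptions for illustration.
Packet = namedtuple("Packet", "port proto src dst sport dport attack")


class SensorModel:
    """Inline Sensor model: per-direction policy, flow-level (not source-IP) blocking."""

    def __init__(self, port_direction, policies, tcp_reset=True):
        self.port_direction = port_direction  # ingress port -> "inbound" / "outbound"
        self.policies = policies              # direction -> {attack name: "drop" | "alert"}
        self.tcp_reset = tcp_reset            # a TCP Reset action is also configured
        self.blocked_flows = set()            # TCP 5-tuples currently being dropped
        self.blocked_count = 0                # Threat Analyzer "Blocked" result status
        self.resets = []                      # flows for which a reset was emitted

    @staticmethod
    def flow_key(p):
        return (p.proto, p.src, p.dst, p.sport, p.dport)

    def process(self, p):
        """Return "drop" or "forward" for one packet, updating blocking state."""
        key = self.flow_key(p)
        if key in self.blocked_flows:
            return "drop"                     # remainder of an already blocked TCP flow
        direction = self.port_direction[p.port]
        if self.policies[direction].get(p.attack) != "drop":
            return "forward"                  # good traffic, or an alert-only attack
        self.blocked_count += 1               # one "Blocked" result per blocked attack
        if p.proto == "tcp":
            self.blocked_flows.add(key)       # the whole flow, never the source IP
            if self.tcp_reset:
                self.resets.append(key)
        return "drop"                         # UDP/ICMP: only this attack packet


def demo():
    """Run constructed packets through the model and return (actions, sensor)."""
    sensor = SensorModel({"1A": "inbound", "1B": "outbound"},
                         {"inbound": {"EXAMPLE-EXPLOIT": "drop"}, "outbound": {}})
    tcp_attack = Packet("1A", "tcp", "10.0.0.5", "192.0.2.10", 40000, 80, "EXAMPLE-EXPLOIT")
    tcp_rest = tcp_attack._replace(attack=None)               # later packet, same flow
    other_flow = tcp_attack._replace(dport=443, attack=None)  # same source IP, new flow
    udp_attack = Packet("1A", "udp", "10.0.0.5", "192.0.2.10", 5000, 53, "EXAMPLE-EXPLOIT")
    udp_rest = udp_attack._replace(attack=None)               # next packet, same UDP flow
    packets = (tcp_attack, tcp_rest, other_flow, udp_attack, udp_rest)
    return [sensor.process(p) for p in packets], sensor
```

Running demo() shows the TCP attack flow dropped end to end while the second flow from the same host passes, and the UDP flow dropping only the single attack packet.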
