Managing Attack Responses Using GARE; User-Defined Signatures Action - McAfee M-1250 - Network Security Platform Configuration Manual

IPS configuration guide version 5.1

McAfee® Network Security Platform 5.1
Managing IPS settings

Default Inline IPS policy

By default, Network Security Platform uses the Default Inline IPS policy when Network
Security Platform is initialized. This policy automatically blocks the highest impact attacks
that can be detected with high confidence as determined by McAfee. To address widely
deployed attacks, McAfee also considers the popularity of certain attacks when deciding if
they should be included in the Default Inline IPS policy.
For a brand-new Manager installation, this policy is automatically applied by default for all
interfaces on a Network Security Sensor. For customers upgrading to the latest version of
Manager, this policy is available for use but is not applied by default.

Managing attack responses using GARE

The Global Attack Response Editor (GARE) is an attack editor that works in concert with
the policy and bulk editors. GARE enables you to edit an attack definition's response once
and have that modification apply across all policies that contain that attack definition,
rather than having to find all policies that use a particular attack, and then modify the
response on each of those policies one at a time. All attack response attributes can be
customized (for example, Sensor response actions, logging, alert filters, notifications).
Using the Global Attack Response Editor (GARE) is essentially identical to using
the Policy Editor to edit attack responses. The exception is that response
customizations affect all instances of the selected attack instead of a single
instance of an attack.
To edit attack responses at the global level:
1. Select IPS Settings > Advanced Policies > Global Attack Response Editor.
2. Select an attack to edit from the DoS or Reconnaissance tabs.
   For Exploit, first select an exploit and then select the attack that you want to edit.
3. Click Version Control to create/view revisions of a policy.
   The Policy Version List for Global Policy: <Policy Name> dialog is displayed. You can use this
   page to perform actions on both IPS GARE policies and reconnaissance GARE
   policies at the same time.
   For more details on Version Control, see Creating versions of an IPS policy (on page 37)
   and Creating versions of a reconnaissance policy.
4. Refer to the following actions for more information on the available response options:
   Customizing exploit attack enforcement (on page 11)
   Customizing responses for an exploit attack (on page 19)
   Bulk editing multiple attacks at once (on page 34)

User-Defined Signatures action

The User-Defined Signatures action, also known as UDS, enables expert security personnel to
create attack instances with signatures for implementation in your Network Security
Platform policy enforcement process. For more information on creating UDS, see Creating
UDS, User-Defined Signatures Developer's Guide.
