McAfee Host Intrusion Prevention 6.1 manual
Models: 6.1
201 pages
Product Guide
McAfee® Host Intrusion Prevention version 6.1
McAfee® System Protection
Industry-leading intrusion prevention solutions
Contents
IPS Policies
General Policies 103
Frequently Asked Questions 160
Writing Custom Signatures 164
Introducing Host Intrusion Prevention
What’s new in this release
New features
Changes from the previous release
Audience
Using this guide
This guide uses the following conventions
Conventions
Bold Condensed
Example
Standard documentation
Getting product information
Professional Services
Customer Service
Contact information
Basic Concepts
IPS feature
Signature rules
Events
Behavioral rules
Reactions
Exception rules
Firewall rules
Firewall feature
Client firewall rules
General feature
Application Blocking feature
Client application blocking rules
Policy enforcement
Policy management
Policies and policy categories
Policy ownership
Policy inheritance and assignment
Policy assignment locking
Adaptive and Learn mode
Preset protection
Deployment and management
Reports
Tuning
Deploy Host Intrusion Prevention clients
Using ePolicy Orchestrator
ePolicy Orchestrator console
Assign Policies
Policy management
Host Intrusion Prevention operations
Installing the Host Intrusion Prevention server
Assigning owners to policies
Generating notifications
Viewing and working with client data
Deploying Host Intrusion Prevention clients
Placing clients in Adaptive or Learn mode
Policy viewing alerts
Configuring policies
Active X control security warning
Fine-tuning
Help navigation procedures
Using Help
IPS Events/Signatures
Help in the user interface
IPS Exception Rules
IPS Signature Rules
Overview
IPS Policies
Benefits of Host IPS
Host and network IPS signature rules
Behavioral rules
Preset IPS policies
Benefits of Network IPS
Quick access
Configuring the IPS Options policy
To configure the IPS Options policy
To create a new IPS Options policy
Click Apply
IPS Options dialog box appears
Select the needed options
Configuring the IPS Protection policy
To create a new IPS Protection policy
To configure the IPS Protection policy
Select the type of reaction for each severity level
IPS Protection dialog box appears
To assign IPS Rules policies
Configuring the IPS Rules policy
To create a new IPS Rules policy
IPS Rules policy details
To create an exception
Creating exception rules
You can view and edit details of an existing exception
Editing exception rules
To edit an exception rule
Enabling and disabling exception rules
To disable/enable an exception
Deleting exception rules
Moving exception rules to another policy
Types of signatures
Signatures
Host signatures
Custom host signatures
IPS Rules-Signatures tab
Viewing signatures
Modifying host and network signatures
To modify default signatures
Creating custom signatures
To modify the view of signatures
To create signatures using the wizard
Using the wizard to create signatures
To create a signature with the standard mode
Using the standard mode to create signatures
New Custom Signature-General tab
Deleting custom signatures
Editing custom signatures
To use Standard Method
To use Expert Method
To edit a custom signature
11 Application Protection Rules analysis
Application Protection Rules
12 IPS Rules-Application Protection Rules
To create an application protection rule
13 New Trusted Application dialog box-General tab
Editing Application Protection Rules
IPS Events
Enabling and disabling Application Protection Rules
Deleting Application Protection Rules
To view IPS events
Viewing events
Filtering events
Configuring the event view
To change the event view
To mark an event as read
Marking events
To mark an event as unread
To hide an event
To mark similar events
Marking similar events
Agent Signatures User Process Severity Level
Hidden
Creating event-based exceptions and trusted applications
Viewing event details
To view event details
To create an event-based trusted application
To create an event-based exception
Searching for related exceptions
IPS Client Rules
To search for a related exception
To migrate client rules to an IPS Rules policy
Regular View
To aggregate client rules
Aggregated View
Click the Aggregate View tab on the IPS Client Rules tab
To search for exceptions and manage the list of exceptions
Search IPS Exception Rules
22 Search IPS Exception Rules tab
Firewall Policies
HIP 6.1 rules
HIP 6.0 rules
Stateful packet filtering
State table
Stateful packet inspection
Ordering the firewall rule list
How firewall rules work
Stateful filtering process
How stateful filtering works
Stateful protocol tracking
How stateful packet inspection works
Protocol Description of handling
TCP
Firewall rule groups and connection-aware groups
Overview
Stateful filtering
Firewall Learn and Adaptive modes
Quarantine policies and rules
Migrating custom 6.0 firewall rules to 6.1 rules
Preset Firewall policies
To migrate rules
To configure the Firewall Options policy
Configuring the Firewall Options policy
Select For these settings Off McAfee Default
Learn
Select New Policy
Create New Policy dialog box appears
Creating new Firewall Rules policies
Configuring the Firewall Rules policy
To create a Firewall Rules policy
Include Local Subnet Automatically selected
Server High
Select this For this protection Policy Server Medium
Do any of the following
Viewing and editing firewall rules
To view and edit a firewall rule
Add Policy or Duplicate Policy
Creating a new firewall rule or firewall group
Select the appropriate settings Click OK
To create a firewall rule
Firewall Rule Group dialog box appears
To create a new rule group
To create a connection-aware group
Type a name for this group in the Name field
To add predefined rules
Deleting a firewall rule or group
To delete a firewall rule or group
To view all firewall client rules
Viewing firewall client rules
To modify the view, do any of the following
To view details of an aggregated firewall rule
To view aggregated firewall client rules
To configure the Quarantine Options policy
Configuring the Quarantine Options policy
Select New Policy
Quarantine Rules policy provides access for
Configuring the Quarantine Rules policy
Creating new Quarantine Rules policies
To create a Quarantine Rules policy
To view and edit a quarantine rule
Viewing and editing quarantine rules
Click Properties
Deleting a quarantine rule or group
Creating a new quarantine rule or group
To create a quarantine rule
To delete a quarantine rule or group
Application creation
Application Blocking Policies
Application Blocking feature contains two policy categories
Preset Application Blocking policies
Application hooking
Select this policy For these settings Off McAfee Default
Configuring the Application Blocking Options policy
To apply an Application Blocking Options policy
Application Blocking Options
Creating new Application Blocking Rules policies
Configuring the Application Blocking Rules policy
To create an Application Blocking Rules policy
To view and edit an application blocking rule
Viewing and editing Application Blocking Rules
To create a new application blocking rule
Creating new Application Blocking Rules
Application Rule dialog box appears
Viewing application client rules
Deleting an application blocking rule
To delete an application blocking rule
To view all client application rules
To view details of an aggregated client application rule
To view aggregated client application rules
General Policies
General feature contains four policy categories
Preset General policies
Configuring the Client UI policy
Configuring Enforce Policies
To change the policy setting
Regular User
To configure a Client UI policy
Administrator User
Creating and applying a Client UI policy
Disconnected User
Setting passwords
Click the Advanced Options tab in the Client UI policy
To create an administrator password
Tray icon control
To create a time-based password
To provide tray icon control of Windows UI
To configure trusted network options
Configuring the Trusted Networks policy
Edit
Select To do this Add
Remove
Include Local Subnet
Creating and applying Trusted Applications policies
Configuring the Trusted Applications policy
To create a new policy
Trusted Application tab appears
To create a trusted application
Creating trusted applications
Editing trusted applications
To disable/enable a trusted application
Enabling and disabling trusted applications
Deleting trusted applications
Fine-tuning a deployment
Maintenance
Analyzing IPS events
Working with client exception rules
Creating exception rules and trusted application rules
Creating and applying new policies
For details on working with client rules, see
To view and reset broken inheritance below a specific node
Policy maintenance and tasks
Policies tab
Policy inheritance and assignment
Click Copy policy assignments
To copy and paste policy assignments of a node
Policy Catalog
To view nodes where a policy is assigned
Viewing policy information
To view all policies that have been created
To view assignments where policy enforcement is disabled
To view the settings and owner of a policy
Editing policy information
To edit a policy
Directory Gateway
Running server tasks
Event Archiver
Property Translator
How notifications work
Setting up notifications for events
Creating rules
Host Intrusion Prevention notifications
Pre-defined reports
Running reports
Report repository
Host Intrusion Prevention reports
Report content control
Summary information and details
IPS Events Summary by Signature
Network Intrusion Summary by Source IP
IPS Event Summary by Target
Signature
Top 10 Triggered Signatures
Top 10 Attacked Nodes for IPS
Blocked Application Summary
Filters on platform and signature type
Top 10 Blocked Applications
Failed Quarantine Updates
Initial View Drill Down Host Name
To add update packages automatically
Checking in the update package
Updating
From the Task type list, select Repository Pull
To run an update task
To add update packages manually
To have a client request an update
Updating clients
Windows client
Host Intrusion Prevention Client
Client console
System tray icon
Unlocking the client interface
Setting options
To unlock the Host Intrusion Prevention interface
To customize client options
Troubleshooting
Error Reporting
Show tray icon Error Reporting
Select For this
To set Firewall logging options
To set IPS logging options
Security Violations
Intrusion alerts
Alerts
Firewall alerts
To respond to a firewall Learn Mode alert
Has the Treat rule match as an intrusion option selected
Application Blocking alerts
Spoof Detected alerts
Quarantine alerts
The IP address that the traffic pretends to come from 140
IP Spoof Detected Alert dialog box
IPS Policy options
IPS Policy tab
To customize IPS Policy options
Exception rules list
IPS Policy exception rules
To edit the exception rules
Firewall Policy options
Firewall Policy tab
To customize Firewall Policy options
Firewall rules list
Firewall Policy Rules
Application Policy options
Application Policy tab
To customize Application Policy options
Application rules list
Application Policy rules
Blocked Hosts list
Blocked Hosts tab
Column What it shows
To edit the Blocked Hosts list
Until removed
Application Protection list
Application Protection tab
This list shows all monitored processes on the client
Activity Log options
Activity Log tab
To customize Activity Log options
Activity Log list
Select Create Sniffer Capture...
McAfee Host Intrusion Prevention Options
Client installation issues
Troubleshooting
Solaris client
Policy enforcement with the Solaris client
Run this command To do this
Client operations issues
File/Directory Name Description
To restart a Solaris client
To stop a Solaris client
Policy enforcement with the Linux client
Linux client
File Name Description
Verifying the client is running
Troubleshooting tool
To stop a Linux client
Run the command hipts agent off
To restart a Linux client
What is a policy?
Frequently Asked Questions
What is the McAfee Default policy?
How do I create an exception based on an IPS Event?
How do I view IPS events triggered by clients?
How do I find existing policies that match a given profile?
How do I create custom signatures for an IPS Policy?
Rule Structure
Writing Custom Signatures
Basic structure of a rule is the following
Mandatory common sections
Section Name Value Description
Name/domain user name
Use of Include and Exclude
Section value variables
Optional common sections
Use of the dependencies section
Use of environment variables
Use of wildcards
Use of predefined variables
Windows IIS Web Server
Solaris Apache and iPlanet
MS SQL Database Server
Windows Custom Signatures
This topic describes how to write Windows custom signatures
Class Files
GUI name Explanation
Advanced Details
Class Isapi
Machine where the client is installed in the manner host
Windows Custom Signatures
Class Registry
Section Values Meaning/remarks
Class Services
GUI Name Explanation Possible Values
Windows Custom Signatures
Solaris Custom Signatures
This topic describes how to write Solaris custom signatures
Class UNIXfile
Directive File Source File permission New permission
Relevant X directives per section
Class UNIXapache
Advanced Details
Solaris Custom Signatures
Linux Custom Signatures
List of parameters according to type
Summary of parameters and directives
List of directives according to type
Glossary
Blocked host
Console tree
ePolicy Orchestrator database server
See also minimal properties
Inactive agent
Policy enforcement interval
Severity level
SYN flood
Index
Working with clients
Signatures, 46 creating, 48 creating custom
Firewall policy tab rules List IPS Policy tab