Manuals / McAfee / Marine Equipment / Marine Radio

McAfee 6.1 manual Top 10 Attacked Nodes for IPS, Top 10 Triggered Signatures

Models: 6.1

1 201

Download 201 pages 13.13 Kb

Page 128

McAfee® Host Intrusion Prevention 6.1 Product Guide	Maintenance
	Running reports

Top 10 Attacked Nodes for IPS

Use this report to view a bar chart of the top 10 hosts where IPS events are triggered.

Details include:

Initial View		Level 1 Drill Down		Level 2 Drill Down

	Host Name >		Host Name		OS User
	Event Count		Signature >		Reaction
			Count		Process
					Source IP
					Incident Time
					Recording Time
					Severity Level
					Event description
					Advanced details

8

Filters on platform and signature type.

Top 10 Triggered Signatures

Use this report to view a bar chart of the 10 most triggered IPS signatures. Details include:

Initial View		Level 1 Drill Down		Level 2 Drill Down

	Signature Name >		Signature Name		OS User
	Event Count		Process >		Reaction
			Count		Node name
					Source IP
					Incident Time
					Recording Time
					Severity Level
					Event description
					Advanced details

Filters on platform and signature type.

Blocked Application Summary

Use this report to view a summary of blocked application events per application. Details include:

Initial View		Drill Down

	Application		Host Name
	Description >		Host IP
			Host IP
	Event Count		Event time
			Event time
			Process name
			Application path
			Application version
			Application hash

Filters on application description and event time.

128

Image 128

McAfee 6.1 manual Top 10 Attacked Nodes for IPS, Top 10 Triggered Signatures, Blocked Application Summary

Contents

McAfee Host Intrusion Prevention Page McAfee Host Intrusion Prevention Copyright Contents IPS Policies General Policies 103 Frequently Asked Questions 160 Writing Custom Signatures 164 IntroducingPrevention Host Intrusion Changes from the previous release New featuresWhat’s new in this release Using this guide AudienceConventions This guide uses the following conventionsBold Condensed ExampleGetting product information Standard documentationContact information Customer ServiceProfessional Services Signature rules IPS featureBasic Concepts Behavioral rules EventsReactions Exception rulesClient firewall rules Firewall featureFirewall rules Client application blocking rules Application Blocking featureGeneral feature Policies and policy categories Policy managementPolicy enforcement Policy assignment locking Policy inheritance and assignmentPolicy ownership Deployment and management Preset protectionAdaptive and Learn mode Tuning ReportsUsing ePolicy Orchestrator „ Deploy Host Intrusion Prevention clientsEPolicy Orchestrator console EPolicy Orchestrator consolePolicy management Assign PoliciesInstalling the Host Intrusion Prevention server Host Intrusion Prevention operationsAssigning owners to policies Generating notificationsDeploying Host Intrusion Prevention clients Viewing and working with client dataPlacing clients in Adaptive or Learn mode Configuring policies Policy viewing alertsFine-tuning Active X control security warningUsing Help Help navigation proceduresHelp in the user interface IPS Events/SignaturesIPS Exception Rules IPS Signature RulesIPS Policies OverviewHost and network IPS signature rules Benefits of Host IPSBenefits of Network IPS Preset IPS policiesBehavioral rules To configure the IPS Options policy Configuring the IPS Options policyQuick access Click Apply To create a new IPS Options policyIPS Options dialog box appears Select the needed optionsConfiguring the IPS Protection policy To configure the IPS Protection policy To create a new IPS Protection policyIPS Protection dialog box appears Select the type of reaction for each severity levelTo create a new IPS Rules policy Configuring the IPS Rules policyTo assign IPS Rules policies IPS Rules policy details Creating exception rules To create an exceptionTo edit an exception rule Editing exception rulesYou can view and edit details of an existing exception To disable/enable an exception Enabling and disabling exception rulesDeleting exception rules Moving exception rules to another policySignatures Types of signaturesHost signatures Custom host signaturesViewing signatures IPS Rules-Signatures tabTo modify default signatures Modifying host and network signaturesCreating custom signatures To modify the view of signaturesUsing the wizard to create signatures To create signatures using the wizardUsing the standard mode to create signatures To create a signature with the standard modeNew Custom Signature-General tab Editing custom signatures Deleting custom signaturesTo use Standard Method To use Expert Method To edit a custom signatureApplication Protection Rules 11 Application Protection Rules analysisTo create an application protection rule 12 IPS Rules-Application Protection Rules13 New Trusted Application dialog box-General tab IPS Events Editing Application Protection RulesEnabling and disabling Application Protection Rules Deleting Application Protection RulesViewing events To view IPS eventsTo change the event view Configuring the event viewFiltering events Marking events To mark an event as readTo mark an event as unread To hide an eventMarking similar events To mark similar events„ Agent „ Signatures „ User „ Process „ Severity Level HiddenTo view event details Viewing event detailsCreating event-based exceptions and trusted applications To create an event-based exception To create an event-based trusted applicationTo search for a related exception IPS Client RulesSearching for related exceptions Regular View To migrate client rules to an IPS Rules policyClick the Aggregate View tab on the IPS Client Rules tab Aggregated ViewTo aggregate client rules Search IPS Exception Rules To search for exceptions and manage the list of exceptions22 Search IPS Exception Rules tab Firewall Policies HIP 6.0 rules HIP 6.1 rulesStateful packet inspection State tableStateful packet filtering How firewall rules work Ordering the firewall rule listHow stateful filtering works Stateful filtering processProtocol Description of handling How stateful packet inspection worksStateful protocol tracking Firewall rule groups and connection-aware groups TCPOverview Firewall Learn and Adaptive modes Stateful filteringQuarantine policies and rules To migrate rules Preset Firewall policiesMigrating custom 6.0 firewall rules to 6.1 rules Configuring the Firewall Options policy To configure the Firewall Options policySelect For these settings Off McAfee Default LearnCreate New Policy dialog box appears „ Select New PolicyTo create a Firewall Rules policy Configuring the Firewall Rules policyCreating new Firewall Rules policies Include Local Subnet Automatically selected Select this For this protection Policy Server Medium Server HighViewing and editing firewall rules Do any of the followingTo view and edit a firewall rule Add Policy or Duplicate PolicyTo create a firewall rule Select the appropriate settings Click OKCreating a new firewall rule or firewall group To create a new rule group Firewall Rule Group dialog box appearsTo create a connection-aware group Type a name for this group in the Name fieldTo delete a firewall rule or group Deleting a firewall rule or groupTo add predefined rules To modify the view, do any of the following Viewing firewall client rulesTo view all firewall client rules To view aggregated firewall client rules To view details of an aggregated firewall ruleSelect New Policy Configuring the Quarantine Options policyTo configure the Quarantine Options policy Configuring the Quarantine Rules policy Quarantine Rules policy provides access forCreating new Quarantine Rules policies To create a Quarantine Rules policyClick Properties Viewing and editing quarantine rulesTo view and edit a quarantine rule Creating a new quarantine rule or group Deleting a quarantine rule or groupTo create a quarantine rule To delete a quarantine rule or groupApplication Blocking Policies Application creationApplication hooking Preset Application Blocking policiesApplication Blocking feature contains two policy categories To apply an Application Blocking Options policy Configuring the Application Blocking Options policySelect this policy For these settings Off McAfee Default Application Blocking Options To create an Application Blocking Rules policy Configuring the Application Blocking Rules policyCreating new Application Blocking Rules policies Viewing and editing Application Blocking Rules To view and edit an application blocking ruleCreating new Application Blocking Rules To create a new application blocking ruleApplication Rule dialog box appears 100Deleting an application blocking rule Viewing application client rulesTo delete an application blocking rule To view all client application rulesTo view aggregated client application rules To view details of an aggregated client application ruleGeneral Policies Preset General policies General feature contains four policy categoriesConfiguring Enforce Policies Configuring the Client UI policyTo change the policy setting Regular UserAdministrator User To configure a Client UI policyCreating and applying a Client UI policy Disconnected UserSetting passwords 107108 To create an administrator passwordClick the Advanced Options tab in the Client UI policy To provide tray icon control of Windows UI To create a time-based passwordTray icon control 110 Configuring the Trusted Networks policyTo configure trusted network options Select To do this Add EditRemove Include Local SubnetConfiguring the Trusted Applications policy Creating and applying Trusted Applications policiesTo create a new policy Trusted Application tab appearsCreating trusted applications To create a trusted applicationTo disable/enable a trusted application Editing trusted applicationsEnabling and disabling trusted applications Deleting trusted applicationsMaintenance Fine-tuning a deploymentAnalyzing IPS events 115Creating exception rules and trusted application rules Working with client exception rulesCreating and applying new policies For details on working with client rules, seePolicy maintenance and tasks To view and reset broken inheritance below a specific nodePolicies tab Policy inheritance and assignmentTo copy and paste policy assignments of a node Click Copy policy assignmentsTo view nodes where a policy is assigned Policy CatalogViewing policy information To view all policies that have been createdEditing policy information To view the settings and owner of a policyTo view assignments where policy enforcement is disabled To edit a policy Running server tasks Directory GatewayEvent Archiver Property TranslatorCreating rules Setting up notifications for eventsHow notifications work Host Intrusion Prevention notifications 124Report repository Running reportsPre-defined reports Report content control Host Intrusion Prevention reportsSummary information and details IPS Events Summary by SignatureSignature IPS Event Summary by TargetNetwork Intrusion Summary by Source IP Top 10 Attacked Nodes for IPS Top 10 Triggered SignaturesBlocked Application Summary Filters on platform and signature typeInitial View Drill Down Host Name Failed Quarantine UpdatesTop 10 Blocked Applications Checking in the update package To add update packages automaticallyUpdating From the Task type list, select Repository PullTo add update packages manually To run an update taskTo have a client request an update Updating clientsHost Intrusion Prevention Client Windows client133 System tray iconClient console Setting options Unlocking the client interfaceTo unlock the Host Intrusion Prevention interface To customize client optionsError Reporting TroubleshootingShow tray icon Error Reporting Select For thisSecurity Violations To set IPS logging optionsTo set Firewall logging options 137 AlertsIntrusion alerts To respond to a firewall Learn Mode alert Firewall alerts138 Has the Treat rule match as an intrusion option selectedApplication Blocking alerts „ The IP address that the traffic pretends to come from 140 Quarantine alertsSpoof Detected alerts 141 IP Spoof Detected Alert dialog boxIPS Policy tab IPS Policy optionsTo customize IPS Policy options 142IPS Policy exception rules Exception rules listTo edit the exception rules 143Firewall Policy tab Firewall Policy optionsTo customize Firewall Policy options 144145 Firewall Policy RulesFirewall rules list Application Policy tab Application Policy optionsTo customize Application Policy options 146147 Application Policy rulesApplication rules list Blocked Hosts tab Blocked Hosts list148 Column What it showsUntil removed To edit the Blocked Hosts list149 Application Protection tab Application Protection listThis list shows all monitored processes on the client 150Activity Log tab Activity Log optionsTo customize Activity Log options 151Activity Log list 152Select Create Sniffer Capture... McAfee Host Intrusion Prevention OptionsTroubleshooting Client installation issuesSolaris client Policy enforcement with the Solaris clientClient operations issues Run this command To do this154 File/Directory Name Description155 To stop a Solaris clientTo restart a Solaris client Linux client Policy enforcement with the Linux clientVerifying the client is running File Name DescriptionTroubleshooting tool 158Run the command hipts agent off To stop a Linux clientTo restart a Linux client 159Frequently Asked Questions What is a policy?What is the McAfee Default policy? 160161 How do I view IPS events triggered by clients? How do I create an exception based on an IPS Event?How do I create custom signatures for an IPS Policy? How do I find existing policies that match a given profile?Writing Custom Signatures Rule StructureBasic structure of a rule is the following 164Section Name Value Description Mandatory common sections165 Use of Include and Exclude Name/domain user nameUse of the dependencies section Optional common sectionsSection value variables Use of wildcards Use of environment variablesUse of predefined variables Windows IIS Web Server169 MS SQL Database ServerSolaris Apache and iPlanet This topic describes how to write Windows custom signatures Windows Custom SignaturesClass Files 170171 Advanced Details GUI name ExplanationClass Isapi Machine where the client is installed in the manner host Windows Custom Signatures Class Registry 177 Class Services Section Values Meaning/remarksGUI Name Explanation Possible Values Windows Custom Signatures This topic describes how to write Solaris custom signatures Solaris Custom SignaturesClass UNIXfile 181Relevant X directives per section Directive File Source File permission New permission183 Advanced DetailsClass UNIXapache Solaris Custom Signatures Linux Custom Signatures 185Summary of parameters and directives List of parameters according to typeList of directives according to type 186Glossary 187188 Blocked host189 Console tree190 EPolicy Orchestrator database server191 See also minimal properties192 Inactive agent193 Policy enforcement interval194 Severity level195 SYN floodIndex Working with clients Signatures, 46 creating, 48 creating custom Firewall policy tab rules List IPS Policy tab Page Mcafee.com