Basic Concepts, IPS feature, Signature rules | McAfee 6.1 manual

2Basic Concepts

McAfee® Host Intrusion Prevention is a host-based intrusion protection system. It protects against known and unknown attacks, including worms, Trojan horses, buffer overflow, critical system file modification, and privilege escalation. Host Intrusion Prevention management is delivered through the ePolicy Orchestrator console and provides the ability to set and apply host intrusion prevention, firewall, application blocking, and general policies. Host Intrusion Prevention clients are deployed to servers and desktops and function as independent protective units. They report their activity to ePolicy Orchestrator and retrieve updates for new attack definitions.

This section describes the four features of Host Intrusion Prevention and how it works with ePolicy Orchestrator, and includes the following topics:

IPS feature

Firewall feature

Application Blocking feature

General feature

Policy management

Deployment and management

IPS feature

The IPS (Intrusion Prevention System) feature monitors all system and API calls and blocks those that might result in malicious activity. Host Intrusion Prevention determines which process is using a call, the security context in which the process runs, and the resource being accessed. A kernel-level driver, which receives redirected entries in the user-mode system call table, monitors the system call chain. When calls are made, the driver compares the call request against a database of combined signatures and behavioral rules to determine whether to allow, block, or log an action.

Signature rules

Signature rules are patterns of characters than can be matched against a traffic stream. For example, a signature rule might look for a specific string in an HTTP request. If the string matches one in a known attack, action is taken. These rules provide protection against known attacks.

15

Image 15

McAfee 6.1 manual Basic Concepts, IPS feature, Signature rules

Contents

McAfee Host Intrusion Prevention Page McAfee Host Intrusion Prevention Copyright Contents IPS Policies General Policies 103 Frequently Asked Questions 160 Writing Custom Signatures 164 IntroducingPrevention Host Intrusion New features What’s new in this releaseChanges from the previous release Audience Using this guide Example ConventionsThis guide uses the following conventions Bold Condensed Standard documentation Getting product information Customer Service Professional ServicesContact information IPS feature Basic ConceptsSignature rules Exception rules Behavioral rulesEvents Reactions Firewall feature Firewall rulesClient firewall rules Application Blocking feature General featureClient application blocking rules Policy management Policy enforcementPolicies and policy categories Policy inheritance and assignment Policy ownershipPolicy assignment locking Preset protection Adaptive and Learn modeDeployment and management Reports Tuning „ Deploy Host Intrusion Prevention clients Using ePolicy Orchestrator EPolicy Orchestrator console EPolicy Orchestrator console Assign Policies Policy management Generating notifications Installing the Host Intrusion Prevention serverHost Intrusion Prevention operations Assigning owners to policies Viewing and working with client data Deploying Host Intrusion Prevention clients Placing clients in Adaptive or Learn mode Policy viewing alerts Configuring policies Active X control security warning Fine-tuning Help navigation procedures Using Help IPS Signature Rules Help in the user interfaceIPS Events/Signatures IPS Exception Rules Overview IPS Policies Benefits of Host IPS Host and network IPS signature rules Preset IPS policies Behavioral rulesBenefits of Network IPS Configuring the IPS Options policy Quick accessTo configure the IPS Options policy Select the needed options Click ApplyTo create a new IPS Options policy IPS Options dialog box appears Configuring the IPS Protection policy To create a new IPS Protection policy To configure the IPS Protection policy Select the type of reaction for each severity level IPS Protection dialog box appears Configuring the IPS Rules policy To assign IPS Rules policiesTo create a new IPS Rules policy IPS Rules policy details To create an exception Creating exception rules Editing exception rules You can view and edit details of an existing exceptionTo edit an exception rule Moving exception rules to another policy To disable/enable an exceptionEnabling and disabling exception rules Deleting exception rules Custom host signatures SignaturesTypes of signatures Host signatures IPS Rules-Signatures tab Viewing signatures To modify the view of signatures To modify default signaturesModifying host and network signatures Creating custom signatures To create signatures using the wizard Using the wizard to create signatures To create a signature with the standard mode Using the standard mode to create signatures New Custom Signature-General tab To edit a custom signature Editing custom signaturesDeleting custom signatures To use Standard Method To use Expert Method 11 Application Protection Rules analysis Application Protection Rules 12 IPS Rules-Application Protection Rules To create an application protection rule 13 New Trusted Application dialog box-General tab Deleting Application Protection Rules IPS EventsEditing Application Protection Rules Enabling and disabling Application Protection Rules To view IPS events Viewing events Configuring the event view Filtering eventsTo change the event view To hide an event Marking eventsTo mark an event as read To mark an event as unread Hidden Marking similar eventsTo mark similar events „ Agent „ Signatures „ User „ Process „ Severity Level Viewing event details Creating event-based exceptions and trusted applicationsTo view event details To create an event-based trusted application To create an event-based exception IPS Client Rules Searching for related exceptionsTo search for a related exception To migrate client rules to an IPS Rules policy Regular View Aggregated View To aggregate client rulesClick the Aggregate View tab on the IPS Client Rules tab To search for exceptions and manage the list of exceptions Search IPS Exception Rules 22 Search IPS Exception Rules tab Firewall Policies HIP 6.1 rules HIP 6.0 rules State table Stateful packet filteringStateful packet inspection Ordering the firewall rule list How firewall rules work Stateful filtering process How stateful filtering works How stateful packet inspection works Stateful protocol trackingProtocol Description of handling TCP Firewall rule groups and connection-aware groups Overview Stateful filtering Firewall Learn and Adaptive modes Quarantine policies and rules Preset Firewall policies Migrating custom 6.0 firewall rules to 6.1 rulesTo migrate rules Learn Configuring the Firewall Options policyTo configure the Firewall Options policy Select For these settings Off McAfee Default „ Select New Policy Create New Policy dialog box appears Configuring the Firewall Rules policy Creating new Firewall Rules policiesTo create a Firewall Rules policy Include Local Subnet Automatically selected Server High Select this For this protection Policy Server Medium Add Policy or Duplicate Policy Viewing and editing firewall rulesDo any of the following To view and edit a firewall rule Select the appropriate settings Click OK Creating a new firewall rule or firewall groupTo create a firewall rule Type a name for this group in the Name field To create a new rule groupFirewall Rule Group dialog box appears To create a connection-aware group Deleting a firewall rule or group To add predefined rulesTo delete a firewall rule or group Viewing firewall client rules To view all firewall client rulesTo modify the view, do any of the following To view details of an aggregated firewall rule To view aggregated firewall client rules Configuring the Quarantine Options policy To configure the Quarantine Options policySelect New Policy To create a Quarantine Rules policy Configuring the Quarantine Rules policyQuarantine Rules policy provides access for Creating new Quarantine Rules policies Viewing and editing quarantine rules To view and edit a quarantine ruleClick Properties To delete a quarantine rule or group Creating a new quarantine rule or groupDeleting a quarantine rule or group To create a quarantine rule Application creation Application Blocking Policies Preset Application Blocking policies Application Blocking feature contains two policy categoriesApplication hooking Configuring the Application Blocking Options policy Select this policy For these settings Off McAfee DefaultTo apply an Application Blocking Options policy Application Blocking Options Configuring the Application Blocking Rules policy Creating new Application Blocking Rules policiesTo create an Application Blocking Rules policy To view and edit an application blocking rule Viewing and editing Application Blocking Rules 100 Creating new Application Blocking RulesTo create a new application blocking rule Application Rule dialog box appears To view all client application rules Deleting an application blocking ruleViewing application client rules To delete an application blocking rule To view details of an aggregated client application rule To view aggregated client application rules General Policies General feature contains four policy categories Preset General policies Regular User Configuring Enforce PoliciesConfiguring the Client UI policy To change the policy setting Disconnected User Administrator UserTo configure a Client UI policy Creating and applying a Client UI policy 107 Setting passwords To create an administrator password Click the Advanced Options tab in the Client UI policy108 To create a time-based password Tray icon controlTo provide tray icon control of Windows UI Configuring the Trusted Networks policy To configure trusted network options110 Include Local Subnet Select To do this AddEdit Remove Trusted Application tab appears Configuring the Trusted Applications policyCreating and applying Trusted Applications policies To create a new policy To create a trusted application Creating trusted applications Deleting trusted applications To disable/enable a trusted applicationEditing trusted applications Enabling and disabling trusted applications 115 MaintenanceFine-tuning a deployment Analyzing IPS events For details on working with client rules, see Creating exception rules and trusted application rulesWorking with client exception rules Creating and applying new policies Policy inheritance and assignment Policy maintenance and tasksTo view and reset broken inheritance below a specific node Policies tab Click Copy policy assignments To copy and paste policy assignments of a node To view all policies that have been created To view nodes where a policy is assignedPolicy Catalog Viewing policy information To view the settings and owner of a policy To view assignments where policy enforcement is disabledEditing policy information To edit a policy Property Translator Running server tasksDirectory Gateway Event Archiver Setting up notifications for events How notifications workCreating rules 124 Host Intrusion Prevention notifications Running reports Pre-defined reportsReport repository IPS Events Summary by Signature Report content controlHost Intrusion Prevention reports Summary information and details IPS Event Summary by Target Network Intrusion Summary by Source IPSignature Filters on platform and signature type Top 10 Attacked Nodes for IPSTop 10 Triggered Signatures Blocked Application Summary Failed Quarantine Updates Top 10 Blocked ApplicationsInitial View Drill Down Host Name From the Task type list, select Repository Pull Checking in the update packageTo add update packages automatically Updating Updating clients To add update packages manuallyTo run an update task To have a client request an update Windows client Host Intrusion Prevention Client System tray icon Client console133 To customize client options Setting optionsUnlocking the client interface To unlock the Host Intrusion Prevention interface Select For this Error ReportingTroubleshooting Show tray icon Error Reporting To set IPS logging options To set Firewall logging optionsSecurity Violations Alerts Intrusion alerts137 Has the Treat rule match as an intrusion option selected To respond to a firewall Learn Mode alertFirewall alerts 138 Application Blocking alerts Quarantine alerts Spoof Detected alerts„ The IP address that the traffic pretends to come from 140 IP Spoof Detected Alert dialog box 141 142 IPS Policy tabIPS Policy options To customize IPS Policy options 143 IPS Policy exception rulesException rules list To edit the exception rules 144 Firewall Policy tabFirewall Policy options To customize Firewall Policy options Firewall Policy Rules Firewall rules list145 146 Application Policy tabApplication Policy options To customize Application Policy options Application Policy rules Application rules list147 Column What it shows Blocked Hosts tabBlocked Hosts list 148 To edit the Blocked Hosts list 149Until removed 150 Application Protection tabApplication Protection list This list shows all monitored processes on the client 151 Activity Log tabActivity Log options To customize Activity Log options McAfee Host Intrusion Prevention Options Activity Log list152 Select Create Sniffer Capture... Policy enforcement with the Solaris client TroubleshootingClient installation issues Solaris client File/Directory Name Description Client operations issuesRun this command To do this 154 To stop a Solaris client To restart a Solaris client155 Policy enforcement with the Linux client Linux client File Name Description Verifying the client is running 158 Troubleshooting tool 159 Run the command hipts agent offTo stop a Linux client To restart a Linux client 160 Frequently Asked QuestionsWhat is a policy? What is the McAfee Default policy? 161 How do I create an exception based on an IPS Event? How do I view IPS events triggered by clients? How do I find existing policies that match a given profile? How do I create custom signatures for an IPS Policy? 164 Writing Custom SignaturesRule Structure Basic structure of a rule is the following Mandatory common sections 165Section Name Value Description Name/domain user name Use of Include and Exclude Optional common sections Section value variablesUse of the dependencies section Windows IIS Web Server Use of wildcardsUse of environment variables Use of predefined variables MS SQL Database Server Solaris Apache and iPlanet169 170 This topic describes how to write Windows custom signaturesWindows Custom Signatures Class Files 171 GUI name Explanation Advanced Details Class Isapi Machine where the client is installed in the manner host Windows Custom Signatures Class Registry 177 Section Values Meaning/remarks Class Services GUI Name Explanation Possible Values Windows Custom Signatures 181 This topic describes how to write Solaris custom signaturesSolaris Custom Signatures Class UNIXfile Directive File Source File permission New permission Relevant X directives per section Advanced Details Class UNIXapache183 Solaris Custom Signatures 185 Linux Custom Signatures 186 Summary of parameters and directivesList of parameters according to type List of directives according to type 187 Glossary Blocked host 188 Console tree 189 EPolicy Orchestrator database server 190 See also minimal properties 191 Inactive agent 192 Policy enforcement interval 193 Severity level 194 SYN flood 195 Index Working with clients Signatures, 46 creating, 48 creating custom Firewall policy tab rules List IPS Policy tab Page Mcafee.com