McAfee 6.1 manual (mcafee.com)
Models: 6.1
201 pages
700-1499-00
Copyright © 2006 McAfee, Inc. All Rights Reserved.
McAfee Host Intrusion Prevention
Contents
IPS Policies
General Policies 103
Frequently Asked Questions 160
Writing Custom Signatures 164
Introducing Host Intrusion Prevention
New features
What’s new in this release
Changes from the previous release
Audience
Using this guide
This guide uses the following conventions
Conventions
Bold Condensed
Example
Standard documentation
Getting product information
Customer Service
Professional Services
Contact information
IPS feature
Basic Concepts
Signature rules
Events
Behavioral rules
Reactions
Exception rules
Firewall feature
Firewall rules
Client firewall rules
Application Blocking feature
General feature
Client application blocking rules
Policy management
Policy enforcement
Policies and policy categories
Policy inheritance and assignment
Policy ownership
Policy assignment locking
Preset protection
Adaptive and Learn mode
Deployment and management
Reports
Tuning
Deploy Host Intrusion Prevention clients
Using ePolicy Orchestrator
ePolicy Orchestrator console
Assign Policies
Policy management
Host Intrusion Prevention operations
Installing the Host Intrusion Prevention server
Assigning owners to policies
Generating notifications
Viewing and working with client data
Deploying Host Intrusion Prevention clients
Placing clients in Adaptive or Learn mode
Policy viewing alerts
Configuring policies
Active X control security warning
Fine-tuning
Help navigation procedures
Using Help
IPS Events/Signatures
Help in the user interface
IPS Exception Rules
IPS Signature Rules
Overview
IPS Policies
Benefits of Host IPS
Host and network IPS signature rules
Preset IPS policies
Behavioral rules
Benefits of Network IPS
Configuring the IPS Options policy
Quick access
To configure the IPS Options policy
To create a new IPS Options policy
Click Apply
IPS Options dialog box appears
Select the needed options
Configuring the IPS Protection policy
To create a new IPS Protection policy
To configure the IPS Protection policy
Select the type of reaction for each severity level
IPS Protection dialog box appears
Configuring the IPS Rules policy
To assign IPS Rules policies
To create a new IPS Rules policy
IPS Rules policy details
To create an exception
Creating exception rules
Editing exception rules
You can view and edit details of an existing exception
To edit an exception rule
Enabling and disabling exception rules
To disable/enable an exception
Deleting exception rules
Moving exception rules to another policy
Types of signatures
Signatures
Host signatures
Custom host signatures
IPS Rules-Signatures tab
Viewing signatures
Modifying host and network signatures
To modify default signatures
Creating custom signatures
To modify the view of signatures
To create signatures using the wizard
Using the wizard to create signatures
To create a signature with the standard mode
Using the standard mode to create signatures
New Custom Signature-General tab
Deleting custom signatures
Editing custom signatures
To use Standard Method
To use Expert Method
To edit a custom signature
11 Application Protection Rules analysis
Application Protection Rules
12 IPS Rules-Application Protection Rules
To create an application protection rule
13 New Trusted Application dialog box-General tab
Editing Application Protection Rules
IPS Events
Enabling and disabling Application Protection Rules
Deleting Application Protection Rules
To view IPS events
Viewing events
Configuring the event view
Filtering events
To change the event view
To mark an event as read
Marking events
To mark an event as unread
To hide an event
To mark similar events
Marking similar events
Agent Signatures User Process Severity Level
Hidden
Viewing event details
Creating event-based exceptions and trusted applications
To view event details
To create an event-based trusted application
To create an event-based exception
IPS Client Rules
Searching for related exceptions
To search for a related exception
To migrate client rules to an IPS Rules policy
Regular View
Aggregated View
To aggregate client rules
Click the Aggregate View tab on the IPS Client Rules tab
To search for exceptions and manage the list of exceptions
Search IPS Exception Rules
22 Search IPS Exception Rules tab
Firewall Policies
HIP 6.1 rules
HIP 6.0 rules
State table
Stateful packet filtering
Stateful packet inspection
Ordering the firewall rule list
How firewall rules work
Stateful filtering process
How stateful filtering works
How stateful packet inspection works
Stateful protocol tracking
Protocol Description of handling
TCP
Firewall rule groups and connection-aware groups
Overview
Stateful filtering
Firewall Learn and Adaptive modes
Quarantine policies and rules
Preset Firewall policies
Migrating custom 6.0 firewall rules to 6.1 rules
To migrate rules
To configure the Firewall Options policy
Configuring the Firewall Options policy
Select For these settings Off McAfee Default
Learn
Select New Policy
Create New Policy dialog box appears
Configuring the Firewall Rules policy
Creating new Firewall Rules policies
To create a Firewall Rules policy
Include Local Subnet Automatically selected
Server High
Select this For this protection Policy Server Medium
Do any of the following
Viewing and editing firewall rules
To view and edit a firewall rule
Add Policy or Duplicate Policy
Select the appropriate settings Click OK
Creating a new firewall rule or firewall group
To create a firewall rule
Firewall Rule Group dialog box appears
To create a new rule group
To create a connection-aware group
Type a name for this group in the Name field
Deleting a firewall rule or group
To add predefined rules
To delete a firewall rule or group
Viewing firewall client rules
To view all firewall client rules
To modify the view, do any of the following
To view details of an aggregated firewall rule
To view aggregated firewall client rules
Configuring the Quarantine Options policy
To configure the Quarantine Options policy
Select New Policy
Quarantine Rules policy provides access for
Configuring the Quarantine Rules policy
Creating new Quarantine Rules policies
To create a Quarantine Rules policy
Viewing and editing quarantine rules
To view and edit a quarantine rule
Click Properties
Deleting a quarantine rule or group
Creating a new quarantine rule or group
To create a quarantine rule
To delete a quarantine rule or group
Application creation
Application Blocking Policies
Preset Application Blocking policies
Application Blocking feature contains two policy categories
Application hooking
Configuring the Application Blocking Options policy
Select this policy For these settings Off McAfee Default
To apply an Application Blocking Options policy
Application Blocking Options
Configuring the Application Blocking Rules policy
Creating new Application Blocking Rules policies
To create an Application Blocking Rules policy
To view and edit an application blocking rule
Viewing and editing Application Blocking Rules
To create a new application blocking rule
Creating new Application Blocking Rules
Application Rule dialog box appears
Viewing application client rules
Deleting an application blocking rule
To delete an application blocking rule
To view all client application rules
To view details of an aggregated client application rule
To view aggregated client application rules
General Policies
General feature contains four policy categories
Preset General policies
Configuring the Client UI policy
Configuring Enforce Policies
To change the policy setting
Regular User
To configure a Client UI policy
Administrator User
Creating and applying a Client UI policy
Disconnected User
Setting passwords
To create an administrator password
Click the Advanced Options tab in the Client UI policy
To create a time-based password
Tray icon control
To provide tray icon control of Windows UI
Configuring the Trusted Networks policy
To configure trusted network options
Edit
Select To do this Add
Remove
Include Local Subnet
Creating and applying Trusted Applications policies
Configuring the Trusted Applications policy
To create a new policy
Trusted Application tab appears
To create a trusted application
Creating trusted applications
Editing trusted applications
To disable/enable a trusted application
Enabling and disabling trusted applications
Deleting trusted applications
Fine-tuning a deployment
Maintenance
Analyzing IPS events
Working with client exception rules
Creating exception rules and trusted application rules
Creating and applying new policies
For details on working with client rules, see
To view and reset broken inheritance below a specific node
Policy maintenance and tasks
Policies tab
Policy inheritance and assignment
Click Copy policy assignments
To copy and paste policy assignments of a node
Policy Catalog
To view nodes where a policy is assigned
Viewing policy information
To view all policies that have been created
To view the settings and owner of a policy
To view assignments where policy enforcement is disabled
Editing policy information
To edit a policy
Directory Gateway
Running server tasks
Event Archiver
Property Translator
Setting up notifications for events
How notifications work
Creating rules
Host Intrusion Prevention notifications
Running reports
Pre-defined reports
Report repository
Host Intrusion Prevention reports
Report content control
Summary information and details
IPS Events Summary by Signature
IPS Event Summary by Target
Network Intrusion Summary by Source IP
Signature
Top 10 Triggered Signatures
Top 10 Attacked Nodes for IPS
Blocked Application Summary
Filters on platform and signature type
Failed Quarantine Updates
Top 10 Blocked Applications
Initial View Drill Down Host Name
To add update packages automatically
Checking in the update package
Updating
From the Task type list, select Repository Pull
To run an update task
To add update packages manually
To have a client request an update
Updating clients
Windows client
Host Intrusion Prevention Client
System tray icon
Client console
Unlocking the client interface
Setting options
To unlock the Host Intrusion Prevention interface
To customize client options
Troubleshooting
Error Reporting
Show tray icon Error Reporting
Select For this
To set IPS logging options
To set Firewall logging options
Security Violations
Alerts
Intrusion alerts
Firewall alerts
To respond to a firewall Learn Mode alert
Has the Treat rule match as an intrusion option selected
Application Blocking alerts
Quarantine alerts
Spoof Detected alerts
The IP address that the traffic pretends to come from
IP Spoof Detected Alert dialog box
IPS Policy options
IPS Policy tab
To customize IPS Policy options
Exception rules list
IPS Policy exception rules
To edit the exception rules
Firewall Policy options
Firewall Policy tab
To customize Firewall Policy options
Firewall Policy Rules
Firewall rules list
Application Policy options
Application Policy tab
To customize Application Policy options
Application Policy rules
Application rules list
Blocked Hosts list
Blocked Hosts tab
Column What it shows
To edit the Blocked Hosts list
Until removed
Application Protection list
Application Protection tab
This list shows all monitored processes on the client
Activity Log options
Activity Log tab
To customize Activity Log options
Activity Log list
Select Create Sniffer Capture...
McAfee Host Intrusion Prevention Options
Client installation issues
Troubleshooting
Solaris client
Policy enforcement with the Solaris client
Run this command To do this
Client operations issues
File/Directory Name Description
To stop a Solaris client
To restart a Solaris client
Policy enforcement with the Linux client
Linux client
File Name Description
Verifying the client is running
Troubleshooting tool
To stop a Linux client
Run the command hipts agent off
To restart a Linux client
What is a policy?
Frequently Asked Questions
What is the McAfee Default policy?
How do I create an exception based on an IPS Event?
How do I view IPS events triggered by clients?
How do I find existing policies that match a given profile?
How do I create custom signatures for an IPS Policy?
Rule Structure
Writing Custom Signatures
Basic structure of a rule is the following
Mandatory common sections
Section Name Value Description
Name/domain user name
Use of Include and Exclude
Optional common sections
Section value variables
Use of the dependencies section
Use of environment variables
Use of wildcards
Use of predefined variables
Windows IIS Web Server
MS SQL Database Server
Solaris Apache and iPlanet
Windows Custom Signatures
This topic describes how to write Windows custom signatures
Class Files
GUI name Explanation
Advanced Details
Class Isapi
Machine where the client is installed in the manner host
Windows Custom Signatures
Class Registry
Section Values Meaning/remarks
Class Services
GUI Name Explanation Possible Values
Windows Custom Signatures
Solaris Custom Signatures
This topic describes how to write Solaris custom signatures
Class UNIXfile
Directive File Source File permission New permission
Relevant X directives per section
Advanced Details
Class UNIXapache
Solaris Custom Signatures
Linux Custom Signatures
List of parameters according to type
Summary of parameters and directives
List of directives according to type
Glossary
Blocked host
Console tree
ePolicy Orchestrator database server
See also minimal properties
Inactive agent
Policy enforcement interval
Severity level
SYN flood
Index
Working with clients
Signatures, 46; creating, 48; creating custom
Firewall Policy tab rules list
IPS Policy tab