McAfee Host Intrusion Prevention 6.1 manual (201 pages)
Product Guide: McAfee® Host Intrusion Prevention version 6.1
McAfee® System Protection: Industry-leading intrusion prevention solutions
Contents
Copyright
IPS Policies
General Policies
Frequently Asked Questions
Writing Custom Signatures
Introducing Host Intrusion Prevention
New features
What’s new in this release
Changes from the previous release
Audience
Using this guide
Example
Conventions
This guide uses the following conventions
Bold Condensed
Standard documentation
Getting product information
Customer Service
Professional Services
Contact information
IPS feature
Basic Concepts
Signature rules
Exception rules
Behavioral rules
Events
Reactions
Firewall feature
Firewall rules
Client firewall rules
Application Blocking feature
General feature
Client application blocking rules
Policy management
Policy enforcement
Policies and policy categories
Policy inheritance and assignment
Policy ownership
Policy assignment locking
Preset protection
Adaptive and Learn mode
Deployment and management
Reports
Tuning
Deploy Host Intrusion Prevention clients
Using ePolicy Orchestrator
ePolicy Orchestrator console
Assign Policies
Policy management
Generating notifications
Installing the Host Intrusion Prevention server
Host Intrusion Prevention operations
Assigning owners to policies
Viewing and working with client data
Deploying Host Intrusion Prevention clients
Placing clients in Adaptive or Learn mode
Policy viewing alerts
Configuring policies
ActiveX control security warning
Fine-tuning
Help navigation procedures
Using Help
IPS Signature Rules
Help in the user interface
IPS Events/Signatures
IPS Exception Rules
Overview
IPS Policies
Benefits of Host IPS
Host and network IPS signature rules
Preset IPS policies
Behavioral rules
Benefits of Network IPS
Configuring the IPS Options policy
Quick access
To configure the IPS Options policy
Select the needed options
Click Apply
To create a new IPS Options policy
IPS Options dialog box appears
Configuring the IPS Protection policy
To create a new IPS Protection policy
To configure the IPS Protection policy
Select the type of reaction for each severity level
IPS Protection dialog box appears
Configuring the IPS Rules policy
To assign IPS Rules policies
To create a new IPS Rules policy
IPS Rules policy details
To create an exception
Creating exception rules
Editing exception rules
You can view and edit details of an existing exception
To edit an exception rule
Moving exception rules to another policy
To disable/enable an exception
Enabling and disabling exception rules
Deleting exception rules
Custom host signatures
Signatures
Types of signatures
Host signatures
IPS Rules-Signatures tab
Viewing signatures
To modify the view of signatures
To modify default signatures
Modifying host and network signatures
Creating custom signatures
To create signatures using the wizard
Using the wizard to create signatures
To create a signature with the standard mode
Using the standard mode to create signatures
New Custom Signature-General tab
To edit a custom signature
Editing custom signatures
Deleting custom signatures
To use Standard Method
To use Expert Method
Application Protection Rules analysis
Application Protection Rules
IPS Rules-Application Protection Rules
To create an application protection rule
New Trusted Application dialog box-General tab
Deleting Application Protection Rules
IPS Events
Editing Application Protection Rules
Enabling and disabling Application Protection Rules
To view IPS events
Viewing events
Configuring the event view
Filtering events
To change the event view
To hide an event
Marking events
To mark an event as read
To mark an event as unread
Hidden
Marking similar events
To mark similar events
Agent Signatures User Process Severity Level
Viewing event details
Creating event-based exceptions and trusted applications
To view event details
To create an event-based trusted application
To create an event-based exception
IPS Client Rules
Searching for related exceptions
To search for a related exception
To migrate client rules to an IPS Rules policy
Regular View
Aggregated View
To aggregate client rules
Click the Aggregate View tab on the IPS Client Rules tab
To search for exceptions and manage the list of exceptions
Search IPS Exception Rules
Search IPS Exception Rules tab
Firewall Policies
HIP 6.1 rules
HIP 6.0 rules
State table
Stateful packet filtering
Stateful packet inspection
Ordering the firewall rule list
How firewall rules work
Stateful filtering process
How stateful filtering works
How stateful packet inspection works
Stateful protocol tracking
Protocol Description of handling
TCP
Firewall rule groups and connection-aware groups
Overview
Stateful filtering
Firewall Learn and Adaptive modes
Quarantine policies and rules
Preset Firewall policies
Migrating custom 6.0 firewall rules to 6.1 rules
To migrate rules
Learn
Configuring the Firewall Options policy
To configure the Firewall Options policy
Select For these settings Off McAfee Default
Select New Policy
Create New Policy dialog box appears
Configuring the Firewall Rules policy
Creating new Firewall Rules policies
To create a Firewall Rules policy
Include Local Subnet Automatically selected
Server High
Select this For this protection Policy Server Medium
Add Policy or Duplicate Policy
Viewing and editing firewall rules
Do any of the following
To view and edit a firewall rule
Select the appropriate settings Click OK
Creating a new firewall rule or firewall group
To create a firewall rule
Type a name for this group in the Name field
To create a new rule group
Firewall Rule Group dialog box appears
To create a connection-aware group
Deleting a firewall rule or group
To add predefined rules
To delete a firewall rule or group
Viewing firewall client rules
To view all firewall client rules
To modify the view, do any of the following
To view details of an aggregated firewall rule
To view aggregated firewall client rules
Configuring the Quarantine Options policy
To configure the Quarantine Options policy
Select New Policy
To create a Quarantine Rules policy
Configuring the Quarantine Rules policy
Quarantine Rules policy provides access for
Creating new Quarantine Rules policies
Viewing and editing quarantine rules
To view and edit a quarantine rule
Click Properties
To delete a quarantine rule or group
Creating a new quarantine rule or group
Deleting a quarantine rule or group
To create a quarantine rule
Application creation
Application Blocking Policies
Preset Application Blocking policies
Application Blocking feature contains two policy categories
Application hooking
Configuring the Application Blocking Options policy
Select this policy For these settings Off McAfee Default
To apply an Application Blocking Options policy
Application Blocking Options
Configuring the Application Blocking Rules policy
Creating new Application Blocking Rules policies
To create an Application Blocking Rules policy
To view and edit an application blocking rule
Viewing and editing Application Blocking Rules
Creating new Application Blocking Rules
To create a new application blocking rule
Application Rule dialog box appears
To view all client application rules
Deleting an application blocking rule
Viewing application client rules
To delete an application blocking rule
To view details of an aggregated client application rule
To view aggregated client application rules
General Policies
General feature contains four policy categories
Preset General policies
Regular User
Configuring Enforce Policies
Configuring the Client UI policy
To change the policy setting
Disconnected User
Administrator User
To configure a Client UI policy
Creating and applying a Client UI policy
Setting passwords
To create an administrator password
Click the Advanced Options tab in the Client UI policy
To create a time-based password
Tray icon control
To provide tray icon control of Windows UI
Configuring the Trusted Networks policy
To configure trusted network options
Include Local Subnet
Select To do this Add
Edit
Remove
Trusted Application tab appears
Configuring the Trusted Applications policy
Creating and applying Trusted Applications policies
To create a new policy
To create a trusted application
Creating trusted applications
Deleting trusted applications
To disable/enable a trusted application
Editing trusted applications
Enabling and disabling trusted applications
Maintenance
Fine-tuning a deployment
Analyzing IPS events
For details on working with client rules, see
Creating exception rules and trusted application rules
Working with client exception rules
Creating and applying new policies
Policy inheritance and assignment
Policy maintenance and tasks
To view and reset broken inheritance below a specific node
Policies tab
Click Copy policy assignments
To copy and paste policy assignments of a node
To view all policies that have been created
To view nodes where a policy is assigned
Policy Catalog
Viewing policy information
To view the settings and owner of a policy
To view assignments where policy enforcement is disabled
Editing policy information
To edit a policy
Property Translator
Running server tasks
Directory Gateway
Event Archiver
Setting up notifications for events
How notifications work
Creating rules
Host Intrusion Prevention notifications
Running reports
Pre-defined reports
Report repository
IPS Events Summary by Signature
Report content control
Host Intrusion Prevention reports
Summary information and details
IPS Event Summary by Target
Network Intrusion Summary by Source IP
Signature
Filters on platform and signature type
Top 10 Attacked Nodes for IPS
Top 10 Triggered Signatures
Blocked Application Summary
Failed Quarantine Updates
Top 10 Blocked Applications
Initial View Drill Down Host Name
From the Task type list, select Repository Pull
Checking in the update package
To add update packages automatically
Updating
Updating clients
To add update packages manually
To run an update task
To have a client request an update
Windows client
Host Intrusion Prevention Client
System tray icon
Client console
To customize client options
Setting options
Unlocking the client interface
To unlock the Host Intrusion Prevention interface
Select For this
Error Reporting
Troubleshooting
Show tray icon Error Reporting
To set IPS logging options
To set Firewall logging options
Security Violations
Alerts
Intrusion alerts
Has the Treat rule match as an intrusion option selected
To respond to a firewall Learn Mode alert
Firewall alerts
Application Blocking alerts
Quarantine alerts
Spoof Detected alerts
The IP address that the traffic pretends to come from
IP Spoof Detected Alert dialog box
IPS Policy tab
IPS Policy options
To customize IPS Policy options
IPS Policy exception rules
Exception rules list
To edit the exception rules
Firewall Policy tab
Firewall Policy options
To customize Firewall Policy options
Firewall Policy Rules
Firewall rules list
Application Policy tab
Application Policy options
To customize Application Policy options
Application Policy rules
Application rules list
Column What it shows
Blocked Hosts tab
Blocked Hosts list
To edit the Blocked Hosts list
Until removed
Application Protection tab
Application Protection list
This list shows all monitored processes on the client
Activity Log tab
Activity Log options
To customize Activity Log options
McAfee Host Intrusion Prevention Options
Activity Log list
Select Create Sniffer Capture...
Policy enforcement with the Solaris client
Troubleshooting
Client installation issues
Solaris client
File/Directory Name Description
Client operations issues
Run this command To do this
To stop a Solaris client
To restart a Solaris client
Policy enforcement with the Linux client
Linux client
File Name Description
Verifying the client is running
Troubleshooting tool
Run the command hipts agent off
To stop a Linux client
To restart a Linux client
Frequently Asked Questions
What is a policy?
What is the McAfee Default policy?
How do I create an exception based on an IPS Event?
How do I view IPS events triggered by clients?
How do I find existing policies that match a given profile?
How do I create custom signatures for an IPS Policy?
Writing Custom Signatures
Rule Structure
Basic structure of a rule is the following
Mandatory common sections
Section Name Value Description
Name/domain user name
Use of Include and Exclude
Optional common sections
Section value variables
Use of the dependencies section
Windows IIS Web Server
Use of wildcards
Use of environment variables
Use of predefined variables
MS SQL Database Server
Solaris Apache and iPlanet
This topic describes how to write Windows custom signatures
Windows Custom Signatures
Class Files
GUI name Explanation
Advanced Details
Class Isapi
Machine where the client is installed in the manner host
Windows Custom Signatures
Class Registry
Section Values Meaning/remarks
Class Services
GUI Name Explanation Possible Values
Windows Custom Signatures
This topic describes how to write Solaris custom signatures
Solaris Custom Signatures
Class UNIXfile
Directive File Source File permission New permission
Relevant X directives per section
Advanced Details
Class UNIXapache
Solaris Custom Signatures
Linux Custom Signatures
Summary of parameters and directives
List of parameters according to type
List of directives according to type
Glossary
Blocked host
Console tree
ePolicy Orchestrator database server
See also minimal properties
Inactive agent
Policy enforcement interval
Severity level
SYN flood
Index
Working with clients