
McAfee® Host Intrusion Prevention 6.1 Product Guide | IPS Policies | IPS Rules policy details
IPS Rules policy details
The IPS Rules policy allows you to create and apply one or more policies that define IPS settings. Policies should be based on common usage, location, or access rights and privileges. For example, you might assign an IIS Server a Global Policy, a Server Client Policy, and an IIS Policy.
Each policy details:
Exception Rules
Signatures
Application Protection Rules
All available IPS policies are in the Policies list in the IPS Rules Policy Settings dialog box. Policies applied to the selected node appear in bold. Click Effective Policy to view a union of all exception rules, signatures, and include/exclude rules that apply to the selected node.
The IPS Rules Policy Settings dialog box also provides access to the following IPS
IPS Events
IPS Client Rules
Search IPS Exception Rules
Exception Rules
Sometimes behavior that would be interpreted as an attack can actually be a normal part of a user’s work routine. This is called a false positive alert. To prevent false positives, create an exception for that behavior.
The exceptions feature enables you to weed out false positive alerts, minimizes needless data flowing to the console, and ensures that the alerts are legitimate security threats.
For example, during the process of testing clients, a client recognizes the Outlook Envelope - Suspicious Executable Mod. signature. This signature signals that the Outlook
You can view a list of exceptions, and create and modify them on the Exceptions tab in the IPS Rules dialog box.