McAfee® Host Intrusion Prevention 6.1 Product Guide | IPS Policies |
| IPS Rules policy details |
Signatures
Signatures describe security threats, attack methodologies, and network intrusions. Each signature has a default severity level, which describes the potential danger of an attack:
High (red) — Signatures that protect against clearly identifiable security threats or malicious actions. Most of these signatures are specific to
Medium (orange) — Signatures that are behavioral in nature and deal with preventing applications from operating outside of their environment (relevant for clients protecting web servers and Microsoft SQL Server 2000). On critical servers, you may want to prevent those signatures after
Low (yellow) — Signatures that are behavioral in nature and shield applications. Shielding means locking down application and system resources so that they cannot be changed. Preventing yellow signatures increases the security of the underlying system, but requires additional
Information (blue) — Indicates a modification to the system configuration that might create a benign security risk or an attempt to access sensitive system information. Events at this level occur during normal system activity and generally are not evidence of an attack.
Types of signatures
The IPS Rules policy can contain three types of signatures:
Host signatures — Default Host Intrusion Prevention Signatures (HIPS).
Custom host signatures — Custom HIPS that you create.
Network signatures — Default Network Intrusion Prevention Signatures (NIPS).
Host signatures
Each signature has a description and a default severity level. With appropriate privilege levels, an administrator can modify the severity level of a signature or disable a signature for client groups.
When triggered,
Custom host signatures
Custom signatures are
Network signatures