McAfee® Host Intrusion Prevention 6.1 Product Guide

IPS Policies

 

IPS Rules policy details

4

Network-based signatures appear in the console in the same list of signatures as the host-based signatures. They have their own icon in the Type column and are designated as Network IPS in the Signature Properties General dialog box.

Each signature has a description and a default severity level. With appropriate privilege levels, an administrator can modify the severity level of a signature or disable a signature.

Every network-based signature has an option to turn logging off, even if the effective policy associates the signature with a log or prevent reaction. With a prevent reaction, however, the operation is still prevented even though no event is logged.

You can create exceptions for network-based signatures; however, you cannot specify additional parameter attributes such as operating system user and process name. Advanced details contains network-specific parameters, such as IP addresses, that you can specify.

Events generated by network-based signatures are displayed along with the host-based events in the IPS Events tab and exhibit the same behavior as host-based events.

Network-based custom signatures are not supported.

Viewing signatures

Host Intrusion Prevention provides three views of signatures on the Signatures tab. The default listing includes only active signatures. You can also view only disabled signatures, or a combination of active and disabled signatures.

Figure 4-6 IPS Rules—Signatures tab
