McAfee HISCDE-AB-IA Product Guide - Page 47
Creating exception rules, Monitor IPS events
Configuring IPS Policies
Monitor IPS events

To...                                       Do this...
Edit an exception rule                      Under Actions, click Edit.
Add an exception rule                       Click New.
Delete an exception rule                    Under Actions, click Delete.
Copy an exception rule to another policy    Select a rule and click Copy To to copy it to another policy. Indicate the policy to which to copy the rule and click OK.
                                            NOTE: You can copy several rules at one time by selecting all the rules before clicking Copy To.

4 Click Save to save changes.

Creating exception rules

To allow behavior prevented by a signature, create an exception for that signature. This can entail defining exception parameters and values. See Writing Custom Signatures and Exceptions for details on this aspect.

Task
For option definitions, click ? in the interface.

1 On the IPS Rules policy Exception Rules tab, click New.
2 Name the exception, be sure it is enabled, then include the signatures to which the exception applies.
3 Set the executables, parameters, or Domain groups that play a role as a behavioral exception to the signature.
4 Click Save.

Monitor IPS events

An IPS event is triggered when a security violation, as defined by a signature, is detected and reported to the ePO server. The IPS event appears on the Events tab of the Host IPS tab (or on the Event Log tab, along with the events of all the other products that ePolicy Orchestrator manages) under Reporting, with one of four severity levels: High, Medium, Low, and Information.

NOTE: When two events are triggered by the same operation, the highest signature reaction is taken.

From the list of events generated, you can determine which events are allowable and which indicate suspicious behavior. To allow events, configure the system with the following:

• Exceptions - Rules that override a signature rule.
• Trusted Applications - Applications that are labeled trusted, whose operations might otherwise be blocked by a signature.

This tuning process keeps the events that appear to a minimum, providing more time for analysis of the serious events that occur.

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 47
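The decision rules this page describes (an exception overrides a signature, a trusted application's operations are allowed, and the highest signature reaction wins when several events are triggered by one operation), modelled as a small tuning simulator. This is an added example, not McAfee code; the reaction names and their ordering (Ignore < Log < Prevent) and the sample executables are assumptions, since the page does not list them.

```python
# Added example (not McAfee code): models how Host IPS would decide what to do
# with one operation, using only the rules stated on this page. Reaction names
# and ordering (Ignore < Log < Prevent) are assumed, not taken from the page.
from dataclasses import dataclass, field

REACTION_RANK = {"Ignore": 0, "Log": 1, "Prevent": 2}  # assumed ordering

@dataclass
class Signature:
    sig_id: int
    severity: str   # High, Medium, Low, Information (the four levels on this page)
    reaction: str   # Ignore, Log, Prevent (assumed names)

@dataclass
class ExceptionRule:
    name: str
    enabled: bool
    signature_ids: set                              # signatures the exception covers
    executables: set = field(default_factory=set)   # empty = any executable
    parameters: dict = field(default_factory=dict)  # empty = any parameter values

@dataclass
class Operation:
    executable: str
    parameters: dict        # e.g. {"file": "C:\\constructed\\path"} (constructed)
    matched_sig_ids: list   # signatures this operation violated

def exception_applies(rule, sig_id, op):
    """An exception overrides a signature only if it is enabled, names that
    signature, and every executable/parameter constraint it carries matches."""
    if not rule.enabled or sig_id not in rule.signature_ids:
        return False
    if rule.executables and op.executable.lower() not in {e.lower() for e in rule.executables}:
        return False
    return all(op.parameters.get(k) == v for k, v in rule.parameters.items())

def evaluate(op, signatures, exceptions, trusted_apps):
    """Return (reaction, events): events is the list of (sig_id, severity) that
    would be reported to ePO; reaction is the highest one among those events."""
    if op.executable.lower() in {a.lower() for a in trusted_apps}:
        return "Ignore", []            # trusted application: operation allowed
    events = []
    for sig_id in op.matched_sig_ids:
        if any(exception_applies(r, sig_id, op) for r in exceptions):
            continue                   # exception overrides this signature
        events.append((sig_id, signatures[sig_id].severity))
    reaction = max((signatures[s].reaction for s, _ in events),
                   key=REACTION_RANK.get, default="Ignore")
    return reaction, events
```

Running the same operation through the evaluator before and after adding an exception shows how many events the tuning removes, which is the point of the process described above.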