McAfee M-1250 IPS Configuration Guide - Page 71
Pre-configured rule sets and policies, Attack Categories
McAfee® Network Security Platform 5.1 Managing IPS settings

• Rule Set / Policy Name: the name given to the rule set or policy. Several rule sets and policies are provided with names that represent the network area best protected by that rule set and policy.
• Owner: the admin domain in which the rule set/policy was created.
• Inbound / Outbound Rule Set (Policy Editor only): the name given to the rule set that has been configured to protect particular operating systems, protocols, applications, and so forth. Several rule sets are provided that are designed for use with the provided policies, but they may also be used with your custom-created policies.
• Editable: a check mark in this field indicates that the rule set/policy can be edited.

Pre-configured rule sets and policies

McAfee provides many pre-configured rule sets and policies for immediate application in a number of different network areas. Each pre-configured policy is matched with an identically named rule set designed to address the common attacks targeting specific network environments. To provide the most efficient attack detection options, these policies take into account distinct factors such as protocols (HTTP, SMTP, DNS), applications (email, FTP, web), and operating systems (Windows, Solaris, Linux).

Note: You cannot edit or delete pre-configured policies or rule sets. However, you may clone a pre-configured rule set or policy, then rename and customize the clone.

Attack Categories

Attacks are classified into four general categories:

• Denial of Service (DoS), including DDoS: all of the conditions indicative of activities that lead to service disruption, including the slowing down or crashing of applications, servers, or networks. Distributed Denial of Service (DDoS) attacks are also included.
• Exploit: all malicious activities, other than DoS and Reconnaissance, carried out through specific traffic content. This includes buffer overflows, viruses, and worms.
• Policy Violation: all activities for which the underlying traffic content may not be malicious by itself, but which are explicitly forbidden by the usage policies of the administrative domain. This includes application protocol behaviors that violate common usage practices.
• Reconnaissance: all activities carried out for the purpose of intelligence gathering to prepare for further attacks; for example, a port scan or probe conducted to enumerate or identify services and possible vulnerabilities.

Note: All provided policies, except for the two All-Inclusive policies, enable attacks with a minimum Severity of 2 (Low) and a maximum Benign Trigger Probability of 4 (Medium). The Severity and Benign Trigger Probability settings exclude known noisy signatures in an effort to limit spurious alerts.

Rule Sets             Designed to Protect Against:
Default IDS           All attacks.
Default Inline IPS    All attacks and McAfee-recommended blocking of selected attacks.
Outside Firewall      All attacks except for the Reconnaissance category.
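As an added illustration that is not McAfee's code and not part of this manual, the following Python models how the Note's Severity / Benign Trigger Probability thresholds and the table's category exclusions decide which signatures a pre-configured policy enables; the Signature class, the sample signatures and the dictionary representation of the rule sets are assumptions made for the example.

```python
from dataclasses import dataclass

# Thresholds stated in the Note above (Severity 2 = Low, BTP 4 = Medium).
MIN_SEVERITY = 2
MAX_BENIGN_TRIGGER_PROBABILITY = 4


@dataclass(frozen=True)
class Signature:
    """Constructed representation of one attack signature (assumption)."""
    name: str
    category: str  # "DoS", "Exploit", "Policy Violation" or "Reconnaissance"
    severity: int
    benign_trigger_probability: int


# Categories a rule set leaves out, per the table above. Rule set names are
# the manual's; the dictionary form is an assumption of this example.
EXCLUDED_CATEGORIES = {
    "Default IDS": set(),
    "Default Inline IPS": set(),
    "Outside Firewall": {"Reconnaissance"},
}


def is_enabled(sig, rule_set, all_inclusive=False):
    """True if `sig` is enabled under `rule_set`.

    all_inclusive=True models the two All-Inclusive policies, which the
    Note says do not apply the Severity / BTP noise thresholds.
    """
    if sig.category in EXCLUDED_CATEGORIES.get(rule_set, set()):
        return False
    if all_inclusive:
        return True
    return (sig.severity >= MIN_SEVERITY
            and sig.benign_trigger_probability <= MAX_BENIGN_TRIGGER_PROBABILITY)


def enabled_signatures(signatures, rule_set, all_inclusive=False):
    """Names of the signatures that `rule_set` would enable, in input order."""
    return [s.name for s in signatures if is_enabled(s, rule_set, all_inclusive)]


# Constructed sample signatures; names and ratings are invented for illustration.
SAMPLE = [
    Signature("HTTP: Host Header Buffer Overflow", "Exploit", 4, 2),
    Signature("TCP: Port Scan", "Reconnaissance", 2, 3),
    Signature("SMTP: Informational Banner", "Policy Violation", 1, 4),  # too low severity
    Signature("DNS: Noisy Query Pattern", "Exploit", 3, 5),             # too noisy
]
```

Running `enabled_signatures(SAMPLE, "Outside Firewall")` shows the port-scan signature dropped by category and the two noisy ones dropped by threshold, which is the check to run when auditing why a given signature never alerts.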