McAfee M-1250 Network Protection - Page 25
How blocking works for exploit traffic, Verify dropped exploit attacks using the Threat Analyzer
McAfee® Network Security Platform 6.0

Block attacks

...offending packets, are the key method in discovering an exploit. An attack can have multiple signatures, which gives the Sensor more than one chance to detect it. Using the Policy Editor, you can select one or more attacks to block by choosing the Drop Packets response under / My Company / IPS Settings > Policies > IPS Policies. For more information on this procedure, see the IPS Configuration Guide.

How blocking works for exploit traffic

• The Sensor applies the configured inbound or outbound policy depending on the traffic direction, which is determined by the Sensor cabling and port configuration.

• The Sensor analyzes the traffic and, based on the policy, determines whether it is "good" (does not match an attack configured in the policy) or "bad" (matches an attack configured in the policy). If the traffic is bad, the Sensor applies the configured "drop packets" action. When Network Security Platform identifies a malicious flow, it blocks only that flow, not all traffic from the source IP; in this respect Sensor behavior differs from that of a firewall.

• For UDP and ICMP traffic, only the attack packet is blocked. For TCP traffic, the entire attack flow is blocked; we recommend that you also configure a TCP Reset action in the policy so that the flow is torn down at both ends rather than left waiting for dropped packets.

Note: When the Sensor is inline, TCP resets always go out the inline ports. Response ports are used only when the device is configured for tap or span mode.

Verify dropped exploit attacks using the Threat Analyzer

The Alert Result Status graph in the Threat Analyzer's Consolidated View displays the results of detected attacks, as determined either by the target's response (Successful, Failed) or by the action Network Security Platform took (Blocked). "Blocked" refers specifically to attacks that were dropped because of the policy's response settings. Within a Threat Analyzer query, you can see the number of attacks blocked during the query's time period.

• The result status "Blocked" increments once for each blocked attack.

• If you drill down by "Status" in a particular alert, the result status shows as "Blocked."

Block DoS traffic

Denial-of-Service (DoS) attacks interrupt network services by flooding a system or host with spurious traffic, which can overflow system buffers and force you to take the system offline for repairs. Sensors support both Learning-based and Threshold-based capabilities for combating DoS attacks. The Sensor uses its detection algorithms to differentiate bad DoS packets from good packets, and drops the bad packets when running in inline mode.

Note: The Sensor must be in detection mode to detect and block attacks.
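The blocking semantics in "How blocking works for exploit traffic" and the Blocked counter in "Verify dropped exploit attacks using the Threat Analyzer" are easy to misread as firewall-style source blocking. The following Python model, added here as an illustration and not McAfee code, makes the rules concrete: a TCP match blocks the whole flow (and sends a reset out the inline port, or the response port in tap/span mode, where the Sensor cannot drop at all), a UDP or ICMP match drops only the offending packet, other flows from the same source are untouched, and the Blocked status increments once per blocked attack rather than per dropped packet. The Packet/Policy/Sensor classes, the attack names, the addresses and the "Not blocked (alert only)" status label are all constructed for the example; the real product derives Successful/Failed from target-response analysis, which is not modeled.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Minimal packet view; all field names are hypothetical."""
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    sport: int               # 0 for icmp
    dport: int               # 0 for icmp
    direction: str           # "inbound" or "outbound", fixed by cabling/port config
    attack: Optional[str]    # signature name the packet matches, or None if clean


@dataclass
class Policy:
    drop: set                # attack names whose response is "Drop Packets"
    tcp_reset: bool = False  # also send a TCP Reset when a TCP flow is blocked


@dataclass
class Sensor:
    inbound: Policy
    outbound: Policy
    mode: str = "inline"     # "inline" can drop; "tap"/"span" can only alert and reset
    blocked_flows: set = field(default_factory=set)
    result_status: Counter = field(default_factory=Counter)
    resets: list = field(default_factory=list)   # (flow, port) pairs emitted

    def process(self, pkt: Packet) -> str:
        """Return the verdict for one packet: 'pass', 'drop' or 'alert'."""
        policy = self.inbound if pkt.direction == "inbound" else self.outbound
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

        # A TCP flow that is already blocked stays blocked; no new alert is raised.
        if flow in self.blocked_flows:
            return "drop"

        # Good traffic: nothing in the policy matched.
        if pkt.attack is None:
            return "pass"

        # Bad traffic, but the policy response for this attack is not "Drop Packets".
        if pkt.attack not in policy.drop:
            self.result_status["Not blocked (alert only)"] += 1
            return "alert"

        # Out of band (tap/span): the Sensor cannot drop, only alert and reset.
        if self.mode != "inline":
            self.result_status["Not blocked (alert only)"] += 1
            if pkt.proto == "tcp" and policy.tcp_reset:
                self.resets.append((flow, "response port"))
            return "alert"

        # Inline drop. The Blocked status increments once per blocked attack.
        self.result_status["Blocked"] += 1
        if pkt.proto == "tcp":
            # The whole flow is blocked from now on; other flows from pkt.src are untouched.
            self.blocked_flows.add(flow)
            if policy.tcp_reset:
                self.resets.append((flow, "inline port"))
        # For UDP and ICMP only this packet is dropped; nothing is remembered.
        return "drop"


def demo():
    """Constructed traffic mix exercising the rules above (example data only)."""
    pol = Policy(drop={"HTTP: Example overflow", "UDP: Example flood"}, tcp_reset=True)
    s = Sensor(inbound=pol, outbound=Policy(drop=set()))
    attacker, victim = "203.0.113.7", "192.0.2.10"
    verdicts = [
        # TCP attack packet: dropped, flow remembered, RST sent via the inline port.
        s.process(Packet(attacker, victim, "tcp", 40000, 80, "inbound", "HTTP: Example overflow")),
        # Next packet of the same TCP flow with no signature match: still dropped.
        s.process(Packet(attacker, victim, "tcp", 40000, 80, "inbound", None)),
        # A different flow from the same source passes (flow blocking, not a firewall).
        s.process(Packet(attacker, victim, "tcp", 40001, 443, "inbound", None)),
        # UDP attack packet: dropped ...
        s.process(Packet(attacker, victim, "udp", 5000, 53, "inbound", "UDP: Example flood")),
        # ... but the next packet on the same UDP 5-tuple passes.
        s.process(Packet(attacker, victim, "udp", 5000, 53, "inbound", None)),
        # Outbound match on an attack the outbound policy does not drop: alert only.
        s.process(Packet(victim, attacker, "tcp", 80, 40002, "outbound", "HTTP: Example overflow")),
    ]
    return verdicts, dict(s.result_status), s.resets


if __name__ == "__main__":
    verdicts, status, resets = demo()
    print("verdicts:", verdicts)
    print("result status:", status)
    print("resets:", resets)
```

When comparing the Threat Analyzer's Blocked count against packet captures, count attacks, not packets: in the model above the TCP flow produces two dropped packets but a single Blocked increment, which is the same relationship the Alert Result Status graph shows.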