McAfee 6.1 Marine Radio User Manual


 
McAfee® Host Intrusion Prevention 6.1 Product Guide
IPS Policies
IPS Rules policy details
Signatures
Signatures describe security threats, attack methodologies, and network intrusions.
Each signature has a default severity level, which describes the potential danger of an
attack:
High (red) — Signatures that protect against clearly identifiable security threats or
malicious actions. Most of these signatures are specific to well-identified exploits
and are mostly non-behavioral in nature. They should be prevented on every host.
Medium (orange) — Signatures that are behavioral in nature and deal with preventing
applications from operating outside of their environment (relevant for clients
protecting web servers and Microsoft SQL Server 2000). On critical servers, you
may want to prevent those signatures after fine-tuning.
Low (yellow) — Signatures that are behavioral in nature and shield applications.
Shielding means locking down application and system resources so that they
cannot be changed. Preventing yellow signatures increases the security of the
underlying system, but requires additional fine-tuning.
Information (blue) — Indicates a modification to the system configuration that might
create a benign security risk or an attempt to access sensitive system information.
Events at this level occur during normal system activity and generally are not
evidence of an attack.
Types of signatures
The IPS Rules policy can contain three types of signatures:
Host signatures — Default Host Intrusion Prevention Signatures (HIPS).
Custom host signatures — Custom HIPS that you create.
Network signatures — Default Network Intrusion Prevention Signatures (NIPS).
Host signatures
Host-based intrusion prevention signatures (HIPS) detect and prevent system
operations activity attacks, and include File, Registry, Service, and HTTP type rules.
They are developed by the Host Intrusion Prevention security experts and are delivered
with the product.
Each signature has a description and a default severity level. With appropriate privilege
levels, an administrator can modify the severity level of a signature or disable a
signature for client groups.
When triggered, host-based signatures generate an IPS event that appears in the
IPS Events tab.
Custom host signatures
Custom signatures are host-based signatures that you can create for additional
protection to suit your needs. For example, when you create a new directory with
important files, you can create a custom signature to protect it.
Network signatures
Network-based intrusion prevention signatures (NIPS) detect and prevent known
network-based attacks that arrive on the host system.