McAfee IntruShield IPS

Applies To: McAfee IntruShield Security Manager Version 4.1 and later.

Overview

EventTracker supports McAfee IntruShield IPS and it can be configured to send syslog to Event Tracker Enterprise.

McAfee IntruShield IPS Logging

Event Tracker Knowledge Pack for McAfee IntruShield IPS allows you to monitor following:-

• Monitoring multiple attacks and policy violation.
• Monitoring Signature detection and prevention.
• Monitoring Denial of Service(DoS) detection and prevention
• Monitoring IPS and internal firewall.

Previous Next

Once logs are received in to EventTracker, Alerts and reports can be configured into EventTracker.

Some of the Knowledge Packs available in EventTracker are listed below. For more information please refer Integration Guide.

Report:-

• McAfee Intrushield-IPS attack detail report - This report provides information related to intrusion attacks which includes attack name,attack source,attack destination,attack category,attack severity and attack status fields.

Alerts:-

• McAfee IntruShield IPS: Brute-force - This alert is generated when brute force attack occurs.
• McAfee IntruShield IPS: BACKDOOR attack - This alert is generated when BACKDOOR attack occurs.
• McAfee IntruShield IPS: Back Orifice trojan - This alert is generated when back orifice trojan is detected.
• McAfee IntruShield IPS: Exploit - This alert is generated when exploitation attack occurs.
• McAfee IntruShield IPS: Fingerprinting - This alert is generated when fingerprinting attack occurs.
• McAfee IntruShield IPS: FTP login alert - This alert is generated when FTP login occurs.
• McAfee IntruShield IPS: Host sweep - This alert is generated when host sweep event occurs.
• McAfee IntruShield IPS: MSSQL user login failed - This alert is generated when MSSQL user login failure occurs.
• McAfee IntruShield IPS: NBTSTAT scan - This alert is generated when NBTSTAT scan occurs.
• McAfee IntruShield IPS: Port-scan - This alert is generated when port-scan activity occurs.
• McAfee IntruShield IPS: RADIUS attack - This alert is generated when RADIUS attack occurs.
• McAfee IntruShield IPS: SITE EXEC exploit - This alert is generated when SITE EXEC exploit occurs.
• McAfee IntruShield IPS: SMTP worm spread via attachment - This alert is generated when SMTP worm spreads by attachment.
• McAfee IntruShield IPS: SQL system alert - This alert is generated when SQL system activity occurs.
• McAfee IntruShield IPS: Telnet login Brute force - This alert is when generated telnet login occurs by brute force.
• McAfee IntruShield IPS: Virus/worm file share spread - This alert is generated when virus/worm is spread by shared file.

Scope

The configuration details are consistent with EventTracker Enterprise version 7.X and later, and McAfee IntruShield IPS,IntruShield Security Manager Version 4.1 and later.

Documentation:

For more information please refer to the Integration guide.