IPS Feature Guide
Release 7.6
FireEye and the FireEye logo are registered trademarks of FireEye, Inc. in the United States and other
countries. All other trademarks are the property of their respective owners.
FireEye assumes no responsibility for any inaccuracies in this document. FireEye reserves the right to
change, modify, transfer, or otherwise revise this publication without notice.
Release 7.6
Revision 1
Website: www.fireeye.com
Support Email: support@fireeye.com
Phone:
United Kingdom: 44.203.106.4828
Other: 408.321.6300
Contents
IPS Features
Enabling IPS Capabilities
Dashboard > What's Happening
Dashboard > IPS Trend
Alerts > Hosts Page
Alerts > Alerts Page
Alerts > Callback Activity Page
IPS POLICIES
Displaying Details About IPS Policies Applied to Monitoring Interfaces (CLI)
ips apply
ips auto-update enable
ips brute-force threshold
ips detail-filter
ips policy
policymgr signature
IPS Features
FireEye Integrated Intrusion Prevention System (IPS) features can be added to an NX Series appliance to optimize
network security and enable compliance. The combination of signature-based and signatureless technologies
protects against known and unknown threats, reduces false alerts, and highlights attacks hidden within the noise.
When you activate IPS features, the NX Series appliance capabilities expand to detect Web-borne threats that use
a variety of protocols and can attack clients, servers, or both. Configurable, policy-based selection of the security
content rules in the appliance's IPS rules database, combined with automatic correlation of detected threats and
verified attacks, ensures that IPS alerts point to actionable activity.
The NX Series subsystem builds its database of security content rules in several ways:
• Locally generated and custom rules—Based on the Web traffic that the NX Series appliance monitors in your
network, the appliance's rules engines continuously expand the appliance's database of organically generated
content rules. Each rule specifies a malware fingerprint, criteria for matching the rule to monitored data
packets, and the actions that the appliance is to take on a matched packet. You can also upload custom rules
so that your appliance detects and generates alerts for specific traffic patterns that you identify.
• Enterprise-wide rules—If you use FireEye's CM Series appliance to centrally manage multiple NX Series
appliances, EX Series appliances, and security content updates, NX Series content rules are shared among
your integrated appliances.
• Dynamically generated rules—Using malware intelligence information shared by customers that connect to
FireEye's Dynamic Threat Intelligence (DTI) cloud, FireEye analyzes code for malicious intent and creates a
fingerprint of all confirmed malware. If you enable a network connection from your NX Series appliance to the
DTI cloud, FireEye automatically pushes dynamically generated content rules to your appliance in real time.
NOTE: All FireEye appliances can download security content, software updates, and software patches from the
FireEye DTI cloud. You can also choose to send anonymized threat intelligence information from the
NX Series appliance to the global subscriber base via the DTI cloud.
The patented Multi-Vector Virtual Execution (MVX) engine, the core of all FireEye platforms, accurately confirms
zero-day and targeted advanced persistent threat (APT) attacks. The threat verification performed by the
MVX engine enables the standard NX Series appliance to protect your client systems against known malware as
well as zero-day malware attacks, while triggering near-zero false positive alerts.
NX Series Platform With IPS: Client and Host Protection Across Multiple Protocols
The addition of IPS features extends the NX Series appliance's scope of protection beyond client-centric HTTP-
based malware. IPS features use signature-based content rules to detect client-centric and server-centric attacks
over multiple protocols. To activate IPS processing, you add a FireEye IPS license to the appliance and then apply
a set of IPS security content rules to the network traffic that passes through the monitoring interfaces. The
characteristics of the security content rules applied at an interface are determined by the IPS policy you select for
that traffic flow.
IPS features include a set of default IPS policies that specify basic IPS rule-selection criteria. The default policies
support initial baseline profiling and all basic deployment scenarios. As an option, based on the profile of
IPS alerts triggered, the content of your Web traffic, and your corporate Web use policies, you can create custom
IPS policies to fine-tune the selection of IPS rules applied to your network traffic.
The default IPS policies select IPS rules using the following criteria:
• Attack target (client, server, or both) to which the IPS rule applies
• Attack severity level range (1 through 10, or a narrower range) to which the IPS rule applies
A custom IPS policy enables you to specify more fine-grained criteria for selecting IPS rules:
• Additional match criteria (attack protocol, attack category, or attack category and subcategory)
Just as you can with standard NX Series content rules, you can share dynamically created IPS rules across
centrally managed NX Series appliances in the enterprise. Similarly, you can automatically download dynamically
created IPS rules to the appliance database. You can also enable a global option that automatically re-evaluates
active IPS policies against new IPS rules and then adds matched new rules at the active monitoring interfaces.
The platform inspects IPS events in the MVX engine, using the same virtual execution environment as the
original session that contained the matched traffic. If the result of MVX verification shows the IPS event to be
non-malicious, the platform categorizes the event as a non-attack.
The IPS-enabled rules engine uses IPS brute-force rules to detect repeated failed login attempts. The engine also
detects common password-stealing and password-guessing mechanisms, such as dictionary attacks. When a brute-
force attack is found, the platform triggers a brute-force event.
An IPS-enabled platform can detect reconnaissance activity in progress early in the threat life cycle before intruders
gain a full understanding of your network. The platform detects ping sweeps and port scans that target ports, hosts,
or networks. When suspicious activity reaches a threshold, the platform triggers a ping sweep event or a port scan
event.
When deployed inline, an IPS-enabled platform prevents exploits and attacks that have been disguised by advanced
evasion techniques (AETs). Before the platform applies policy-selected signature rules to your monitored traffic, its
IPS-enabled rules engine preprocesses the traffic, detecting instances of AETs and normalizing the disguised content
so that the signature rules can match it. An inline-deployed IPS-enabled platform with monitoring interfaces
configured for inline blocking prevents network attacks disguised by advanced evasion techniques that attempt to
bypass signature rules.
The following sections describe the event and alert types that an NX Series appliance generates:
• Malware Events
• Malware Alerts
• IPS Events
• IPS Alerts
Malware Events
A standard NX Series appliance (or an IPS-enabled appliance without IPS rules activated against a monitoring
interface) automatically monitors the network traffic that passes through all monitoring interfaces, checking for
client-targeting malware delivered via HTTP and detecting suspicious callbacks over multiple protocols. By default
and without entailing any configuration settings, the NX Series appliance automatically performs malware detection
based on standard NX Series security content rules.
When operating in standard mode without IPS features activated, the NX Series appliance uses all the malware
detection security content rules—FireEye-provided, locally generated, and dynamically generated signature-based
rules—in the appliance rules database. If you have incorporated custom security content rules for malware
detection, the NX Series appliance also applies those rules to all monitoring interfaces.
Malware Alerts
Malware events detected by the standard NX Series signature-based rules engine identify various incidents as they
correlate to specific phases of the malware infection life cycle. The platform sends the suspected exploits to the
Multi-Vector Virtual Execution (MVX) engine for detonation and second stage analysis. The MVX engine provides
dynamic, real-time analysis of advanced malware. The MVX engine captures and confirms zero-day and targeted
advanced persistent threat (APT) attacks by detonating suspicious files and Web objects within virtual machine
environments. Because the MVX engine operates in an isolated and virtualized network, this traffic remains internal
to the appliance.
Signature-less verification within the purpose-built MVX engine means that the standard NX Series rules for
malware detection raise near-zero false positive events. The standard NX Series platform automatically applies its
entire database of standard NX Series rules to network traffic at all appliance monitoring ports with no filtering or
other tuning required.
To investigate MVX-verified malware events, you can filter or sort the list of alerts in the Web UI Alerts page and
drill down for more details about specific alerts. For more information, see the NX Series Threat Management
Guide.
IPS Events
If you apply an IPS policy to monitoring interfaces on an IPS-enabled platform, the system uses IPS rules—in
addition to the FireEye-provided and locally generated standard NX Series signature rules—to analyze the traffic
passing through those ports. The system uses the IPS rules to detect traffic patterns that indicate the delivery of
potential client-targeting and server-targeting threats to your environment over multiple protocols.
You can configure NX Series notification settings to distribute IPS events automatically by SMTP email, by posting
to Web servers, by logging messages to remote syslog servers, or by sending traps to SNMP servers.
To investigate suspicious traffic flows detected by IPS rules, you can filter or sort the list of events in the IPS Events
page and drill down for more details about specific events. For more information, see IPS Events Page and
IPS Events Page Drill-Down View.
The Web UI lists IPS alerts (IPS events that correlate with MVX-verified malware alerts) in both the Alerts page and
the IPS Events page.
For more information, see IPS Events Page, Alerts > Hosts Page, and Alerts > Alerts Page.
NOTE: If an IPS event is detected on a monitoring interface configured for inline deployment mode, and if the event
was triggered by an IPS rule match on traffic that was blocked, the platform is unable to correlate the IPS event with
MVX-verified malware alerts. The blocking action causes all subsequent packets in that session to be dropped, and
consequently the signature-based rules engine cannot send objects from the suspicious traffic flow to the MVX
engine for confirmation of the client-targeting attack. Without this MVX verification component, the IPS-enabled
rules engine cannot determine whether the IPS event qualifies as an IPS alert.
IPS alerts: In the IPS Events page, IPS alerts are identified by an IPS alert badge (badge image not reproduced here).
IPS events verified as non-malicious: In the IPS Events page, IPS events that have been verified to be non-malicious
are identified by a separate badge (badge image not reproduced here).
NX Series CLI Support for IPS Features (IPS-Enabled Platforms Only)
Inline packet inspection: The following commands enable or disable email notification of state changes (stopping
and starting) of the inline packet inspection process:
• email notify event inline-engine-down (Option for IPS)
• email notify event inline-engine-up (Option for IPS)
IPS event notification: The following commands manage notifications for IPS events:
• fenotify alert ips-event (Option for IPS)
• fenotify preferences ips-delivery-mode
• show fenotify alerts (Output for IPS)
• show fenotify preferences
IPS policy configuration: The following commands manage custom IPS policies:
• ips policy
• ips policy clone
• ips policy match
• ips policy rules
• show ips policies
IPS policy application: The following commands manage and display the associations of IPS policies to interfaces:
• ips apply
• show ips interfaces
• show policymgr signatures
Inline blocking mode: The following commands disable, allow, or force blocking actions for all IPS rules:
• ips blockmode disabled
• no ips blockmode
• ips blockmode all
Auto-addition of new IPS rules to active interfaces: The following command enables or disables automatic addition
of new IPS rules to active IPS policies:
• ips auto-update enable
IPS detection of reconnaissance activity and brute-force attacks: The following commands enable and configure
IPS detection of reconnaissance activity and brute-force attacks:
• ips brute-force threshold
• ips detail-filter
• ips reconnaissance enable
• ips reconnaissance threshold
• show ips reconnaissance
Procedure
1. To access the FireEye Appliance login page for your NX Series appliance, open a supported Web browser
and enter https://appliance in the address box, where appliance is the IP address or hostname of your
appliance.
2. Verify that your NX Series model supports IPS features. IPS features are supported on NX 900, NX 1400,
NX 2400, NX 4400/4420, NX 7400/7420, and NX 10000 appliances running Release 7.2.0 software or newer.
o The appliance model information appears in the About > Health Check page, within the
System Information section. See the Model field.
o The installed version of the appliance image appears in the About > Update page, in the
Appliance Image row. See the Installed Version field.
3. Verify that the appliance can connect to FireEye's DTI cloud, as described in the NX Series System
Administration Guide.
The following list summarizes security content update requirements for a standalone NX Series appliance.
o The appliance communicates with the DTI cloud through its ether1 Ethernet management interface, and
the ether1 port requires a static IP address or reserved DHCP address and IP subnet mask.
o Your network configuration must allow the appliance to establish outbound connections from the
management interface over UDP port 53 (DNS) and TCP port 443 (HTTPS) to the Internet and exchange data
encrypted via 256-bit SSL (Secure Sockets Layer).
NOTE: These communications port requirements are in addition to the basic requirements that network
configuration must allow the appliance management port to be accessed via TCP port 22 (for the SSH
command-line interface) and TCP port 443 (for the HTTPS Web user interface).
o Your network configuration must allow the appliance to connect to cloud.fireeye.com. If your network
configuration includes domain-based proxy ACL rules, ensure that the rules allow access to the
*.fireeye.com domain.
o Receiving security content updates from the DTI cloud requires login credentials. If you do not have DTI
cloud login credentials, contact support@fireeye.com or visit the FireEye Customer Support Portal (login
required): http://www.fireeye.com/support/.
4. Verify that your appliance is licensed for security content updates. Open the Settings > Appliance Licenses
page to display information about licenses on the appliance. Security content updates are enabled if the
Appliance License Settings table displays a license for the "CONTENT_UPDATES" feature, and the license is
both "valid" and "active".
If you do not have a license for security content updates, contact support@fireeye.com or visit the FireEye
Customer Support Portal (login required): http://www.fireeye.com/support/.
5. (Recommended) Schedule automatic updating of security content. The following steps summarize the more
detailed information provided in the NX Series System Administration Guide.
a. Open the Settings > DTI Network page to display settings for the FireEye services installed on the
appliance.
b. In the Service Type column, click the Security Contents link to display the scheduling settings in the
Settings column.
c. Use the Update Frequency field to specify how often the appliance receives automatic updates of
security content.
d. If you want to enable or disable notifications of security content uploads, select or clear the option in the
Notify field.
Go to Enabling IPS Capabilities.
Procedure
You can access the CLI from your computer through a direct connection (from a null modem cable to the
appliance's DB-9 serial console port) or remotely (through a secure shell [SSH] connection over port 22 to the
appliance's ether1 management port).
2. Verify that your NX Series model supports IPS features. IPS features are supported on NX 900, NX 1400,
NX 2400, NX 4400/4420, NX 7400/7420, and NX 10000 appliances running Release 7.2.0 software or newer.
To verify the appliance model and software version, check the Product model and Product release fields in
the output of the show version command.
3. Verify that the appliance can connect to FireEye's DTI cloud, as described in the NX Series System
Administration Guide.
The following list summarizes the requirements for security content updates for a standalone NX Series
appliance.
o The appliance communicates with the DTI cloud through its ether1 Ethernet management interface, and
the ether1 port requires a static IP address or reserved DHCP address and IP subnet mask.
o Your network configuration must allow the appliance to establish outbound connections from the
management interface over UDP port 53 (DNS) and TCP port 443 (HTTPS) to the Internet and exchange data
encrypted via 256-bit SSL (Secure Sockets Layer).
NOTE: These communications port requirements are in addition to the basic requirements that network
configuration must allow the appliance management port to be accessed via TCP port 22 (for the SSH
command-line interface) and TCP port 443 (for the HTTPS Web user interface).
o Your network configuration must allow the appliance to connect to cloud.fireeye.com. If your network
configuration includes domain-based proxy ACL rules, ensure that the rules allow access to the
*.fireeye.com domain.
o Receiving security content updates from the DTI cloud requires login credentials. If you do not have DTI
cloud login credentials, contact support@fireeye.com or visit the FireEye Customer Support Portal (login
required): http://www.fireeye.com/support/.
4. Verify that your appliance is licensed for security content updates. The security content updates service license
is in place if the show licenses CLI command output displays a license for the "CONTENT_UPDATES"
feature, and the license is both "valid" and "active".
If you do not have a license for security content updates, contact support@fireeye.com or visit the FireEye
Customer Support Portal (login required): http://www.fireeye.com/support/.
Go to Enabling IPS Capabilities.
Enabling IPS Capabilities
This section covers the following information:
NOTE: After you enable IPS capabilities on an appliance, you must explicitly activate IPS features on the appliance
by applying IPS policies to monitoring interfaces. This task is described in Activating IPS Processing.
If you remove the IPS license, the platform is no longer IPS-enabled. If you re-apply the IPS license, the platform is
IPS-enabled again, and the platform re-applies any IPS policies that were active at the time you removed the IPS
license.
If an IPS-licensed appliance does not have the requisite IPS rules installed, you cannot apply IPS policies to
appliance monitoring interfaces. Similarly, if an IPS-licensed appliance does not have the requisite version of guest
images installed, the appliance cannot perform MVX verification.
NOTE: If you upgrade the software version on an NX Series appliance from Release 7.0.2 or 7.1.0 software to
Release 7.2.0 software, the upgrade process automatically downloads security content to the appliance database.
Therefore, as a prerequisite to upgrading to Release 7.2.0 software, the appliance must have a valid and active
license for the Content Updates service.
In a single-appliance deployment, the NX Series appliance can download security content updates (as well as
software updates and software patches) from FireEye via a network connection to the FireEye Dynamic Threat
Intelligence (DTI) cloud. For an NX Series appliance in a central management system (CMS) domain, the
CM Series appliance obtains update files from the DTI cloud and distributes them to the connected appliances.
You can enable or disable IPS capabilities by using either the Web UI or the CLI to add or remove the IPS license
key.
NOTE: After you enable IPS capabilities, the Web UI prompts you to apply IPS policies to monitoring interfaces on
the appliance. The steps in this procedure recommend that you exit from this prompt. You can apply IPS policies
later by using the Settings > IPS page or by using CLI commands.
Prerequisites
Procedure
2. Enter your IPS license key in the License Key text box, and then click Add License.
If no monitoring interface is associated with an IPS policy, a dialog box informs you that the IPS license is
successfully added.
3. If this dialog box appears, click No, I will do it later. Within the sequence of tasks in Setting Up IPS Features,
you will configure other IPS settings (such as IPS event notifications) before you apply IPS policies to
monitoring interfaces on the appliance.
Prerequisites
Procedure
In the following example, the show licenses command output shows that three licenses are installed on the
appliance, but no IPS license is installed.
License 2: LK2-FIREEYE_SUPPORT-2222-2222-2222-2222-2222-2222
Feature: FIREEYE_SUPPORT
Description: FireEye support
Valid: yes
Active: yes
License 3: LK2-CONTENT_UPDATES-3333-3333-3333-3333-3333-3333-3333-3333
Feature: CONTENT_UPDATES
Description: Content updates
Valid: yes
Sharing: all (ok)
Active: yes
3. Add the IPS license key to your appliance, as shown in the following example.
The following example shows that an IPS license is the last license added to the appliance.
License 3: LK2-CONTENT_UPDATES-3333-3333-3333-3333-3333-3333-3333-3333
...
License 4: LK2-IPS-4444-4444-4444-4444-4444-4444-4444-4444
Feature: IPS
Description: IPS feature
Valid: yes
Tied to product: MPS (ok)
Active: yes
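The Web UI check in step 4 of the prerequisites and the show licenses check above test the same condition: a license for the feature is listed, and it is both valid and active. As an added example (not code from the FireEye guide), the following Python script parses show licenses output captured from an SSH session and reports whether the CONTENT_UPDATES and IPS licenses meet that condition. The sample output is constructed from the listing on this page; its field names (License N:, Feature:, Valid:, Active:, Sharing:, Tied to product:) are the ones the page shows, and the license keys are dummy values.

```python
"""Check `show licenses` output from an NX Series appliance for the licenses the
IPS setup procedure requires (CONTENT_UPDATES and IPS).

Added example, not code from the FireEye guide. The parser assumes the record
layout shown in the guide: a "License N: KEY" line followed by "Field: value"
lines, and that a license counts as in place only when both "Valid" and
"Active" are "yes".
"""
import re

# Constructed sample, modelled on the guide's listing (License 1 is omitted,
# as it is on the page). The keys are dummy values, not real license keys.
SAMPLE_OUTPUT = """\
License 2: LK2-FIREEYE_SUPPORT-2222-2222-2222-2222-2222-2222
  Feature: FIREEYE_SUPPORT
  Description: FireEye support
  Valid: yes
  Active: yes
License 3: LK2-CONTENT_UPDATES-3333-3333-3333-3333-3333-3333-3333-3333
  Feature: CONTENT_UPDATES
  Description: Content updates
  Valid: yes
  Sharing: all (ok)
  Active: yes
License 4: LK2-IPS-4444-4444-4444-4444-4444-4444-4444-4444
  Feature: IPS
  Description: IPS feature
  Valid: yes
  Tied to product: MPS (ok)
  Active: yes
"""

# Licenses that must be present, valid and active before IPS policies can be
# applied: content updates supply the IPS rules, the IPS license enables the
# feature itself.
REQUIRED_FEATURES = ("CONTENT_UPDATES", "IPS")

LICENSE_HEADER = re.compile(r"^License\s+(\d+):\s*(\S+)\s*$")
FIELD_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_show_licenses(text):
    """Return one dict per license, keyed by lower-cased field name."""
    licenses = []
    current = None
    for line in text.splitlines():
        header = LICENSE_HEADER.match(line.strip())
        if header:
            current = {"number": int(header.group(1)), "key": header.group(2)}
            licenses.append(current)
            continue
        field = FIELD_LINE.match(line)
        if field and current is not None:
            current[field.group(1).strip().lower()] = field.group(2)
    return licenses


def license_report(text):
    """Map each required feature to (present, usable).

    usable is True only when the license is both valid and active, which is
    the condition the guide gives for treating a license as in place.
    """
    by_feature = {lic.get("feature"): lic for lic in parse_show_licenses(text)}
    report = {}
    for feature in REQUIRED_FEATURES:
        lic = by_feature.get(feature)
        if lic is None:
            report[feature] = (False, False)
        else:
            usable = lic.get("valid") == "yes" and lic.get("active") == "yes"
            report[feature] = (True, usable)
    return report


def missing_prerequisites(text):
    """Return the required features that are absent, invalid or inactive."""
    return [f for f, (_, usable) in license_report(text).items() if not usable]


if __name__ == "__main__":
    for feature, (present, usable) in license_report(SAMPLE_OUTPUT).items():
        print(f"{feature}: present={present}, valid and active={usable}")
    print("missing:", missing_prerequisites(SAMPLE_OUTPUT) or "none")
```

Save the real show licenses output to a file and pass its contents to missing_prerequisites; an empty list means both licenses are in place, and any feature it returns is the one to take up with support before continuing with Enabling IPS Capabilities.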
• IPS event notifications sent by rsyslog include all severity levels (1 through 10).
• IPS event notifications sent by email, HTTP, or SNMP are limited to IPS critical events (severity levels 7 through
10) and IPS alerts (MVX-correlated IPS events).
You can configure when IPS event notifications are sent by using either the Web UI or the CLI.
Prerequisites
• Set the default time zone for event notifications, as described in the NX Series System Administration Guide.
• Enable and configure the notification services you will use for IPS event notifications:
Email
IPS critical event notifications are sent by email to one or more addresses using SMTP.
Configure email settings for administrative events, as described in "Configuring Administrative Email
Settings Using the Web UI" in the NX Series System Administration Guide.
To configure SMTP for event notifications, open the Settings > Notification page, click the email
column heading, and then configure the settings that appear in the Settings column and also in a
separate panel below the main table. For details, see "Configuring Email Notifications" in the NX Series
Threat Management Guide.
Web server
IPS critical event notifications are posted to one or more Web servers.
To configure Web servers for event notifications, open the Settings > Notification page, click the http
column heading, and then configure the settings that appear in the Settings column and also in a
separate panel below the main table. For details, see "Configuring HTTP Notifications" in the NX Series
Threat Management Guide.
SNMP
IPS critical event notification traps are sent to one or more SNMP servers.
To configure an SNMP server for event notifications, open the Settings > Notification page, click the
snmp column heading, and then configure the settings that appear in the Settings column and also in a
separate panel below the main table. For details, see "Configuring SNMP Notifications" in the
NX Series Threat Management Guide.
Procedure
In the following example, all FireEye event notification methods are enabled, and all event types except IPS
events are enabled for notification:
2. Enable notification methods for critical and major IPS events by selecting options in the IPS Critical row:
• To enable or disable all notification methods for IPS events, select or clear the option in the Global
column. If you select this option, you can enable or disable IPS event notification for any notification
method. If you clear this option, you cannot enable IPS event notifications for any notification method.
• To enable email notifications for IPS critical events, select the option in the email column.
• To enable Web server notifications for IPS critical events, select the option in the http column.
• To enable remote syslog server notifications for IPS critical, major, or minor events, select the option in the
rsyslog column.
• To enable SNMP traps for IPS critical events, select the option in the snmp column.
3. To configure a notification method, click the link in the column heading. Then configure the settings that appear
in the Settings column and also in a separate panel below the main table. For more detailed information, see
the NX Series System Administration Guide.
4. To enable or disable daily digest mode for email notifications, click Enable or Disable next to the "Daily Digest"
message below the table. To change the time the digest is sent, choose a new time and click Update.
Prerequisites
• Use the fenotify enable CLI command in configuration mode to enable FireEye notifications.
• Use the fenotify default timezone CLI command in configuration mode to set the default time zone for event
notifications. For more information, see the NX Series System Administration Guide and the
FireEye CLI Command Reference.
• Enable and configure the notification services you will use for IPS event notifications:
Email
IPS critical event notifications are sent by email to one or more addresses using SMTP.
Configure email settings for administrative events, as described in "Configuring Administrative Email
Settings Using the CLI" in the NX Series Threat Management Guide.
To configure SMTP for event notifications, use the fenotify email default, fenotify email enable, and
fenotify email service commands.
Web server
IPS critical event notifications are posted to one or more Web servers.
To configure Web servers for event notifications, use the fenotify http default, fenotify http enable, and
fenotify http service commands.
SNMP
IPS critical event notification traps are sent to one or more SNMP servers.
To configure an SNMP server for event notifications, use the fenotify snmp default, fenotify snmp
enable, and fenotify snmp service commands.
Procedure
• To enable IPS event notification for a notification protocol, enter the fenotify command, and specify a
notification protocol followed by the alert ips-event enable options.
• To disable IPS event notification for a notification protocol, use the no form of the command.
The following example commands enable sending notifications of IPS critical events by email, posting to Web
servers, logging messages to a remote syslog server, and by SNMP traps:
NOTE: Major-severity and minor-severity IPS events are supported for remote syslog servers only.
• instant—Send notification only when an IPS event is detected. This is the default value.
• confirmation—Send notification only when an attack has been confirmed (either positive or negative).
• dual—Send notifications both when an IPS event is detected and when an attack has been confirmed.
By default, the system is configured to use instant delivery mode, which is useful in an organization that archives
notifications and then filters and analyzes the information later. When you first activate IPS features, we recommend
that you use dual mode so that you see both detection and confirmation of IPS events. If your organization does not
archive the volume of notifications generated in this mode, you can decrease the volume of notifications by using
confirmation mode.
You can configure when IPS event notifications are sent by using either the Web UI or the CLI.
When you first activate IPS features, we recommend that you use dual delivery mode for IPS event notification
instead of the default instant delivery mode. The dual mode enables you see both detection and confirmation of
IPS events. For more information about all delivery modes, see IPS Event Notifications.
Prerequisites
• Configure FireEye notifications for IPS events. For more information, see Configuring How IPS Event
Notifications Are Sent.
Procedure
2. In the Event Type column, select the IPS event notification, and then select the delivery mode:
• instant—Send notification only when an IPS event is detected. This is the default value.
• confirmation—Send notification only when an attack has been confirmed (either positive or negative).
• dual—Send notifications both when an IPS event is detected and when an attack has been confirmed.
When you first activate IPS features, we recommend that you use dual mode.
Go to Configuring Notification of Inline Packet Processing State Change (CLI). You cannot configure this option
from the Web UI.
When you first activate IPS features, we recommend that you use dual delivery mode for IPS event notification
instead of the default instant delivery mode. The dual mode enables you see both detection and confirmation of
IPS events. For more information about all delivery modes, see IPS Event Notifications.
Prerequisites
• Configure FireEye notifications for IPS events. For more information, see Configuring How IPS Event
Notifications Are Sent.
Procedure
• instant—Send notification only when an IPS event is detected. This is the default value.
• confirmation—Send notification only when an attack has been confirmed (either positive or negative).
• dual—Send notifications both when an IPS event is detected and when an attack has been confirmed.
When you first activate IPS features, we recommend that you use dual mode.
Go to Configuring Notification of Inline Packet Processing State Change (CLI). You cannot configure this option
from the Web UI.
Prerequisites
Before you configure an IPS-enabled platform for email notification when the inline packet inspection process starts
or stops, perform the following prerequisite tasks:
• Use the fenotify default timezone CLI command in configuration mode to set the default time zone for FireEye
notifications. For more information, see the NX Series System Administration Guide and the
FireEye CLI Command Reference.
• Configure email settings for administrative events, as described in "Configuring Administrative Email Settings
Using the CLI" in the NX Series Threat Management Guide.
Procedure
To configure email notifications for inline packet inspection process state changes:
1. Enter CLI configuration mode.
2. Check the email settings for administrative events by entering the show email command.
In the following example, email notifications for administrative events are configured to be sent to the email
address my-first.my-last@my-domain.com.
Autosupport emails
Enabled: yes
Recipient: eng-autosupport@fireeye.com
Mail hub: owa.fireeye.com
Security mode: tls-none
Verify server cert: yes
Supplemental CA list: default-ca-list
SMTP authentication: disabled
3. Enable or disable notifications when the inline packet inspection process stops. Enter one of the following
forms of the email notify event command:
l To enable notifications when the inline packet inspection process stops, enter the email notify event
command, and specify the inline-engine-down parameter.
l To disable this notification option, enter the no form of the command.
The following example command enables notifications when inline packet inspection processing stops.
4. Enable or disable notifications when the inline packet inspection process starts. Enter one of the following
forms of the email notify event command:
l To enable notifications when the inline packet inspection process starts, enter the email notify event
command, and specify the inline-engine-up parameter.
l To disable this notification option, enter the no form of the command.
When an IPS rule matches a traffic flow, the action taken on the traffic flow is determined by the IPS blockmode
setting on the appliance and the blocking action specified by the matched IPS rule. By default, IPS-enabled
appliances operate with IPS blockmode enabled. When an IPS rule matches a traffic flow, the system blocks or
allows the traffic as specified by the block action of the rule. For a detailed description of IPS blockmode, see
Options to Disable or Force Blocking for All IPS Rules.
During the initial baselining phase for your IPS deployment, you will likely use one or both of the non-default
settings for IPS blockmode:
l Observing IPS rules on an established NX Series appliance—If you are activating IPS for the first time on an
existing deployment of an NX Series appliance, we recommend that initially you operate the platform in
monitoring-only mode. With IPS blockmode disabled, the system generates IPS events, IPS alerts, and IPS
notifications, but no traffic is blocked.
l Testing IPS rules against known traffic—If you are testing the accuracy of every rule in an IPS policy by
running the policy against known test traffic, all IPS rules must be blocking. For this type of testing,
configure the platform to force blocking for all IPS rules.
After you complete these types of initial testing, be sure to re-enable IPS blockmode. Otherwise, your system will
continue to pass all matched traffic or block all matched traffic,
Prerequisites
Procedure
2. Configure the appliance to disable or force IPS blocking, depending on your evaluation needs.
3. (Recommended) Customize appliance login messages to notify users that blocking actions are either disabled
or forced for all IPS rules active on the appliance. You can configure three types of login messages:
l Local banner—Text that appears after the username is entered in the CLI session.
l Remote banner—Text that appears in the Web UI and SSH login pages.
l Message of the Day—Text that appears after a user is authenticated and logged in to the CLI.
l Comprehensive—Detects client-directed and server-directed threats of all severity (levels 1 through 10).
For detailed information about default IPS policies, see IPS Policies. For detailed information about selecting the
IPS rules that analyze your network traffic, see Applying an IPS Policy to Monitoring Interfaces.
You can activate IPS processing by using either the Web UI or the CLI.
Prerequisites
Procedure
In the following example, IPS is enabled but no IPS policies are applied to the appliance monitoring interfaces.
When no IPS policies are active, the appliance functions as a standard NX Series appliance.
2. In the row for the IPS policy you want to apply, click Apply Policy in the Actions column.
NOTE: When you first activate IPS features, we recommend that you use the FireEye_Default IPS policy.
3. Select the monitoring interfaces you want to associate with the policy.
The table row for the IPS policy reflects your configuration changes:
l The Active on Interface column displays the letter designator for the interface associated with the policy.
l The Rules Enabled column displays the number of IPS rules in the appliance database that match the
selection criteria specified by the policy. To see a list of the active rules, you can generate the IPS Policy
Configuration Summary report or the IPS Policy Configuration Details report.
l The Actions column displays the actions available for the policy.
After a few minutes, IPS event detection results are displayed in the Web UI and are available in reports.
Prerequisites
Before you begin activating IPS features with default IPS policies, perform the following prerequisite tasks:
Procedure
2. Display the appliance interfaces and the current application of IPS policies to appliance interfaces.
In the following example, the appliance has two monitoring interfaces and no IPS policies are active on the
interfaces.
NOTE: For IPS-enabled platforms deployed in environments with asymmetric routing, apply the same IPS
policy to both monitoring interfaces. Then, if the request and response packets of a flow traverse separate links to
the two monitoring interfaces, the platform applies the same IPS rules to the upstream and downstream traffic.
In the following example, the IPS policy named FireEye_Default is applied to interface A, and the IPS policy
named Comprehensive is applied to interface B.
4. After a few minutes, IPS event detection results are displayed in the Web UI and are available in reports.
When the IPS-enabled rules engine matches a traffic flow to an active IPS rule, the platform generates an IPS event.
For client-targeted IPS events that correlate with MVX-verified malware alerts, the platform triggers IPS alerts.
l IPS events and IPS alerts are listed in the IPS Events page.
l IPS alerts for client-targeted attacks are listed in the Alerts page, in both the Hosts page and the Alerts page.
l From the Reports page, you can generate IPS-specific reports that contain summaries and detailed
information about HTTP-based malware alerts, IPS alerts, and IPS events.
l If you configured FireEye event notifications for IPS events, notifications are sent using the notification methods
you configured.
You can use this information to determine how to customize your configuration of IPS packet processing.
Prerequisites
Before you begin analyzing initial IPS results, perform the following prerequisite tasks:
Procedure
The IPS Events page lists all IPS events detected by the platform within the time frame specified in the
Duration fields.
If an entry represents one or more MVX-correlated IPS events (IPS alerts), the following badge appears in the
Badges column:
If an entry represents one or more IPS events that have been verified to be non-malicious, the following badge
appears in the Badges column:
2. To display a list of all alerts triggered on the appliance, select the Alerts page. Different pages list malware
alerts (MVX-verified malware events), IPS alerts (MVX-correlated IPS events), and callback events.
Alerts > Hosts
This page lists all malware alerts and IPS alerts, grouped by victim IP address and attack rule name.
Multiple alerts associated with the same victim and signature rule are combined in a single entry. If an
entry represents one or more IPS alerts, the following badge appears in the IPS column:
Alerts > Alerts
This page lists all malware alerts and IPS alerts, grouped by attack rule name only. Multiple alerts
associated with the same signature rule are combined in a single entry. If an entry represents one or
more IPS alerts, the following badge appears in the IPS column:
Alerts > Callback Activity
This page lists all callback events associated with a malware alert. For more information, see
Alerts > Callback Activity Page.
3. For a high-level view of the IPS-specific threat intelligence gathered by the IPS-enabled platform, select the
Dashboard page and view the following dashboard panels:
What's Happening
For IPS-enabled platforms only, this panel includes the count of IPS alerts detected by the appliance,
provided that the value is not zero.
Click MVX Correlated IPS Events to open the IPS Events page filtered to display only IPS alerts.
IPS Trend
For IPS-enabled platforms only, this panel contains a two-series line graph that plots the number of
IPS alerts and IPS critical events detected by the appliance over the past month, week, or day of IPS
analysis.
4. To generate IPS-specific reports, select the Reports page. The following reports are available on IPS-enabled
platforms only:
IPS Executive Summary
Provides a high-level view of IPS statistics.
5. If you disabled IPS blockmode while evaluating the fit of IPS rules to your environment, be sure to re-enable
IPS blockmode after you finish customizing the configuration of IPS packet processing by your platform.
Prerequisites
l Apply IPS policies to the appliance monitoring interfaces, as described in Activating IPS Processing.
Procedure
In the following example, all FireEye event notification methods are enabled, and IPS events are enabled for
notification by email and rsyslog:
3. Click Test-Fire.
The system generates an IPS event of severity level 8, which should trigger event notifications for all
notification methods configured on the platform.
Look for the test-fire IPS event near the top of the list. By default, the list displays the most recent events at the
top. IPS test-fire events are listed with the rule name IPS-TEST-FIRE: Malicious PDF Downloaded.
NOTE: After you initiate an IPS test-fire event, the event appears in the IPS Events page for approximately
5 minutes before it disappears from the page display and from the events database.
5. Look for the test-fire IPS event in the other event notification targets you configured for IPS events.
If a configured notification method fails, correct the notification settings, and then repeat the test.
Prerequisites
l Apply IPS policies to the appliance monitoring interfaces, as described in Activating IPS Processing.
Procedure
The platform generates an IPS event of severity level 8, which should trigger event notifications for all
notification methods configured on the platform.
2. If a configured notification method fails, correct the configuration settings, and then repeat the test.
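As an added example that is not part of this guide, the following Python script automates the check in the last step: scan the log collected by an rsyslog notification target (or an export of any other target) for the test-fire event, and report which targets did not receive it. The rule name IPS-TEST-FIRE: Malicious PDF Downloaded and severity level 8 are taken from the guide; the syslog line layout, the fenotify tag, the host name and the sample lines are constructed for this example and are assumptions, not the appliance's actual notification format.

```python
import re
from datetime import datetime, timedelta, timezone

# Rule name and severity of the test-fire event, as documented for the appliance.
TEST_FIRE_RULE = "IPS-TEST-FIRE: Malicious PDF Downloaded"
TEST_FIRE_SEVERITY = 8

# Constructed sample lines from an rsyslog target. The layout (syslog header
# followed by key=value pairs) is an ASSUMPTION made for this example; it is
# not the appliance's real notification format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z nx-appliance fenotify: event=ips severity=5 rule="Suspicious HTTP Request" victim=10.0.0.5 attacker=203.0.113.9
2024-05-01T10:02:17Z nx-appliance fenotify: event=ips severity=8 rule="IPS-TEST-FIRE: Malicious PDF Downloaded" victim=10.0.0.7 attacker=198.51.100.4
2024-05-01T10:03:44Z nx-appliance fenotify: event=malware severity=9 rule="Trojan.Generic" victim=10.0.0.8 attacker=198.51.100.5
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+fenotify:\s+event=(?P<event>\S+)\s+'
    r'severity=(?P<severity>\d+)\s+rule="(?P<rule>[^"]*)"\s+'
    r'victim=(?P<victim>\S+)\s+attacker=(?P<attacker>\S+)\s*$'
)


def to_utc(value):
    """Accept an ISO-8601 'YYYY-MM-DDTHH:MM:SSZ' string or an aware datetime."""
    if isinstance(value, datetime):
        return value.astimezone(timezone.utc)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    """Parse notification lines; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["severity"] = int(ev["severity"])
        ev["ts"] = to_utc(ev["ts"])
        events.append(ev)
    return events


def find_test_fire(text, fired_at, window=timedelta(minutes=5)):
    """Return the test-fire event received within `window` after `fired_at`, or None.

    The event leaves the IPS Events page after about 5 minutes, but a notification
    target such as rsyslog keeps the line; the window only narrows the search to
    the test you just ran rather than an earlier one.
    """
    start = to_utc(fired_at)
    for ev in parse_events(text):
        if (ev["event"] == "ips" and ev["rule"] == TEST_FIRE_RULE
                and ev["severity"] == TEST_FIRE_SEVERITY
                and start <= ev["ts"] <= start + window):
            return ev
    return None


def check_targets(logs_by_target, fired_at):
    """Map each configured notification target to True/False depending on whether
    the test-fire event arrived. A False entry is the target to fix and re-test."""
    return {name: find_test_fire(text, fired_at) is not None
            for name, text in logs_by_target.items()}


if __name__ == "__main__":
    # The "email" target is modelled here as an empty text export of the mailbox.
    print(check_targets({"rsyslog": SAMPLE_LOG, "email": ""}, "2024-05-01T10:02:00Z"))
```

Run it against the real log of each target immediately after clicking Test-Fire (or running the CLI equivalent); any target that reports False has a notification setting to correct before you repeat the test.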
IMPORTANT! If you disabled IPS blockmode while evaluating the fit of IPS rules to your environment, be sure to
follow these steps to re-enable IPS blockmode after you finish configuring IPS.
Prerequisites
Procedure
2. Configure the appliance to re-enable blocking actions specified by matched IPS rules.
3. (Recommended) Customize appliance login messages to notify users that blocking actions are enabled for all
IPS rules active on the appliance. You can configure three types of login messages:
l Local banner—Text that appears after the username is entered in the CLI session.
l Remote banner—Text that appears in the Web UI and SSH login pages.
l Message of the Day—Text that appears after a user is authenticated and logged in to the CLI.
For more information, see Managing Auto-Addition of New IPS Rules to Active Interfaces.
The following example is a partial view of the Dashboard page for an IPS-enabled platform:
Some panels of the dashboard do not appear if the information is not relevant to your configuration.
You can control the display of the dashboard or panels by clicking the following icons:
Panel Control Icon Description
In the main view of the Dashboard page, click this icon to select the print-
to-PDF processing time and initiate printing of the current Dashboard
contents.
In the main view of the Dashboard page, click this icon to maximize the
display of a panel.
In the maximized view of a dashboard panel, click this icon to restore the
main (full) view of the Dashboard.
In any dashboard panel, click this icon to reload the data displayed.
In any dashboard panel that displays these buttons, you can select the
period of time for which the panel displays information.
In the Top Malware By Host and Activity panel, you can filter the data
displayed:
You can interact with the display of an individual dashboard panel in the following ways:
l Within a list—Click an icon or text link to display the Alerts page, filtered for the selected information.
l Within a chart—Click a line, bar, or slice to display the Alerts page, filtered for the selected information.
l Within a chart legend—Click an icon to refresh the chart with the selected information excluded or included.
NX Series Dashboard Panel That Shows IPS Data    Description
What's Happening Displays the number of IPS alerts detected by the appliance, provided that the
value is not zero. For more information, see Dashboard > What's Happening.
IPS Trend A line graph that shows the number of IPS alerts and IPS critical events
detected by the appliance. For more information, see Dashboard > IPS Trend.
The other dashboard panels do not include information about IPS events or IPS alerts. For more information about
these panels, see the NX Series Threat Management Guide.
NX Series Dashboard Panel That Does Not Show IPS Data    Description
Threat Level An overall threat level based on the threats detected by your appliance and
FireEye's measurement of threat level in your industry or geographical
location.
Callback Events Callback data listed in order of the most infected subnets in your configuration.
The blue numbered boxes link to the relevant Alerts page.
Critical Malware Detection Malicious infections uniquely detected by FireEye.
Threat Attacks A pie chart of the threat attacks most detected in your configuration. Click a
circle in the legend to show information about a specific threat type.
Malware Detection Trend The malware trend detected by your FireEye appliance, over time, compared
to the malware detected within your industry or geographical location.
Top 25 Infected Subnets (Cloud and Local) Overall infections in order of the number of malware events detected in your
configuration, the amount of unique malware, and the number of infected subnets. The blue numbered
boxes link to the relevant Alerts page.
Cloud Detection Overall infections in order of the number of callback events detected in your
configuration. The blue numbered boxes link to the relevant Alerts page.
Local Detection Overall infections in order of the number of callback events detected in your
configuration.
Top Malware by Host and Activity Color-coded bar graphs of the number of recent infections of various types.
l Click a circle in the legend to show information about that threat type.
Dashboard > What's Happening
On a standard NX Series platform, the What's Happening panel of the Dashboard page displays the alert totals for
the top three attack categories. On an IPS-enabled platform, the panel also shows the number of IPS alerts. By
default, alert totals exclude acknowledged alerts and cover the past month of IPS-enabled analysis.
The following table describes the attack categories summarized by the What's Happening panel. For each alert
count listed in the panel, you can click a link to display the list of all alerts of that type within the same time frame.
Button Description
Control whether the number of MVX-correlated IPS events displayed
includes or excludes acknowledged alerts. You can acknowledge
individual or multiple MVX-correlated IPS event entries from the
IPS Events page. You can acknowledge single IPS event entries from the
Alerts > Hosts page.
Select the period of time for which the panel displays information. The
default selection is Month.
Use the following icons to control the display of the What's Happening panel:
Panel Control Icon Description
In the main view of the Dashboard, click this icon to maximize the display of the
What's Happening panel.
In the maximized view of the What's Happening panel, click this icon to restore the main (full)
view of the Dashboard.
Click to reload the alert counts displayed in the What's Happening panel.
NOTE: If none of the attack categories is represented in your IPS-enabled platform for the acknowledgment and
time frame specified, the panel is empty:
Dashboard > IPS Trend
For IPS-enabled platforms only, the IPS Trend panel of the Dashboard page plots the number of IPS alerts and IPS
critical events on a graph.
By default, the IPS Trend panel covers the past one month of IPS-enabled analysis. The following example shows
an IPS Trend panel that covers the past one week of analysis.
Use the following icons to control the display of the IPS Trend panel:
Panel Control Icon Description
In the main view of the Dashboard, click this icon to maximize the display of the
IPS Trend panel.
In the maximized view of the IPS Trend panel, click this icon to restore the main (full)
view of the Dashboard.
Click to reload the alert counts displayed in the IPS Trend panel.
Use these buttons to select period of time for which the panel displays information.
The default selection is Month.
IPS Alerts
First, the platform analyzes the data to determine whether the IPS event is an IPS alert. To make that determination,
the platform uses correlation logic that compares the suspicious traffic flow, the IPS rule that detected the suspicious
traffic flow, and similar MVX-verified malware attacks already seen on the appliance. In the case of a match, the IPS
event is said to be MVX-correlated.
You can identify MVX-correlated events by the presence of badges in the Alerts lists and in the list of IPS events:
l In the Alerts > Hosts and Alerts > Alerts pages, the IPS alert entry shows the following icon in the Badges
column:
l In the IPS Events page, the IPS alert entry shows the following icon in the Badges column:
l Depending on how you have configured IPS event notifications, IPS event notification messages might be
sent.
Non-Malicious Events
If an IPS event does not correlate with an MVX-verified malware attack, the IPS-enabled platform continues to
inspect the data in the session that matched the rule. The MVX engine inspects the data within the same IPS event
vulnerability execution environment as the original session that contained the matched traffic. If the result of MVX
verification shows the IPS event to be non-malicious, the platform categorizes the event as non-attack.
l In the IPS Events page, the IPS event entry shows the following icon in the Badges column:
l Depending on how you have configured IPS event notifications, IPS event notification messages might be
sent.
For information about configuring the platform to send FireEye notifications for IPS events, see IPS Event
Notifications.
The following example shows an IPS Events page that lists nine entries for MVX-correlated events and two entries
for verified non-malicious events.
Use the IPS Events page to monitor the types and rates of network threats that the platform detects through IPS
signature matching. Watch for rising or abnormal statistics, particularly with respect to IPS events for server-
targeting threats (for which the platform does not perform MVX correlation).
Field Name Description
# of rows Total number of rows in the table. Rows displayed is based on Duration and filtering settings.
# IPS Events Rows that represent IPS events not correlated with MVX-verified malware attacks.
# MVX Correlated Rows that represent one or more MVX-correlated IPS events.
Each entry in the IPS Events page displays the following information about an attack detected by an IPS rule.
Column Name Description
Select any entry in the list to open the IPS event acknowledgment options. You can also select all
entries in a page, or you can select all events in the list. See IPS Event Acknowledgment.
Click to expand the view of the IPS event (or IPS event grouping) to show additional details. See
IPS Events Page Drill-Down View.
Time Date and time of the most recent occurrence of the event.
Victim IP IP address of the attack target. If the entry represents multiple IPS events, this field links to the
Alerts > Hosts page, filtered on this IP address. See Shortcuts From the IPS Events Page.
This address corresponds to two fields in the drill-down view of this entry: Src IP and
Src MAC Address.
Attacker IP IP address of the network host that sent the suspicious traffic.
This address corresponds to the Dst MAC Address field in the drill-down view:
CVE-ID If the IPS rule used to detect the event is associated with a security vulnerability description in the
Common Vulnerabilities and Exposures (CVE) database, this field displays the CVE identification
number. Otherwise, this field is empty.
# IPS Events Number of IPS events of this type (same victim, same attacker, and same signature ID).
Column Name Description
Rule Name of the IPS rule used to detect the event.
To display a detailed description of the security vulnerability (with the exception of custom IPS
rules), click the linked text.
Category Attack category.
Protocol Presentation-layer protocol used as the attack vector.
Badges Badges in this column indicate IPS analysis of the IPS events represented by the table entry.
The system has correlated one or more of these IPS events with a malware attack verified
by the MVX engine. The badge is a link that opens the Alerts > Hosts page, filtered to
display all alerts—malware alerts or IPS alerts—that target the victim IP address. See
Shortcuts From the IPS Events Page.
The entry represents one or more IPS events that have been verified to be non-malicious.
The badge is not hyperlinked. For more information, see About IPS Event Correlation and
Verification.
Times are displayed in UTC format by default. You can set the time zone in the Settings > Date and Time page.
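The three list pages collapse individual events differently: the IPS Events page groups on victim, attacker and signature ID (the # IPS Events column), Alerts > Hosts groups on victim IP and rule name, and Alerts > Alerts groups on rule name only. The following Python is an added example, not code from the guide or the product, that models those groupings and the row counters above the IPS Events table so you can see what a given set of events turns into on each page. The event records, field names and signature IDs are constructed for the example (the victim address 192.168.185.186 is the one used in the guide's screenshot description).

```python
# Constructed sample IPS events (an assumption for this example, not data from
# the appliance). sig_id is the signature ID, rule is the IPS rule name, and mvx
# marks an MVX-correlated event, i.e. an IPS alert.
EVENTS = [
    {"time": "2024-05-01T10:00:01", "victim": "192.168.185.186", "attacker": "203.0.113.9",
     "sig_id": 2001, "rule": "Malicious PDF Downloaded", "mvx": True},
    {"time": "2024-05-01T10:05:30", "victim": "192.168.185.186", "attacker": "203.0.113.9",
     "sig_id": 2001, "rule": "Malicious PDF Downloaded", "mvx": False},
    {"time": "2024-05-01T10:07:12", "victim": "192.168.185.186", "attacker": "198.51.100.4",
     "sig_id": 2001, "rule": "Malicious PDF Downloaded", "mvx": False},
    {"time": "2024-05-01T10:09:45", "victim": "192.168.185.190", "attacker": "203.0.113.9",
     "sig_id": 3007, "rule": "Server Exploit Attempt", "mvx": False},
]


def group_events(events, key_fields):
    """Collapse events that share the given key fields into one row, as the Web UI
    tables do. Each row keeps the count, the most recent time (the Time column)
    and whether any member was MVX-correlated (what the MVX badge indicates).
    Rows come back most recent first, the default sort of the IPS Events page."""
    rows = {}
    for ev in events:
        key = tuple(ev[f] for f in key_fields)
        row = rows.setdefault(key, {"count": 0, "time": ev["time"], "mvx": False})
        row["count"] += 1
        row["time"] = max(row["time"], ev["time"])   # ISO-8601 strings sort lexically
        row["mvx"] = row["mvx"] or ev["mvx"]
    return sorted(rows.items(), key=lambda kr: kr[1]["time"], reverse=True)


def ips_events_rows(events):
    """IPS Events page: same victim, same attacker, same signature ID."""
    return group_events(events, ("victim", "attacker", "sig_id"))


def alerts_hosts_rows(events):
    """Alerts > Hosts page: grouped by victim IP address and rule name."""
    return group_events(events, ("victim", "rule"))


def alerts_alerts_rows(events):
    """Alerts > Alerts page: grouped by rule name only."""
    return group_events(events, ("rule",))


def page_summary(events):
    """The counters above the IPS Events table: total rows, rows with no MVX
    correlation (# IPS Events) and rows holding at least one IPS alert (# MVX Correlated)."""
    rows = ips_events_rows(events)
    mvx = sum(1 for _, row in rows if row["mvx"])
    return {"rows": len(rows), "ips_events": len(rows) - mvx, "mvx_correlated": mvx}


if __name__ == "__main__":
    for key, row in ips_events_rows(EVENTS):
        print(key, row)
    print(page_summary(EVENTS))
```

Note that the MVX badge is set per row, so a row with two events of which only one was correlated still shows the badge; when you drill into such a row, the First Seen and Last Seen fields tell you the span the grouped events cover.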
CVE-ID
If the IPS rule used to detect the IPS event is associated with a security vulnerability description in the CVE
database, this field displays the CVE identification number.
Rule
To display a detailed description of the security vulnerability (with the exception of custom IPS rules), click
the linked text.
Victim IP
If an entry contains an IPS alert, click the IP address in this field to open the Alerts > Hosts page. The alerts
are filtered on the victim IP address.
Badges
If an entry contains an IPS alert, click the IPS alert badge in this field to open the Alerts > Alerts page. The
alerts are filtered on the victim IP address.
For example, suppose you are analyzing the IPS Events page, and you are focusing on an IPS alert (indicated by
the badge circled in red) for an attack on the host at IP address 192.168.185.186 (circled in blue):
l If you click the victim IP address, the Alerts > Hosts page displays the entry for the attack victim.
l If you click the MVX badge, the Alerts > Alerts page displays entries for the victim and IPS rule.
Page
To control the page displayed, use the Prev and Next links.
Default: page 1.
Duration
To set the time frame for which the page displays IPS events, select values in the From and Going Back
fields.
Default: The past 24 hours.
Sort order
To sort the data, click any linked column heading.
To reverse the sort order, click the column heading again.
Default: Sorted on the Time field in descending order.
Show/Hide Filters
Click the button to show or hide the filter fields for all columns.
To filter the IPS events displayed, type a match value in a column filter field and press the Enter key.
Default: Disabled.
The following example shows the detailed event information and configuration options that might appear in the drill-
down view of an IPS event:
The following table describes the fields of the drill-down view of an entry in the IPS Events page.
Field Description
Malware Name of the IPS rule that matched the event.
Interface Monitoring interface that received the suspected malicious traffic.
mode Monitoring interface operational mode.
Blocking Action Action taken on the traffic that triggered this event:
• Blocked
• NOT blocked
Field Description
Set Sig Name Blocking Policy Blocking action that the IPS-enabled rules engine should take on traffic that
matches the IPS rule displayed to the right of this drop-down box. This setting
overrides the blocking action specified within the IPS rule itself.
• None—No override.
• Block all—For both interfaces, block traffic that matches the IPS rule.
• Block A—For interface A, block traffic that matches the IPS rule.
• Block B—For interface B, block traffic that matches the IPS rule.
• Unblock all—For both interfaces, allow traffic that matches the IPS rule.
• Unblock A—For interface A, allow traffic that matches the IPS rule.
• Unblock B—For interface B, allow traffic that matches the IPS rule.
For information about the three Block options, see Options to Disable or Force
Blocking for a Vulnerability or an IPS Rule. For information about the three
Unblock options, see Options to Suppress a Vulnerability or an IPS Rule.
Set Sig ID Blocking Policy Blocking action that the IPS-enabled rules engine should take on traffic that
matches the signature whose ID is displayed to the right of this drop-down box.
This setting overrides the blocking action specified within the IPS rule itself.
• None—No override.
• Block all—For both interfaces, block traffic that matches the signature.
• Block A—For interface A, block traffic that matches the signature.
• Block B—For interface B, block traffic that matches the signature.
• Unblock all—For both interfaces, allow traffic that matches the signature.
• Unblock A—For interface A, allow traffic that matches the signature.
• Unblock B—For interface B, allow traffic that matches the signature.
For information about the three Block options, see Options to Disable or Force
Blocking for a Vulnerability or an IPS Rule. For information about the three
Unblock options, see Options to Suppress a Vulnerability or an IPS Rule.
Orig. Traffic Capture Links to two forms of the packet capture (pcap) that triggered the IPS event:
• Raw pcap
• ASCII text version of the pcap
IP Protocol IP protocol used to transport the threat.
Attacked Port Port number associated with the victim IP address.
Src IP Victim IP address. Same as the Victim IP field in the main view.
Src MAC Address MAC address of the victim machine.
Dst MAC Address MAC address of the attacking machine.
IPS Details
First Seen Time when the attack was first detected (within the specified period of time).
Last Seen Time when the attack was last detected (within the specified period of time).
Categories Attack category and (if applicable) attack subcategory.
References Vulnerability database entries referenced by the IPS rule.
Protocol Presentation-layer protocol used as the attack vector.
Network Communication
Raw Command Text dump of the packet payload.
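Three settings decide what happens to a matched flow: the appliance-wide IPS blockmode (enabled by default, disabled for monitoring-only baselining, or forced so that every rule blocks), the per-interface override chosen in the Set Sig Name / Set Sig ID Blocking Policy drop-downs above, and the block action carried by the rule itself. The following Python is an added example, not code from the guide or the product, that encodes that decision so you can predict the Blocking Action field for a given configuration. The precedence it uses (blockmode disabled or forced wins over everything; otherwise an override that targets this interface; otherwise the rule's own action) is inferred from the guide's descriptions and is an assumption, as are all the function and enum names.

```python
from enum import Enum


class BlockMode(Enum):
    """Appliance-wide IPS blockmode (names assumed for this example)."""
    ENABLED = "enabled"    # default: honour the rule's block action and any override
    DISABLED = "disabled"  # monitoring-only baselining: events, alerts, notifications, no blocking
    FORCED = "forced"      # rule testing against known traffic: every matched flow is blocked


# Values of the Set Sig Name / Set Sig ID Blocking Policy drop-downs.
OVERRIDES = {"None", "Block all", "Block A", "Block B",
             "Unblock all", "Unblock A", "Unblock B"}


def override_applies(override, interface):
    """True/False if the override decides the action on `interface`, None if it
    is 'None' or targets only the other interface."""
    if override == "None":
        return None
    action, scope = override.split(" ", 1)
    if scope == "all" or scope == interface:
        return action == "Block"
    return None


def resolve_action(blockmode, rule_blocks, override="None", interface="A"):
    """Return True if a flow matching the rule on `interface` is blocked.

    Precedence (assumed): appliance-wide blockmode disabled or forced wins;
    then a per-interface override that covers this interface; then the block
    action specified by the rule itself.
    """
    if interface not in ("A", "B"):
        raise ValueError("interface must be 'A' or 'B'")
    if override not in OVERRIDES:
        raise ValueError(f"unknown override {override!r}")
    if blockmode is BlockMode.DISABLED:
        return False
    if blockmode is BlockMode.FORCED:
        return True
    decided = override_applies(override, interface)
    if decided is not None:
        return decided
    return rule_blocks


def blocking_action_label(blocked):
    """The string shown in the Blocking Action field of the drill-down view."""
    return "Blocked" if blocked else "NOT blocked"


def baseline_drift(blockmode):
    """Warning to surface at the end of the baselining phase if blockmode was
    left in a non-default state (the guide's reminder to re-enable it)."""
    if blockmode is BlockMode.DISABLED:
        return "IPS blockmode disabled: every matched flow is passed; re-enable before go-live"
    if blockmode is BlockMode.FORCED:
        return "IPS blockmode forced: every matched flow is blocked; re-enable before go-live"
    return None


if __name__ == "__main__":
    # A rule that blocks by default, suppressed on interface A only.
    for iface in ("A", "B"):
        blocked = resolve_action(BlockMode.ENABLED, True, "Unblock A", iface)
        print(iface, blocking_action_label(blocked))
```

The useful case to notice is the last one in the block: an Unblock A override leaves interface B blocking, so in an asymmetric-routing deployment where both interfaces carry halves of the same flows, a per-interface suppression can leave one direction blocked while the other passes.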
Alerts > Hosts Page
This topic covers the following information:
The Alerts > Hosts page lists all malware alerts and IPS alerts, grouped by victim IP address and attack rule name.
Multiple alerts associated with the same victim and signature rule are combined in a single entry in the list. The
Total field displays the number of alerts represented by an entry.
The following table describes the fields in this view of alerts grouped by victim.
Column Name Description
Click to expand the alert entry to include detailed information about this alert or alert grouping.
Host IP address of the infected host.
Severity The icon represents the event severity level. Event severity estimates the likelihood that the
targeted host was compromised by the event. The following types of icons are used:
Total Total number of malware alerts (infections and callbacks) and IPS alerts for this infected host. To
go to a view of the Alerts > Alerts page that is filtered to list the individual alerts for the infected
host, click the linked text.
Infections Number of infections for this host.
Callbacks Number of malware callback infections for this host, including signature matches and
communications with the botnet server.
Blocked Number of events that were blocked by appliance inline blocking.
Last Malware Last type of malware or attack involved in this infected host. To display a detailed description of
this type of attack, click the linked text. Detailed descriptions are not available for attacks detected
by custom IPS rules.
Last seen at Date and time of the most recent attack on the host.
Host Name Last host name associated with the network host that sent the attack, if known.
Last ack at Date and time of the most recent acknowledgment of this alert.
Column Name Description
Badges On an IPS-enabled platform, this column displays badges that indicate analysis of alerts
represented by the entry:
The entry represents one or more IPS alerts. For more information, see the following
topics:
l IPS Events and IPS Alerts
l IPS Events Tab
l Event and Alert Management.
The entry represents one or more non-IPS alerts in which data theft occurred. To go to a
view of the Alerts > Hosts page that is filtered to list the individual alerts for the infected
host, click the badge. For more information, see the NX Series
Threat Management Guide.
On any NX Series appliance enabled for Advanced Threat Analysis (ATI), Threat Info
badges can appear in this column. The color of the badge indicates the level of risk that
the threat poses to your network:
A red badge indicates an ATI alert for a threat that poses a high risk.
An orange badge indicates an ATI alert for a threat that poses a medium level of risk.
An amber badge indicates an ATI alert for a threat that poses a low risk to your network.
For managed NX Series appliances, ATI badges and ATI information are visible from the
CM Series Web UI only. For more information about ATI, see the NX Series Threat Management
Guide.
For an ATI alert, the threat level measures the level of risk posed by the attack against the
targeted organization. This score is based on the malware's behavioral capabilities and intent,
threat actor profiles, and other FireEye intelligence as available.
The ATI threat level determination for an ATI alert is different from the threat severity for an alert.
The severity estimates the likelihood that the targeted host has been compromised by an event.
For example, established command and control (CnC) channels result in highest severity, while
host connection to a compromised site is low severity because it does not indicate whether the
host was breached.
Times are displayed in UTC format by default. You can set the time zone in the Settings > Date and Time page.
You can filter the list on a single column. Click Show / Hide Filters to show or hide filter options for each column.
l To filter the list on one or more types of badges, open the Select Badge(s) list, select the types of badges you
want to include, then click Apply.
l For all other columns, type the text you want to match and then press Enter.
Field Description
Malware Detected
Malware Type of malware involved in the infection.
Severity Severity level of the event.
Total Total number of alerts involving the specified malware family. Click the link to display a
list of individual alerts on this host that are related to the same malware family.
Infections Number of infections that are confirmed on the MVX engine.
Callbacks Number of events that involved communication with a remote command and control
(CnC) server.
Blocked Number of events that were blocked by appliance inline blocking.
Botnets Number of events involving botnets.
Last CnC Server Remote CnC server.
Last Location CnC server location, if known.
First Seen First time that an infection event for this malware family was recorded for this host.
Last Seen Last time that an infection event for this malware family was recorded for this host.
Ports Used Ports used in the attack.
Protocols Protocols used in the attack.
Field Description
Filetype Type of file analyzed from the traffic stream. File types include the following:
Acknowledge the infections and callbacks above for the host at ip-address
Click to expose the notes text box and the Acknowledge button for this alert. For more
information about acknowledging an IPS alert, see the NX Series Threat Management
Guide.
Alerts > Alerts Page
This topic covers the following information:
The following table describes the fields in this view of alerts grouped by attack.
Column Name Description
Click to expand the alert entry to include detailed information about the alert or alert grouping.
Type Attack detection type:
Time Date and time of the most recent occurrence of the attack.
Source IP IP address of the victim that received the attack.
This address corresponds to the Attacked Port and Src IP fields in the drill-down view.
Target IP IP address of the attacker.
URL/MD5sum URL or MD5 checksum that triggered the Malware Object or Web Infection alert.
Location Location in which the server is located, if known. This column is displayed only if geo-location
data is loaded.
Column Name Description
Badges On an IPS-enabled platform, this column displays badges that indicate analysis of alerts
represented by the entry:
The entry represents one or more IPS alerts. For more information, see the following
topics:
l IPS Events and IPS Alerts
l IPS Events Tab
l Event and Alert Management.
The entry represents one or more non-IPS alerts in which data theft occurred. In the
Alerts > Alerts page, Data Theft badges are not hyperlinked. For more information, see
the NX Series Threat Management Guide.
On any NX Series appliance enabled for Advanced Threat Analysis (ATI), Threat Info
badges can appear in this column. The color of the badge indicates the level of risk that
the threat poses to your network:
A red badge indicates an ATI alert for a threat that poses a high risk.
An orange badge indicates an ATI alert for a threat that poses a medium level of risk.
An amber badge indicates an ATI alert for a threat that poses a low risk to your network.
For managed NX Series appliances, ATI badges and ATI information are visible from the
CM Series Web UI only. For more information about ATI, see the NX Series Threat Management
Guide.
For an ATI alert, the threat level measures the level of risk posed by the attack against the
targeted organization. This score is based on the malware's behavioral capabilities and intent,
threat actor profiles, and other FireEye intelligence as available.
The ATI threat level determination for an ATI alert is different from the threat severity for an alert.
The severity estimates the likelihood that the targeted host has been compromised by an event.
For example, established command and control (CnC) channels result in highest severity, while
host connection to a compromised site is low severity because it does not indicate whether the
host was breached.
Times are displayed in UTC format by default. You can set the time zone in the Settings > Date and Time page.
You can filter the list on a single column. Click Show / Hide Filters to show or hide filter options for each column.
l To filter the list on one or more types of badges, open the Select Badge(s) list, select the types of badges you
want to include, then click Apply.
l For all other columns, type the text you want to match and then press Enter.
l Analysis Details
l Bot Communication Details
l Callback Communication Observed from the MVX Engine
l Malware Detected
l Malware Binaries
l OS Change Details
Alerts > Callback Activity Page
This topic covers the following information:
The following example shows the default display of an Alerts > Callback Activity page. The default display lists
entries in reverse chronological order, shows 20 results per page, covers the previous 24 hours of IPS processing,
and is not filtered on any data column.
Column Name Description
Click to expand the row to display additional results.
Column Name Description
C&C Server Host name or IP address of the botnet CnC server that directs the callback activity.
Location Geographical location of the botnet C&C server, if known. This information appears only if geo-location data is loaded.
Events Number of callback events seen for this C&C server.
Hosts Number of hosts on the monitored network that have been verified as botnet zombies under the
control of the CnC server.
Last Seen at Date and time of the most recent callback event. Times are displayed in UTC format by default. You
can set the time zone in the Settings > Date and Time page.
Field Description
Service Port(s) System port number used by the malware to connect to the C&C server.
IP Protocol(s) Types of IP traffic for which a FireEye C&C rule matched traffic: TCP, UDP, or HTTP.
First Seen Time when the callback activity was first detected (within the period of time displayed in the
Alerts page).
VM-verified Hosts Number of infected hosts that initiated MVX-verified outbound communications to a C&C
server associated with the callback event.
Callback Hosts Number of infected hosts that attempted to contact the C&C server.
ipAddress (count) IP addresses of infected hosts that attempted to contact the C&C server. The number of
callback attempts by the infected host is shown enclosed in parentheses.
l Click the IP address to open the Alerts > Hosts page, filtered for the victim IP address in
the Host column.
l Click the number to open the IPS Events page, filtered for the victim IP address in the
Source IP column.
To detect reconnaissance activity, a platform engine detects repeated connections and queries to or from the same
host. The platform engine tracks and analyzes the sources, destinations, and volume of each suspicious traffic flow.
Through analysis of the suspicious traffic and hosts, the engine can separate reconnaissance attacks from normal
network traffic. When a reconnaissance attack is detected, the system triggers an IPS ping sweep event or an IPS
port scan event.
When IPS detection of reconnaissance activity is enabled, the platform detects reconnaissance activity that targets
ports, hosts, and networks.
Ping sweeps
When the IPS-enabled engine identifies certain ICMP echo requests and replies, it tracks the source IP
addresses (the attackers) and destination IP addresses (the victims). The platform triggers an IPS ping
sweep event when the number of ICMP messages in a session exceeds a configurable threshold within a
rolling 60-second window. Ping sweep detection is supported on IPv4 and IPv6 networks.
Port scans
When the IPS-enabled engine identifies certain TCP or UDP connection flows, it tracks the source IP
address (the attacker) and its last five destination IP addresses (victims). The engine triggers an IPS port
scan event when the number of TCP or UDP messages exceeds a configurable threshold within a rolling
60-second window. Port scan detection is supported on IPv4 and IPv6 networks.
The rules detect the following types of port scans:
l TCP SYN
l TCP SYN+ACK
l TCP Connect
l TCP NULL
l TCP FIN
l TCP XMAS
l UDP
Frequent connections to a service port on a single victim IP address do not trigger IPS reconnaissance
events. Attackers typically do not scan the same port on the same IP address many times. Automatic
suppression of events for this type of activity prevents false positives from triggering on valid network traffic,
such as DNS packets and NetBIOS Name Service packets.
NOTE: Reconnaissance detection consumes additional system resources. Depending on your traffic load and IPS
policies, operating the platform in reconnaissance detection mode can slow IPS processing. For that reason, IPS
detection of reconnaissance activity is disabled by default.
IPS reconnaissance events do not trigger FireEye event notifications and cannot be acknowledged.
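As an added illustration of the detection logic described above (this is not FireEye code), the following Python models per-attacker rolling 60-second counters for ICMP echo activity and TCP/UDP flows, the same-port-on-same-victim suppression, and the record of the last five victims. The thresholds default to the values the guide's CLI examples set (35 for ping sweeps, 300 for port scans) because the platform defaults are not stated here; the rule names, the one-event-per-burst reset and all traffic in the demo are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 60  # the rolling window the guide describes


@dataclass
class ReconEvent:
    kind: str               # pingsweep, tcp_portscan or udp_portscan (the guide's subcategory names)
    attacker: str
    victim_ip_count: int
    victim_port_count: int
    last_victims: list      # up to five most recent distinct victim IPs, oldest first


class ReconDetector:
    """Per-attacker rolling-window counters for ICMP echo and TCP/UDP flow activity (constructed model)."""

    def __init__(self, ping_sweep_threshold=35, port_scan_threshold=300):
        # Defaults are the values the guide's CLI examples raise the thresholds to,
        # not the platform's own defaults (assumption).
        self.ping_threshold = ping_sweep_threshold
        self.scan_threshold = port_scan_threshold
        # (attacker, proto) -> deque of (timestamp, victim_ip, victim_port or None)
        self.windows = defaultdict(deque)
        self.events = []

    @staticmethod
    def _expire(dq, now):
        """Drop entries that have fallen out of the rolling window."""
        while dq and now - dq[0][0] > WINDOW_SECONDS:
            dq.popleft()

    def observe(self, ts, attacker, victim, proto, dport=None):
        """Feed one flow record; returns a ReconEvent when a threshold is crossed, else None."""
        proto = proto.lower()
        dq = self.windows[(attacker, proto)]
        self._expire(dq, ts)
        if proto == "icmp":
            dq.append((ts, victim, None))
            threshold, kind = self.ping_threshold, "pingsweep"
        elif proto in ("tcp", "udp"):
            # Suppression the guide describes: repeated connections to the same service port
            # on the same victim are counted once, so chatty legitimate traffic (DNS,
            # NetBIOS Name Service) does not trip the port scan threshold.
            if any(v == victim and p == dport for _, v, p in dq):
                return None
            dq.append((ts, victim, dport))
            threshold, kind = self.scan_threshold, f"{proto}_portscan"
        else:
            return None  # other protocols play no part in reconnaissance detection
        if len(dq) <= threshold:
            return None
        victims = list(dict.fromkeys(v for _, v, _ in dq))   # distinct, in first-seen order
        ports = {p for _, _, p in dq if p is not None}
        event = ReconEvent(kind, attacker, len(victims), len(ports), victims[-5:])
        self.events.append(event)
        dq.clear()  # one event per burst (assumption); counting restarts for the next window
        return event


def run_constructed_demo():
    """Replays constructed traffic (not captured data) and returns the events raised."""
    det = ReconDetector()
    # 1. Ping sweep: one attacker, 40 distinct victims, one echo request per second.
    for i in range(40):
        det.observe(ts=i, attacker="10.0.0.5", victim=f"192.0.2.{i + 1}", proto="icmp")
    # 2. TCP port scan: one attacker, one victim, ports 1..301 within thirty seconds.
    for port in range(1, 302):
        det.observe(ts=100 + port * 0.1, attacker="10.0.0.6", victim="192.0.2.50",
                    proto="tcp", dport=port)
    # 3. Chatty DNS client: 500 UDP queries to the same resolver port are suppressed.
    for i in range(500):
        det.observe(ts=200 + i * 0.05, attacker="10.0.0.7", victim="192.0.2.53",
                    proto="udp", dport=53)
    # 4. Slow pinger: 36 echo requests spread over 70 seconds never put 36 inside one window.
    for i in range(36):
        det.observe(ts=300 + 2 * i, attacker="10.0.0.8", victim=f"192.0.2.{100 + i}", proto="icmp")
    return det.events


if __name__ == "__main__":
    for ev in run_constructed_demo():
        print(ev)
```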
Prerequisites
Procedure
2. Select the time frame you want to view by using the two Duration fields in the control bar.
3. Select Show Recon & Brute-Force Events on the right side of the control bar. The list expands to include IPS
reconnaissance events and brute-force events.
6. Press Enter.
TIP: You can filter the list further so that it displays only ping sweep events, only TCP reconnaissance events, or
only UDP reconnaissance events. Filter the Protocol field on icmp, tcp, or udp.
The following example shows the IPS Events page filtered to show IPS reconnaissance events only. For more
information, see Showing Reconnaissance Events (Web UI).
One-to-Many
If the entry represents a single attacker conducting the same reconnaissance on multiple victims, the
Victim IP field displays a green plus icon ( ) next to the IP address of the most recent victim. Click the
green plus icon (or the triangle in column 2) to expand the entry. The drill-down view displays the
IP addresses of the last five victims of the attack but the IP count and port range of the most recent victim
only.
Many-to-One
If the entry represents multiple attackers conducting the same reconnaissance on a single victim, the
Attacker IP field displays a green plus icon ( ) next to the IP address of the most recent attacker. Click the
green plus icon (or the usual triangle in column 2) to expand the entry. The drill-down view displays the IP
addresses of the last five attackers but the IP count and port range of the most recent attacker only.
One-to-One
If the entry represents one victim and one attacker, no green plus icon appears. The drill-down view does
not list additional victims or attackers, though the number of attacks may be quite high.
For example, suppose the IPS Events list includes an entry that represents one attacker and ten victims (a 1 : 10
entry) of TCP port scans. When the entry is collapsed, you can see the IP address of the most recent victim and the
total number of attacks (in the # IPS Events field). When you expand the entry, you can see the IP addresses of four
more recent victims. Other statistics in the drill-down view, such as Total Connection Count and Victim IP Count, are
aggregates of all ten victims. Elsewhere in the IPS Events list, you will also see ten one-to-one entries that you
might think are already accounted for in the 1 : 10 entry. However, these entries contain individual statistics for each
victim.
The following example shows the drill-down view of a one-to-many ping sweep event entry.
The following table describes the ping sweep-specific fields in the drill-down view of an IPS ping sweep event entry.
Field Description
IP Protocol ICMP
Victim IP IP address of the victim.
NOTE: For most IPS ping sweep events, certain statistics are estimated values rather than exact counts. The
following values are provided as reference information only:
l Victim IP Count
l Attacker IP Count
Analysis of ping sweep activity is a resource-intensive process. When it is necessary to conserve resources, the
analysis process does not record all IP addresses involved in the ping sweep activity. In this case, the process must
estimate the count of IP addresses or port numbers. To estimate the count, the process compares the current IP
address or port count with the most recent IP addresses or port counts in cache memory.
The following example shows the drill-down view of a one-to-many port scan event entry.
The following table describes the port scan-specific fields in the drill-down view of an IPS port scan event entry.
Field Description
IP Protocol TCP or UDP
Victim Port Port number last attacked on the most recent victim.
Victim IP IP address of the most recent victim.
NOTE: For most IPS port scan events, certain statistics are estimated values rather than exact counts. The following
values are provided as reference information only:
l Victim IP Count
l Victim Port Count
l Attacker IP Count
Analysis of port scan activity is a resource-intensive process. When it is necessary to conserve resources, the
analysis process does not record all IP addresses or port numbers involved in the port scan activity. In this case, the
process must estimate the count of IP addresses or port numbers. To estimate the count, the process compares the
current IP address or port count with the most recent IP addresses or port counts in cache memory.
NOTE: Reconnaissance detection consumes additional system resources. Depending on your traffic load and IPS
policies, operating the platform in reconnaissance detection mode can slow IPS processing.
The platform uses default threshold values for ping sweep detection and port scan detection. You can configure
higher detection thresholds to reduce false positive IPS events. See Configuring the Detection Thresholds for
Reconnaissance Events (CLI).
Prerequisites
Procedure
2. Check the current status of the feature. In the following example, the feature is not yet enabled.
3. Enable or disable the feature. In the following example, the command enables the feature.
4. Confirm your changes. The following example displays the default settings.
The system initializes with default threshold values for ping sweep detection and port scan detection. You can
configure higher thresholds to reduce false positive IPS events.
Prerequisites
l Enable IPS detection of reconnaissance activity. See Enabling IPS Detection of Reconnaissance Activity (CLI).
Procedure
2. Check the current status of the feature. In the following example, the feature is enabled with default values.
3. Configure a new ping sweep threshold value. In the following example, the threshold is raised to 35.
4. Configure a new port scan threshold value. In the following example, the threshold is raised to 300.
Brute-force detection is enabled if an active IPS policy selects one or more IPS brute-force rules.
IPS brute-force events do not trigger FireEye event notifications and cannot be acknowledged.
l IPv4 FTP
l IPv4 MySQL
l IPv4 PostgreSQL
l IPv4 rsh
l IPv4 SMB
At the time of this release, detailed inspection mode enables the platform to detect brute-force attacks by
applications that use ports for the following protocols:
l IPv4 Telnet
l IPv4 VNC
l IPv4 rlogin
l IPv6 Telnet
l IPv6 FTP
Prerequisites
Procedure
2. Select the time frame you want to view by using the two Duration fields in the control bar.
3. Select Show Recon & Brute-Force Events on the right side of the control bar. The list expands to include IPS
reconnaissance events and brute-force events.
6. Press Enter.
The following example shows the IPS Events page filtered to show IPS brute-force events only. For more
information, see Showing Brute-Force Events (Web UI).
One-to-Many
If the entry represents a single attacker conducting the same attack on multiple victims, the Victim IP field
displays a green plus icon ( ) next to the IP address of the most recent victim. Click the green plus icon (or
the triangle in column 2) to expand the entry. The drill-down view displays the IP addresses of the last five
victims of the attack but the IP count and port range of the most recent victim only.
Many-to-One
If the entry represents multiple attackers conducting the same attack on a single victim, the Attacker IP field
displays a green plus icon ( ) next to the IP address of the most recent attacker. Click the green plus icon
(or the triangle in column 2) to expand the entry. The drill-down view displays the IP addresses of the last
five attackers but the IP count and port range of the most recent attacker only.
One-to-One
If the entry represents one victim and one attacker, no green plus icon appears. The drill-down view does
not list additional victims or attackers, though the number of attacks may be quite high.
For example, suppose the IPS Events list includes an entry that represents ten attackers and one victim (a 10 : 1
entry) of Telnet brute-force attacks. When the entry is collapsed, you can see the IP address of the most recent
attacker and the total number of attacks (in the # IPS Events field). When you expand the entry, you can see the IP
addresses of four more recent attackers. Other statistics in the drill-down view, such as Total Connection Count and
Victim IP Count, are aggregates of all ten attackers. Elsewhere in the IPS Events list, you will also see ten
one-to-one entries that you might think are already accounted for in the 10 : 1 entry. However, these entries contain
individual statistics for each attacker.
The following example shows the drill-down view of a one-to-many Telnet brute-force event entry.
The following table describes the brute force-specific fields in the drill-down view of an IPS brute-force event entry.
Field Description
IP Protocol TCP or UDP
Victim Port Port number last attacked on the most recent victim.
Victim IP IP address of the victim.
NOTE: For most brute-force events, some statistics are estimated values rather than exact counts. The following
values are provided as reference information only:
l Victim IP Count
l Attacker IP Count
Brute-force analysis is a resource-intensive process. When it is necessary to conserve resources, the analysis
process does not record all IP addresses involved in the attack. In this case, the process must estimate the count of
IP addresses or port numbers. To estimate the count, the process compares the current IP address or port count
with the most recent IP addresses or port counts in cache memory.
Prerequisites
Procedure
The system initializes with a default threshold value for detecting brute-force events. You can configure a higher
threshold to reduce false positive IPS events.
Prerequisites
Procedure
2. Check the current value of the threshold. In the following example, the feature is enabled with default values.
3. Configure a new brute-force threshold value. In the following example, the threshold is raised to 10.
Prerequisites
l Choose a custom IPS policy to use. If you need to configure a new policy for this purpose, use one of the
following topics:
l Editing an IPS Policy
l (Recommended) If the policy you want to edit is applied to appliance monitoring interfaces, remove the policy
from the interfaces.
Procedure
2. Click Edit for the custom policy you want to edit, or click Clone and Edit to edit a clone of a default policy.
4. Click Search Rules.
5. Use the checkboxes ( ) in the Enabled column to specify which IPS brute-force rules are enforced.
l Select only the options for IPS brute-force rules you want to apply.
6. Click Save Custom Policy.
7. If the New Policy Name text box appears, enter a name for the new policy and then click Save.
8. Select the monitoring interface to which you want to apply the policy.
Prerequisites
Procedure
2. Locate the brute-force event entry type to suppress. See Showing Brute-Force Events (Web UI).
3. Make note of the name of the IPS rule that detected these brute-force events. The rule name is displayed in the
Rule field.
5. In Blocking Action section, locate the drop-down menu to the left of the name of the IPS brute-force rule you
want to suppress.
6. Select Suppress.
7. Click Commit.
IPS Event Notifications
In addition to displaying IPS events and IPS alerts in the IPS Events page of the Web UI, you can configure the
platform to send FireEye notifications for IPS events. IPS event notifications contain the following information:
Configuration details are provided in the Setting Up IPS section of this guide. See Configuring How IPS Event
Notifications Are Sent.
l instant—Send notification only when an IPS event is detected. This is the default value.
l confirmation—Send notification only if an IPS event is verified to be either an IPS alert or not an attack.
l dual—Send notifications both when an IPS event is detected and when an attack has been confirmed.
By default, the system is configured to use instant delivery mode, which is useful in an organization that archives
notifications and then filters and analyzes the information later. When you first activate IPS features, we recommend
that you use dual mode so that you see both detection and confirmation of IPS events. If your organization does not
archive the volume of notifications generated in this mode, you can decrease the volume of notifications by using
confirmation mode.
Configuration details are provided in the Setting Up IPS section of this guide. See Testing IPS Event Notifications
(Web UI).
l After you initiate an IPS test-fire event, the event appears in the IPS Events page for approximately 5 minutes
before it disappears from the page display and the events database. IPS test-fire events are listed with the rule
name IPS-TEST-FIRE: Malicious PDF Downloaded.
l If a configured notification method (email, HTTP, rsyslog, or SNMP) fails, correct the notification settings, and
then repeat the test.
Testing details are provided in the Setting Up IPS section of this guide. See Configuring When IPS Event
Notifications Are Sent.
IPS Event Acknowledgment
This topic covers the following information:
Acknowledged IPS events are not reflected in the statistics that appear on the right side of the control bar:
Acknowledged IPS events are not reflected in the What's Happening panel of the Dashboard. For more
information, see Dashboard > What's Happening.
To include all acknowledged event entries again, select the Show ACK Events option near the center of the control
bar. In the second column, a green triangle ( ) indicates that the entry represents a group of acknowledged IPS
events.
To view the details for a group of acknowledged IPS events, click the green triangle ( ) in the second column.
If you are managing your IPS-enabled appliance from a CM Series appliance, you can acknowledge IPS events
locally at the NX Series appliance or remotely from the CM Series appliance. If you acknowledge IPS events locally,
the updated acknowledgment information is aggregated at the CM Series appliance. However, if you acknowledge
IPS events remotely, the updated acknowledgment information is aggregated at the CM Series appliance but is not
pushed to the NX Series appliance you updated.
Prerequisites
Procedure
2. (Optional) To change the entries retrieved, use any of the following options in the control bar:
3. (Optional) To filter the entries retrieved, use any of the following Show / Hide Filters options in the heading
row. For a description of each field, see IPS Events Page.
l Victim IP
l Attacker IP
l CVE-ID
l Severity
l # IPS Events
l Rule
l Category
l Protocol
l Badges
4. Select the checkbox ( ) in the leftmost column of the list heading row.
If you want to unselect all entries visible on the current page, clear the checkbox in the heading row.
All entries retrieved (including entries not visible on the current page) are selected.
If you want to unselect all entries not visible in the current page, click Clear All.
If you want to unselect all entries visible on the current page, clear the checkbox in the leftmost column of the
list heading row.
The list refreshes. If Show Ack Events (located near the center of the control bar) is not selected, the
acknowledged entries no longer appear anywhere in the IPS Events pages.
Prerequisites
Procedure
2. (Optional) To change the entries retrieved, use any of the following options in the control bar:
3. (Optional) To filter the entries retrieved, use any of the following Show / Hide Filters options in the heading
row. For a description of each field, see IPS Events Page.
l Victim IP
l Attacker IP
l CVE-ID
l Severity
l # IPS Events
l Rule
l Category
l Protocol
l Badges
5. Select the checkbox ( ) in the leftmost column of the list heading row.
If you want to unselect all entries visible on the current page, clear the checkbox in the heading row.
The list refreshes. If Show Ack Events (located near the center of the control bar) is not selected, the
acknowledged entries no longer appear anywhere in the IPS Events pages.
You cannot undo the acknowledgment of an IPS event entry. For more information, see About IPS Event
Acknowledgment.
Prerequisites
Procedure
2. (Optional) To change the entries retrieved, use any of the following options in the control bar:
3. (Optional) To filter the entries retrieved, use any of the following Show / Hide Filters options in the heading
row. For a description of each field, see IPS Events Page.
l Victim IP
l Attacker IP
l CVE-ID
l Severity
l # IPS Events
l Rule
l Category
l Protocol
l Badges
5. Select the checkbox ( ) in the leftmost column of the list heading row.
If you want to unselect all entries visible on the current page, clear the checkbox in the heading row.
6. Clear selections until only the entries you want to acknowledge remain selected.
The list refreshes. If Show Ack Events (located near the center of the control bar) is not selected, the
acknowledged entries no longer appear anywhere in the IPS Events pages.
Prerequisites
Procedure
The list refreshes to include acknowledged IPS events. In the second column, a green triangle ( ) indicates
that the entry represents a group of acknowledged IPS events.
3. To view the details for a group of acknowledged IPS events, click the green triangle ( ) in the second column.
About IPS Policies
This topic covers the following information:
l You activate an IPS policy by applying it to monitoring interfaces on your appliance. If your appliance has more
than one monitoring interface, you can apply an IPS policy to each interface separately.
l While an IPS policy is active, the monitoring interface to which the policy is applied is also said to be active.
When you apply an IPS policy to a monitoring interface, the IPS-enabled rules engine uses the policy-selected IPS
rules to analyze the network traffic traversing the interface. When the rules engine matches a traffic flow to an active
IPS rule, the platform generates an IPS event. If a client-targeted IPS event is found to correlate with MVX-verified
malware attacks detected by standard NX Series features, the platform generates an IPS alert for the IPS event.
If no IPS policies are active on an IPS-enabled platform, the appliance uses only standard NX Series content rules
to analyze traffic passing through the monitoring interfaces. Threat protection for that traffic is limited to detection of
HTTP-based malware attacks directed at client machines.
The following table lists the default IPS policies and each policy's rule-selection attributes.
Default IPS Policy: Comprehensive
Description: Selects both client-centric and server-centric rules, regardless of the attack severity level.
Values of Rule-Matching Attributes: attack-target = client, server; min-severity = 1; max-severity = 10
The default IPS policies are typically sufficient for your initial baselining. If you want to refine the IPS rule-selection
criteria, you can use custom IPS policies.
You must specify values for the attack target type and range of attack severity level. You can configure optional
criteria based on attack category, attack subcategory, and protocol used as the attack vector. You can configure
optional rule exclusion and rule inclusions based on signature ID.
l active—Indicates whether the IPS policy is active on one or more monitoring interfaces.
l writeable—Indicates whether the IPS policy is configurable. Only custom IPS policies are configurable.
l modified_date—Date and time at which the IPS policy was last modified.
Policy state attributes are inherent to every IPS policy, and they are maintained by the system. Policy state attributes
are not used to select IPS rules, and they are not directly configurable. For more information about policy state
attributes, see the show ips policies CLI command description.
attack-target
The policy matches vulnerabilities or IPS rules oriented toward client systems, server systems, or both:
l client—Matches rules oriented toward client systems.
l server—Matches rules oriented toward server systems.
min-severity
The policy matches vulnerabilities or IPS rules that cover attacks of the specified severity level or greater.
Range: 1 through 10.
max-severity
The policy matches vulnerabilities or IPS rules that cover attacks of the specified severity level or less.
Range: 1 through 10.
category
The policy matches vulnerabilities or IPS rules that cover attacks of the specified attack category:
l brute_force
l command_execution
l cross-site_scripting
l denial_of_service
l directory_traversal
l exploit
l policy_bypass
l reconnaissance
l other
subcategory
If a category match attribute is specified, you can narrow the category match to rules that cover the specified
type of attack subcategory.
brute_force subcategories:
l telnet-bf
l ftp-bf
l vnc-bf
l mysql-bf
l smb-bf
l rsh-bf
l postgresql-bf
l rlogin-bf
command_execution subcategories:
l input_validation_error
l directory_traversal
cross-site_scripting subcategories:
l input_validation_error
l other
denial_of_service subcategories:
l input_validation_error
l resource_exhaustion
l other
directory_traversal subcategories:
l information_disclosure
l input_validation_error
exploit subcategories:
l code_execution
l command_execution
l command_injection
l design_weakness
l directory_traversal
l information_leakage
l input_validation_error
l other
policy_bypass subcategories:
l authentication_weakness
reconnaissance subcategories:
l authentication_weakness
l information_disclosure
l other
other subcategories:
l pingsweep
l tcp_portscan
l udp_portscan
protocol
The policy matches vulnerabilities or IPS rules related to the specified network protocols. For protocols that
use encryption, the IPS-enabled rules engine inspects the initial negotiation messages only. At the time of
this software release, IPS rules detect threats that exploit the following protocols:
AgentX, Arkeia Network Backup Client, Autonomy Connected Backup, Avaya WinPDM,
BakBone NetVault, BigAnt Server, Blue Coat BCAAA, CA ARCserve, CA eTrust, CA License,
CA Products, CA Products Discovery Service, Cisco UCM, Citrix, CUPS, CVS, DCE-RPC, DHCP,
Digium Asterisk, DNS, EMC, eSignal, Ethereal, Flexera FlexNet manager, FTP,
Fujitsu SystemcastWizard, GAIM, Ganglia Meta Daemon, GDS DB, GE Proficy, GIMP, GIOP,
HP Data Protector, HP Intelligent Mgmt Center, HP LeftHand Virtual SAN, HP Mercury,
HP OpenView, HP Operations Agent, HP StorageWorks, HTTP, http, IAX2, IBM DB2, IBM Director,
IBM SolidDB, IBM Tivoli, ICQ, IEC 61131, IMAP, Intellicom NetBiter Config, IPSwitch WS_
FTP, IRC, ISAKMP, iSCSI, KADM5, Kerberos, KPASSWD, LANDesk Management Suite, LDAP, LLMNR, LPD,
McAfee ePO, Microsoft TMG, MMS, MS Host Integration Server, MSN Messenger, NCP, NDMP,
NetBIOS, NFS, NMAP, NNTP, Novell Netware, Novell ZENworks, NTP, Oracle WebLogic, POP3,
Portmap, Quest Software Big Brother, RADIUS, RAW, RDP, RIM BlackBerry Server, RMI, RPC, RSH,
RTMP, RTSP, sadmind, SADMIND, SAP MaxDB, SAP NetWeaver, SCADA, Siemens SIMATIC WinCC, SIP,
SKINNY, SMS, SMTP, SNMP, SOCKS, SpamAssassin, SQL, Squid Proxy, SSH, Symantec, TDS, Telnet, TFTP,
Timbuktu, TLS, TNS, TrendMicro, Trillian IM, Unisys BIS, VMware, VNC, WCCP, WHO, WINS,
Yahoo Messenger, and Zend Technologies Zend Server.
NOTE: This list is dynamic and subject to expansion as the FireEye Research Labs team discovers new
vulnerabilities and responds by updating threat detection algorithms and delivering new IPS rules.
exclude
Exclude the IPS rule that contains the specified signature ID. This attribute overrides the match attributes of
the policy.
include
Include the IPS rule that contains the specified signature ID.
For more information, see Editing the Rule Inclusion and Exclusion Attributes of IPS Policy (CLI) and Excluding
Rules or Overriding the Actions of Rules Selected by an IPS Policy (Web UI).
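The rule-selection semantics above, as an added Python model that is not FireEye's implementation: a policy matches rules on the required attack-target and severity range, optionally narrows by category, subcategory and protocol, and then applies include and exclude by signature ID. The guide states that exclude overrides the match attributes; applying it after include as well is an assumption, and the rules database, its signature IDs and rule names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

VALID_TARGETS = {"client", "server"}


@dataclass(frozen=True)
class Rule:
    """One entry of a constructed IPS rules database (not FireEye content)."""
    sid: int                 # signature ID (constructed)
    name: str
    target: str              # client or server
    severity: int            # 1 through 10
    category: str
    subcategory: str
    protocol: str


@dataclass
class Policy:
    attack_target: set                        # required: {"client"}, {"server"} or both
    min_severity: int = 1                     # required
    max_severity: int = 10                    # required
    category: Optional[str] = None            # optional
    subcategory: Optional[str] = None         # optional, only meaningful with category
    protocol: Optional[str] = None            # optional
    include: set = field(default_factory=set)  # signature IDs added regardless of the match attributes
    exclude: set = field(default_factory=set)  # signature IDs removed; overrides everything else

    def __post_init__(self):
        if not self.attack_target or not self.attack_target <= VALID_TARGETS:
            raise ValueError("attack-target must be client, server or both")
        if not 1 <= self.min_severity <= self.max_severity <= 10:
            raise ValueError("severity range must lie within 1 through 10")
        if self.subcategory and not self.category:
            raise ValueError("subcategory narrows a category match and needs category set")

    def matches(self, rule):
        """Attribute match only; include and exclude are applied in select()."""
        if rule.target not in self.attack_target:
            return False
        if not self.min_severity <= rule.severity <= self.max_severity:
            return False
        if self.category and rule.category != self.category:
            return False
        if self.category and self.subcategory and rule.subcategory != self.subcategory:
            return False
        if self.protocol and rule.protocol != self.protocol:
            return False
        return True

    def select(self, rules):
        """Signature IDs the policy enables, sorted: matches plus includes, minus excludes."""
        selected = {r.sid for r in rules if self.matches(r)} | set(self.include)
        return sorted(selected - set(self.exclude))


# Constructed rules database; the IDs and names are illustrative only.
CONSTRUCTED_RULES = [
    Rule(1001, "EXAMPLE-HTTP-RCE", "client", 9, "exploit", "code_execution", "HTTP"),
    Rule(1002, "EXAMPLE-TELNET-BF", "server", 7, "brute_force", "telnet-bf", "Telnet"),
    Rule(1003, "EXAMPLE-FTP-BF", "server", 4, "brute_force", "ftp-bf", "FTP"),
    Rule(1004, "EXAMPLE-XSS", "client", 3, "cross-site_scripting", "input_validation_error", "HTTP"),
    Rule(1005, "EXAMPLE-DNS-DOS", "server", 10, "denial_of_service", "resource_exhaustion", "DNS"),
]


def comprehensive_policy():
    """The guide's Comprehensive default policy: client and server, severity 1 through 10."""
    return Policy(attack_target={"client", "server"})


def demo():
    """Returns the selections of three policies over the constructed database."""
    comp = comprehensive_policy().select(CONSTRUCTED_RULES)
    # Server brute-force rules of severity 5 or higher: the FTP rule (severity 4) is left out.
    srv_bf = Policy({"server"}, 5, 10, category="brute_force").select(CONSTRUCTED_RULES)
    # Same policy with overrides: include pulls in a client XSS rule that the match
    # attributes would never select, exclude removes the Telnet rule that they do select.
    overridden = Policy({"server"}, 5, 10, category="brute_force",
                        include={1004}, exclude={1002}).select(CONSTRUCTED_RULES)
    return comp, srv_bf, overridden


if __name__ == "__main__":
    print(demo())
```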
Settings > IPS Page
This topic covers the following information:
Policy Name
Names of the default IPS policies and custom IPS policies you have defined.
Active on Interface
The monitoring interfaces on which the policy is active.
Rules Enabled
Total number of IPS rules selected by the policy.
Actions
Actions you can take on any IPS policy:
l Apply Policy—(If policy is inactive) Apply to a monitoring interface.
l Apply Policy to another Interface—(If policy is already active) Apply to a monitoring interface.
l Remove Policy from Interface—Remove from the monitoring interfaces.
For information about the Web UI page used to edit IPS policies, see Settings > IPS > Policy Editor Page.
Recon Status
To toggle the status (ON or OFF) of IPS detection of reconnaissance activity, click Change. For more
information, see IPS Detection of Reconnaissance Activity.
Settings > IPS > Policy Editor Page
You open the Policy Editor page from the Actions column of the Settings > IPS page:
l Clone or Clone and Edit—For a custom or default policy, click this link to create a clone, edit the clone, save
the clone as a custom policy, and optionally apply the new policy to monitoring interfaces.
l Edit—For a custom IPS policy, click this link to edit the policy and then optionally apply the updated policy to
monitoring interfaces.
The following example shows the Policy Editor page for a clone of the FireEye_Default policy:
You can perform the following operations in the Policy Editor page:
l Enable or disable forced blocking for an IPS rule matched by the policy.
l Save your changes and optionally apply the policy to monitoring interfaces.
These operations are described in Editing an IPS Policy. The remainder of this topic provides an overview of the
elements in the Policy Editor page.
x enabled | y blocked
Displays summary information about the rules selected by the policy:
l x—Number of active rules.
l y—Number of active rules that block malicious traffic (by rule definition or policy override).
l Severity range—Minimum and maximum attack severity levels covered by the vulnerabilities or IPS
rules matched by the policy.
l Attack target list—Protection orientation of the matched rules: client, server, or both.
Enabled
This option is selected if the rule is enabled for the IPS policy you are viewing.
Rule Name
Name of an IPS rule in the appliance's IPS rules database.
Custom Rule
Category
Threat category detected by the rule. For more information about this optional rule-match attribute, see
Attributes of IPS Policies.
Severity
Threat severity level covered by the rule. For more information about this required rule-match attribute, see
Attributes of IPS Policies.
Direction
Orientation of threats detected by the rule:
l to_client
l from_server
l both
CVE (Reference ID)
Identification number of the Common Vulnerabilities and Exposures (CVE) database entry that describes
the vulnerability covered by the rule.
Protocol
Network protocol used by the threat detected by the rule. For more information about this optional rule-
match attribute, see Attributes of IPS Policies.
Block
This option is selected if the rule is forced to block matched traffic for the IPS policy you are viewing.
Prerequisites
l Log in to the CLI of the IPS-enabled appliance as Monitor, Analyst, Operator, or Admin.
Procedure
The following example displays the attributes of the custom IPS policy named myCustom1.
Fingerprint of policy :
2014/09/25 10:24:48 | 287fd1bda05326809e195cccf5e9798c
Prerequisites
Procedure
2. Display the appliance interfaces and the current application of IPS policies to monitoring interfaces.
In the following example, the appliance has two monitoring interfaces and two default IPS policies are active
on the interfaces.
Prerequisites
Procedure
The following example shows that the newly created custom policy has the same match attributes as the
Comprehensive default IPS policy, which does not specify rule exclusion or inclusion attributes. For more
information, see Attributes of IPS Policies.
Fingerprint of policy :
2014/09/26 09:51:36 | 791c1c0bcd3b604630616acac14a96b1
4. (Optional) To modify the rule-matching attributes of the new IPS policy, see Editing the Rule Match Attributes of
an IPS Policy (CLI).
5. (Optional) To modify the rule exclusion and inclusion attributes of the new IPS policy, see Editing the Rule
Inclusion and Exclusion Attributes of an IPS Policy (CLI).
You can clone an IPS policy using either the Web UI or the CLI of an IPS-enabled NX Series appliance:
Prerequisites
NOTE: If you are managing the IPS-enabled platform from a CM Series appliance, an Operator has view
access only.
Procedure
2. In the row for the IPS policy you want to apply, click the Apply Policy link (if the policy is not currently active) or
the Apply Policy to Another Interface link (if the policy is already active on an interface).
You can apply the policy to one or more interfaces, depending on the number of monitoring ports on your
NX Series appliance. The following example shows an Apply Policy dialog box for an appliance that has two
interfaces.
3. Select the interface to which you want to apply the policy. The following guidelines apply to this step:
l If the IPS policy is already active, the dialog box shows the interface to which it is already applied.
l If you apply an IPS policy to an interface that already has a policy, the system automatically removes the
previous policy from the interface and applies the newly specified policy.
l If your environment uses asymmetric routing, apply the same IPS policy to both monitoring interfaces. If
request and response packets traverse separate links to the two monitoring interfaces, the platform
applies the same IPS rules to the upstream and downstream traffic.
4. To apply the selected IPS policy now, click Apply Policy, and then click Done.
The table shows the current status of the IPS policies defined on the appliance.
Prerequisites
Procedure
The following example creates a clone of the FireEye_Default default policy and names the clone
myCustom1.
The following example shows that the newly created custom policy has the same match attributes, and therefore the
same fingerprint, as the default IPS policy from which it was cloned.
Fingerprint of policy :
2014/09/26 08:55:55 | 791c1c0bcd3b604630616acac14a96b1
4. (Optional) If you want to modify the rule-matching attributes of the new policy, see Editing the Rule Match
Attributes of an IPS Policy (CLI).
5. (Optional) If you want to modify the rule exclusion or inclusion attributes of the new policy, see Editing the Rule
Inclusion and Exclusion Attributes of an IPS Policy (CLI).
Editing an IPS Policy
You can edit certain attributes of a custom IPS policy. For a description of all attributes of an IPS policy, see
Attributes of IPS Policies.
Using the Web UI, you can disable and re-enable IPS rules matched by the policy. You can also override the
blocking action specified by a rule matched by the policy. Using the CLI, you can edit the rule match, rule inclusion,
and rule exclusion attributes of a policy.
l Editing the Rule Inclusion and Exclusion Attributes of an IPS Policy (CLI)
l Editing the Rule Inclusion and Exclusion Attributes of an IPS Policy (Web UI)
NOTE: You cannot edit a default IPS policy, but you can edit a clone of a default IPS policy.
Prerequisites
NOTE: If you are managing the IPS-enabled platform from a CM Series appliance, an Operator has view
access only.
Procedure
2. Display the match attributes of the custom IPS policy you want to modify.
In the following example, the custom IPS policy named myCustom1 is a clone of the default IPS policy named
Comprehensive and does not currently specify any of the optional match attributes.
Fingerprint of policy :
2014/09/26 09:51:36 | 791c1c0bcd3b604630616acac14a96b1
In the following example, one match attribute (attack-target client) is removed from the policy, one match
attribute (min-severity) is overwritten with a new value, and an optional match attribute is added.
4. Verify your changes, and note that the policy fingerprint is also changed.
Fingerprint of policy :
2014/09/26 11:29:05 | a3c225e74dc2904e2a1109d707f3e963
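The rule-selection logic that the match, include and exclude attributes describe, and the "x enabled | y blocked" summary and fingerprint behaviour shown in the Policy Editor and CLI examples above, can be modelled in a few dozen lines. The following is an added example, not FireEye code: the rule database, signature IDs, severity scale and attribute names are constructed, and the fingerprint is a 32-hex digest over the policy's canonical attribute text (the page only shows that the fingerprint is a 32-hex value that changes when attributes change; the hash algorithm and layout here are assumptions).

```python
"""Constructed model of IPS policy rule selection (added example, not
FireEye code).  A policy selects rules by match attributes; explicit
exclude/include entries keyed by signature ID override those matches."""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    sig_id: str      # eight-digit signature ID (constructed values below)
    name: str
    severity: int    # 1 (low) .. 4 (critical); constructed scale
    target: str      # "client" or "server"
    protocol: str
    category: str
    action: str      # "block", "noblock" or "blockable"


# Constructed sample of an IPS rules database; names and IDs are invented.
RULES_DB = [
    Rule("10000001", "HTTP client heap overflow", 4, "client", "HTTP", "exploit", "block"),
    Rule("10000002", "Exploit Kit Landing Page", 3, "client", "HTTP", "exploit-kit", "blockable"),
    Rule("10000003", "SMB share enumeration", 2, "server", "SMB", "recon", "noblock"),
    Rule("10000004", "SSH password brute force", 2, "server", "SSH", "brute-force", "noblock"),
    Rule("10000005", "Adware beacon", 1, "client", "HTTP", "adware", "noblock"),
]


@dataclass
class Policy:
    name: str
    min_severity: int = 1                                   # required match attributes
    max_severity: int = 4
    attack_targets: frozenset = frozenset({"client", "server"})
    protocols: frozenset = frozenset()                      # optional: empty = any
    categories: frozenset = frozenset()                     # optional: empty = any
    include: set = field(default_factory=set)               # signature IDs forced in
    exclude: set = field(default_factory=set)               # signature IDs forced out
    forced_block: set = field(default_factory=set)          # Web UI Block column override

    def matches(self, r: Rule) -> bool:
        return (self.min_severity <= r.severity <= self.max_severity
                and r.target in self.attack_targets
                and (not self.protocols or r.protocol in self.protocols)
                and (not self.categories or r.category in self.categories))

    def select(self, db):
        """Rules enabled by the policy: an exclude entry wins over both the
        match attributes and an include entry; an include entry adds a rule
        the match attributes alone would not select."""
        return [r for r in db
                if r.sig_id not in self.exclude
                and (r.sig_id in self.include or self.matches(r))]

    def summary(self, db) -> dict:
        """The 'x enabled | y blocked' header of the Policy Editor page."""
        sel = self.select(db)
        blocked = [r for r in sel
                   if r.action == "block" or r.sig_id in self.forced_block]
        sevs = [r.severity for r in sel]
        return {"enabled": len(sel), "blocked": len(blocked),
                "severity_range": (min(sevs), max(sevs)) if sevs else None,
                "attack_targets": sorted({r.target for r in sel})}

    def fingerprint(self) -> str:
        """32-hex digest over the canonical attribute text.  The name is left
        out so that a clone fingerprints the same as its source.  Assumption:
        the appliance's actual algorithm and layout are not documented."""
        canon = "|".join([
            f"min-severity={self.min_severity}",
            f"max-severity={self.max_severity}",
            "attack-target=" + ",".join(sorted(self.attack_targets)),
            "protocol=" + ",".join(sorted(self.protocols)),
            "category=" + ",".join(sorted(self.categories)),
            "include=" + ",".join(sorted(self.include)),
            "exclude=" + ",".join(sorted(self.exclude)),
        ])
        return hashlib.sha256(canon.encode()).hexdigest()[:32]


def demo() -> dict:
    """Clone a policy, then edit its match, include and exclude attributes
    the way the CLI examples on this page do, and watch the fingerprint."""
    source = Policy("Comprehensive", min_severity=2)
    clone = Policy("myCustom1", min_severity=2)
    edited = Policy("myCustom1", min_severity=2,
                    attack_targets=frozenset({"server"}),   # client removed
                    protocols=frozenset({"SSH"}),           # optional attribute added
                    include={"10000002"},                   # forced in although target=client
                    exclude={"10000004"},                   # forced out although it matches
                    forced_block={"10000002"})              # Block column override
    return {
        "clone_matches_source": clone.fingerprint() == source.fingerprint(),
        "edit_changed_fingerprint": edited.fingerprint() != clone.fingerprint(),
        "source_summary": source.summary(RULES_DB),
        "edited_rules": [r.sig_id for r in edited.select(RULES_DB)],
        "edited_summary": edited.summary(RULES_DB),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two points a practitioner should take from the page: the clone and its source produce the same fingerprint until an attribute changes, and the include/exclude entries decide membership regardless of the match attributes (the excluded SSH rule is dropped although it matches; the excluded-by-target exploit-kit rule is pulled in and counted as blocked only because of the Block column override).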
NOTE: You cannot edit a default IPS policy, but you can edit a clone of a default IPS policy.
Prerequisites
l Know the signature ID of the IPS rule that you want to reference. You obtain rule signature IDs from a FireEye
customer support representative, or in the drill-down view of an entry in the IPS Events page. For more
information, see IPS Events Page Drill-Down View.
Procedure
2. Display the attributes of the custom IPS policy you want to modify.
Fingerprint of policy :
2014/09/26 09:51:36 | 791c1c0bcd3b604630616acac14a96b1
The following example adds one rule-exclusion attribute and two rule-inclusion attributes to the custom IPS
policy myCustom3.
Fingerprint of policy :
2014/09/26 11:40:21 | 30b14d7ea2ddcae7ccdc6b41ff2c6110
Prerequisites
Procedure
2. For the IPS policy you want to view and configure, open the Policy Editor page:
l For a custom policy, click either Clone or Edit in the Actions column.
The page lists all IPS rules in the appliance database. You can filter the list on the Rule Name and CVE ID
fields. You can sort the list on the other columns of the table. For more detailed information, see
Settings > IPS > Policy Editor Page.
3. In the text box next to the Search Rules button, type the text string to be matched against the Rule Name and
CVE ID fields.
4. Click Search Rules. The Policy Editor page displays the rules that match the search string.
If you need to clear the filter, clear the search string text box and then click Search Rules.
5. Using the filtered list of IPS rules, you can edit the configuration settings in the Enabled column and in the
Block column:
l Editing the Rule Inclusion and Exclusion Attributes of an IPS Policy (Web UI)
Editing the Rule Inclusion and Exclusion Attributes of an IPS Policy (Web UI)
From the Web UI, you can edit the rule inclusion and exclusion attributes of a custom IPS policy.
NOTE: You cannot edit a default IPS policy, but you can edit a clone of a default IPS policy.
Prerequisites
NOTE: An Operator managing the IPS-enabled platform from a CM Series appliance has view access only.
Procedure
2. For the IPS policy you want to view and configure, open the Policy Editor page:
l For a custom policy, click either Clone or Edit in the Actions column.
The page lists all IPS rules in the appliance database that are selected by the IPS policy.
3. (Optional) Filter the IPS rules on the Rule Name or CVE ID fields. For details, see Filtering the Rules Listed in
the IPS Policy Editor (Web UI).
4. (Optional) Sort the list on the other columns of the table. For more detailed information, see
Settings > IPS > Policy Editor Page.
l To add a rule to the rule inclusion attribute of the policy, select the Enabled option.
l To add a rule to the rule exclusion attribute of the policy, clear the Enabled option.
6. Click Save Custom Policy.
7. If you opened the Policy Editor by cloning a default IPS policy, specify a name for the custom IPS policy that
will hold your changes. Do not specify the name of an existing IPS policy.
8. If you want to apply the changed or new policy to monitoring interfaces, select the interface or interfaces and
then click Apply Policy. Otherwise, click No, I will do it later.
NOTE: You cannot override rule actions for a default IPS policy, but you can edit a clone of a default IPS policy.
Prerequisites
NOTE: An Operator managing the IPS-enabled platform from a CM Series appliance has view access only.
Procedure
2. For the IPS policy you want to view and configure, open the Policy Editor page:
l For a custom policy, click either Clone or Edit in the Actions column.
The page lists all IPS rules in the appliance database that are selected by the IPS policy.
3. (Optional) Filter the IPS rules on the Rule Name or CVE ID fields. For details, see Filtering the Rules Listed in
the IPS Policy Editor (Web UI).
4. (Optional) Sort the IPS rules on the other columns of the table. For more detailed information, see
Settings > IPS > Policy Editor Page.
5. Configure the action performed by matched rules that are enabled for this policy:
l To allow an enabled rule to perform the action specified in the rule definition, leave the Block option
unselected.
l To force an enabled rule to block traffic when matched for this policy, select the Block option.
NOTE: The settings you configure in the Block column are specific to this IPS policy only. The settings do not
impact the individual IPS rule definitions.
6. Click Save Custom Policy.
7. If you opened the Policy Editor by cloning a default IPS policy, specify a name for the custom IPS policy that
will hold your changes. Do not specify the name of an existing IPS policy.
8. If you want to apply the changed or new policy to monitoring interfaces, select the interface or interfaces and
then click Apply Policy. Otherwise, click No, I will do it later.
Prerequisites
NOTE: If you are managing the IPS-enabled platform from a CM Series appliance, an Operator has view
access only.
l Make sure that the IPS policy is not applied to any monitoring interfaces.
l If the policy you want to delete is active, click the Remove Policy from Interface link to remove the policy
from an interface.
Procedure
3. Verify that the entry for that policy no longer appears in the table.
Prerequisites
l Make sure that the IPS policy is not applied to any monitoring interfaces.
l If the policy you want to delete is active, use the show ips interfaces command to display the interface to
which the policy is applied, and then use the no ips apply command to remove the policy from an
interface.
Procedure
You can apply IPS policies to monitoring interfaces by using either the Web UI or the CLI.
Prerequisites
l (Optional) If you need more specific rule-selection criteria than are provided by the default IPS policies,
configure custom IPS policies. For more information, see IPS Policy Configuration.
Procedure
2. In the row for the IPS policy you want to apply, click the Apply Policy link (if the policy is not currently
active) or the Apply Policy to Another Interface link (if the policy is already active on an interface).
You can apply the policy to one or more interfaces, depending on the number of monitoring ports on your
NX Series appliance. The following example shows an Apply Policy dialog box for an appliance that has
two interfaces.
3. Select the interface to which you want to apply the policy. The following guidelines apply to this step:
l If the IPS policy is already active, the dialog box shows the interface to which it is already applied.
l If you apply an IPS policy to an interface that already has a policy, the system automatically removes
the previous policy from the interface and applies the newly specified policy.
l If your environment uses asymmetric routing, apply the same IPS policy to both monitoring interfaces.
If request and response packets traverse separate links to the two monitoring interfaces, the platform
applies the same IPS rules to the upstream and downstream traffic.
4. To apply the selected IPS policy now, click Apply Policy, and then click Done.
The table shows the current status of the IPS policies defined on the appliance.
Prerequisites
l (Optional) If you need more specific rule-selection criteria than are provided by the default IPS policies,
configure custom IPS policies. For more information, see IPS Policy Configuration.
Procedure
2. Display the appliance interfaces and the current application of IPS policies to appliance interfaces.
In the following example, the appliance has two monitoring interfaces. A default IPS policy is active on one
interface, and no IPS policy is active on the other interface.
NOTE: For IPS-enabled platforms deployed in environments with asymmetric routing, apply the same IPS
policy to both monitoring interfaces. If request and response packets traverse separate links to the two
monitoring interfaces, the platform applies the same IPS rules to the upstream and downstream traffic.
The following example applies the IPS custom policy named myCustom1 to both monitoring interfaces,
replacing the FireEye_Default on interface A.
To delete a custom IPS policy definition from an IPS-enabled platform, see Deleting a Custom IPS Policy.
Prerequisites
Procedure
To stop applying policy-selected IPS rules to the traffic at all monitoring interfaces:
1. Open the Settings > IPS page.
In the following example, the default IPS policy FireEye_Default is applied to monitoring interface A.
2. To remove IPS policies from all monitoring interfaces, click Remove Policies from All Interfaces and then
click Yes.
When no IPS policies are applied, the appliance functions as a standard NX Series appliance.
l The platform continues to detect malware. Additional MVX-verified malware (malware alerts) continue to
appear in the Alerts > Hosts and the Alerts > Alerts pages.
l The platform no longer detects IPS events. No additional MVX-correlated IPS events (IPS alerts) appear in
the Alerts > Hosts, Alerts > Alerts, or IPS Events pages.
Prerequisites
Procedure
To stop applying policy-selected IPS rules to the traffic at all monitoring interfaces:
1. Enter CLI configuration mode.
2. Display the appliance interfaces and the current application of IPS policies to appliance interfaces.
In the following example, the appliance has two monitoring interfaces and two default IPS policies are active
on the interfaces.
Without IPS policies applied to monitoring interfaces, the platform functions as a standard NX Series
appliance:
l The platform continues to detect malware. Additional MVX-verified malware (malware alerts) continue to
appear in the Alerts > Hosts and the Alerts > Alerts pages.
l The platform no longer detects IPS events. No additional MVX-correlated IPS events (IPS alerts) appear in
the Alerts > Hosts, Alerts > Alerts, or IPS Events pages.
To delete a custom IPS policy definition from an IPS-enabled platform, see Deleting a Custom IPS Policy.
Prerequisites
Procedure
2. In the row for the IPS policy you want to remove, click Remove Policy from Interface in the Action column.
In the following example, the default IPS policy named Comprehensive is selected for removal.
3. Select the interface from which you want to remove the policy, click Remove Policy, and then click Done.
The table in the Settings > IPS page shows that the IPS policy is removed from the interface.
Traffic that passes through the interface is analyzed using standard NX Series content rules only.
Prerequisites
Procedure
2. Display the appliance interfaces and the current application of IPS policies to monitoring interfaces.
In the following example, the appliance has two monitoring interfaces and two default IPS policies are active
on the interfaces.
3. To remove an IPS policy from a monitoring interface, enter no ips apply policyName and include the
interface interfaceName parameter to specify the interface from which the policy is to be removed.
In the following example, the IPS custom policy named myCustom1 is removed from interface B.
Traffic that passes through interface B is analyzed using standard NX Series content rules only.
l The Auto Add Rules option is enabled by default. If your platform receives new IPS security content rules, the
system re-evaluates active IPS policies against the updated database of IPS rules.
l If your platform receives new IPS security content rules while Auto Add Rules is disabled, the system does not
re-evaluate active IPS policies against the updated database of IPS rules. In this case, new rules that match an
active policy are not enforced on the interface until you force the platform to re-evaluate the policy by removing
it from the interface and then reapplying it.
l You enable or disable the Auto Add Rules option globally (for all monitoring interfaces on the platform). You
cannot apply the option on a per-port, per-interface, or per-policy basis.
An IPS-enabled platform's rules database can receive new IPS rules from two different sources:
l A scheduled or explicit update of security content that includes new FireEye-provided IPS rules.
l Custom IPS rules that an operator adds to the platform database.
If your IPS-enabled platform is subscribed to the FireEye Dynamic Threat Intelligence (DTI) cloud, you can schedule
daily or hourly downloads of new security content rules available from the DTI cloud, or you can download new
security content rules when you choose. FireEye recommends that you configure your appliance to check for
security content updates either daily or hourly. For more information, see the NX Series System Administration
Guide.
An operator can add, modify, or delete custom IPS rules in the platform database. For more information, see
Importing Custom IPS Rules (Web UI).
Prerequisites
Procedure
l For the only active policy (FireEye_Default) the Auto Add Rules column displays Yes because the feature
is enabled.
If any IPS policies are active, the Auto Add Rules column for those policies reflects the current status of the feature:
l When Auto Add Rules is ON, the Auto Add Rules column displays "Yes" for the active policies. When
security content updates load new IPS rules, the appliance automatically re-evaluates active IPS policies
and—if any new rules match the policy match attributes—the new rules are included at the associated
interface.
l When Auto Add Rules is OFF, the Auto Add Rules column displays No for the active policies. When
security content updates load new IPS rules, the appliance does not automatically re-evaluate active IPS
policies. You can force the platform to re-evaluate active policies by removing the policies from monitoring
interfaces and then re-applying the policies to the interfaces.
In the following example, the Auto Add Rules option (displayed and configured below the table) is disabled
(OFF). The default IPS policy FireEye_Default is active on monitoring interface A, and the Auto Add Rules
column for that policy displays No.
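The Auto Add Rules behaviour described above has an operational consequence worth making explicit: the rule set enforced on an interface is the set computed when the policy was applied, and with the feature off it silently lags the rules database after every content update. The following added example (not FireEye code; the rule data, names and the `Platform` class are constructed for illustration) models that behaviour, the remove-and-reapply workaround, and a check for interfaces whose enforced rule set is stale. It also includes the same-policy-on-all-interfaces check the page recommends for asymmetric routing.

```python
"""Constructed model of Auto Add Rules and policy application to monitoring
interfaces (added example, not FireEye code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sig_id: str
    severity: int
    target: str


@dataclass(frozen=True)
class Policy:
    name: str
    min_severity: int
    targets: frozenset

    def select(self, db) -> frozenset:
        """Signature IDs the match attributes select from the database."""
        return frozenset(r.sig_id for r in db
                         if r.severity >= self.min_severity and r.target in self.targets)


class Platform:
    """Monitoring interfaces, the active policy on each, and the rule set
    that was actually computed for it when the policy was applied."""

    def __init__(self, db, auto_add_rules=True):
        self.db = list(db)
        self.auto_add_rules = auto_add_rules   # global: not per interface or per policy
        self.active = {}                       # interface -> (policy, enforced sig_ids)

    def apply(self, iface, policy):
        # Applying to an interface that already has a policy replaces it.
        self.active[iface] = (policy, policy.select(self.db))

    def remove(self, iface):
        self.active.pop(iface, None)

    def enforced(self, iface) -> frozenset:
        return self.active[iface][1]

    def content_update(self, new_rules):
        """A DTI or custom-rule update: active policies are re-evaluated
        against the grown database only when Auto Add Rules is on."""
        self.db.extend(new_rules)
        if self.auto_add_rules:
            for iface, (policy, _) in list(self.active.items()):
                self.active[iface] = (policy, policy.select(self.db))

    def stale_interfaces(self):
        """Interfaces whose enforced rule set lags the database; the check
        to run after an update while Auto Add Rules is off."""
        return sorted(i for i, (p, cur) in self.active.items()
                      if p.select(self.db) != cur)

    def asymmetric_routing_ok(self) -> bool:
        """Same policy on every monitoring interface, as the page advises."""
        return len({p.name for p, _ in self.active.values()}) <= 1


# Constructed sample data.
INITIAL_DB = [Rule("10000001", 4, "client"), Rule("10000002", 2, "server")]
UPDATE_1 = [Rule("10000003", 3, "client")]   # arrives while Auto Add Rules is off
UPDATE_2 = [Rule("10000004", 4, "server")]   # arrives after it is turned back on


def demo() -> dict:
    p = Platform(INITIAL_DB, auto_add_rules=False)
    pol = Policy("myCustom1", min_severity=2, targets=frozenset({"client", "server"}))
    p.apply("A", pol)
    p.apply("B", pol)
    p.content_update(UPDATE_1)
    after_update = sorted(p.enforced("A"))     # the new rule is not enforced yet
    stale = p.stale_interfaces()               # both interfaces lag the database
    p.remove("A")                              # the documented workaround...
    p.apply("A", pol)                          # ...re-evaluates A only
    stale_after_reapply = p.stale_interfaces()
    p.auto_add_rules = True
    p.content_update(UPDATE_2)                 # now every active policy is refreshed
    return {"after_update": after_update, "stale": stale,
            "stale_after_reapply": stale_after_reapply,
            "final_A": sorted(p.enforced("A")), "final_B": sorted(p.enforced("B")),
            "asymmetric_ok": p.asymmetric_routing_ok()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that reapplying on interface A does nothing for interface B; with Auto Add Rules off, every interface needs its own remove/reapply, which is why the page recommends leaving the option enabled.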
Prerequisites
Procedure
2. Display the status of the automatic IPS rule addition feature for active IPS policies. In the following example,
the Auto-update rules for an active policy field shows that the Auto Add Rules option is enabled.
l If the feature is enabled (if the Auto-update rules for an active policy field displays enabled), you can
disable the feature.
l If the feature is disabled (if the Auto-update rules for an active policy field displays disabled), you can
re-enable the feature.
4. Verify the configuration change. In the following example, the Auto-update rules for an active policy field
shows that the Auto Add Rules option is disabled.
About IPS Blockmode
IPS blockmode is a platform-wide setting that honors, disables, or forces the blocking of traffic matched by IPS
rules. IPS blockmode is enabled by default; in that state, only IPS rules with the blocking action block can drop
matched traffic. The other states of IPS blockmode (disabled and all) override the blocking actions of all IPS rules.
Enabled
When an IPS rule matches a traffic flow, the platform blocks or allows the traffic as specified by the block
action of the rule. If the matched IPS rule specifies the block action value blockable, the system handles the
matched traffic as if the block action value were noblock, except that you can override the blockable action
on a per-rule basis only. See Options to Disable or Force Blocking for a Vulnerability or an IPS Rule.
IPS blockmode is enabled by default.
Disabled
All matched IPS rules act as detection-only rules, even rules that specify blocking.
Disabling of IPS blockmode is useful when you first enable IPS features on an existing deployment of an
NX Series appliance.
IMPORTANT! When IPS blockmode is disabled, IPS rules cannot block malicious activity.
All
All matched IPS rules act as blocking rules, regardless of the block action specified by the rule.
Forced blocking is useful if you are testing the accuracy of every rule in an IPS policy by running the policy
against known test traffic.
When an IPS rule matches a traffic flow, the system generates an IPS event and sends IPS event notifications (if
notifications are configured). The action taken on the traffic flow is determined by two factors:
l The platform-wide IPS blockmode state (enabled, disabled, or all).
l The block action specified by the matched IPS rule (block, noblock, or blockable).
The following table describes the action taken on matched traffic based on the two determining factors.

IPS Blockmode State    Rule action: block    Rule action: noblock    Rule action: blockable
Enabled                Block                 Allow                   Allow
Disabled               Allow                 Allow                   Allow
All                    Block                 Block                   Block
l The CLI configuration ips blockmode disabled, which disables blocking for all IPS rules, takes precedence
over blocking overrides specified for a vulnerability or IPS rule.
l The CLI configuration ips blockmode all, which forces blocking for all IPS rules, takes precedence over blocking
overrides specified for a vulnerability or IPS rule. On such a system, traffic that matches an IPS rule that is
suppressed, or suppressed with its blocking disabled, is blocked regardless of the suppression.
If you want all IPS rules to pass matched traffic, disable IPS blockmode. The appliance operates with standard
malware rules in blocking mode (as specified in the malware rule definitions) but with IPS rules in detection-only
mode, even for IPS rules that specify blocking. This configuration option is relevant only when the platform is
deployed inline and the monitoring interface is configured for inline blocking.
IMPORTANT! When IPS blockmode is disabled, IPS rules with blocking action set to block are not allowed to block
malicious activity detected in the matched traffic.
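The blockmode table and the precedence rules above, together with the per-rule override and suppression semantics described later on this page (overrides apply only to rules whose action is blockable; suppression leaves the rule's blocking action in place unless blocking is disabled at the same time; nothing is dropped on an interface that is not configured for inline blocking), combine into one decision. The following added example encodes that decision as a function and regenerates the page's table from it. It is not FireEye code; the function and type names are assumptions, and the cases it covers are exactly those the page states.

```python
"""Constructed model of the IPS blockmode decision (added example, not
FireEye code): blockmode state x rule block action, with the stated
precedence of the global states over per-rule overrides and suppression."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Blockmode(Enum):
    ENABLED = "enabled"    # default: the rule's own block action decides
    DISABLED = "disabled"  # every IPS rule is detection-only
    ALL = "all"            # every matched IPS rule blocks


RULE_ACTIONS = ("block", "noblock", "blockable")


@dataclass(frozen=True)
class Verdict:
    event: bool   # an IPS event is generated (and notified) unless suppressed
    action: str   # "block" or "allow"


def decide(blockmode: Blockmode, rule_action: str, override: Optional[str] = None,
           suppressed: bool = False, suppress_disables_block: bool = False,
           inline_blocking: bool = True) -> Verdict:
    """Effective handling of a flow that matched one IPS rule.

    override is None, "block" (forced blocking) or "do-not-block" (disabled
    blocking) as configured with `policymgr signature ... on <interface>`.
    Per the guide, an override only changes the outcome for rules whose
    action is blockable, and the global states disabled and all take
    precedence over any override or suppression.
    """
    if rule_action not in RULE_ACTIONS:
        raise ValueError(f"unknown rule action {rule_action!r}")
    if override not in (None, "block", "do-not-block"):
        raise ValueError(f"unknown override {override!r}")

    event = not suppressed

    # Nothing can be dropped unless the interface is deployed inline with
    # inline blocking configured; the platform still alerts.
    if not inline_blocking:
        return Verdict(event, "allow")

    if blockmode is Blockmode.DISABLED:      # global detection-only
        return Verdict(event, "allow")
    if blockmode is Blockmode.ALL:           # global forced blocking, even for
        return Verdict(event, "block")       # suppressed rules and do-not-block overrides

    # Blockmode enabled: the rule's own action decides, modulo overrides.
    if rule_action == "block":
        action = "allow" if (suppressed and suppress_disables_block) else "block"
    elif rule_action == "noblock":
        action = "allow"                     # overrides have no effect here
    else:  # blockable: handled as noblock unless forced per rule/vulnerability
        action = "block" if override == "block" else "allow"
    return Verdict(event, action)


def decision_table() -> dict:
    """Recreate the page's blockmode x rule-action table (no overrides)."""
    return {(bm.value, ra): decide(bm, ra).action
            for bm in Blockmode for ra in RULE_ACTIONS}


if __name__ == "__main__":
    for (bm, ra), act in sorted(decision_table().items()):
        print(f"{bm:9} {ra:9} -> {act}")
    # Forced blocking for a blockable rule on an inline-blocking interface:
    print(decide(Blockmode.ENABLED, "blockable", override="block"))
```

The function makes the two easily missed cases explicit: a per-rule block override is a no-op for a noblock rule, and `ips blockmode all` drops traffic even for a rule that has been suppressed with its blocking disabled, so a suppression configured as an exception for a known-good flow stops protecting that flow the moment blockmode is set to all.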
Prerequisites
Procedure
In the following example, the platform blocks or allows matched traffic as specified by the block action of the
rule (for interfaces configured for inline blocking). This is the default state.
3. Configure the platform to pass all matched packets, even if the matched IPS rule specifies blocking.
4. Verify that you have disabled the blocking actions specified by matched IPS rules.
You can force all matched IPS rules to block traffic. In this mode, all matched IPS rules act as blocking rules,
regardless of the block action specified by the rule. This configuration option is relevant only when the platform is
deployed inline and the monitoring interface is configured for inline blocking.
Prerequisites
Procedure
In the following example, the platform has previously been configured to force all IPS rules to pass matched
traffic.
3. Configure the platform to force all IPS rules to block matched traffic.
4. Verify that you have globally re-enabled the blocking actions specified by matched IPS rules.
If you have disabled IPS blockmode or if you have set IPS blockmode to forced blocking, you can re-enable IPS
blockmode so that the system resumes blocking malicious activity as specified by the active IPS rules. This
configuration option is relevant only when the platform is deployed inline and the monitoring interface is configured
for inline blocking.
Prerequisites
Procedure
In the following example, the platform has previously been configured to disable blocking actions specified by
matched IPS rules.
3. Configure the platform to block or allow matched traffic as specified by the block action of the rule. Only traffic
matched by IPS rules that specify the blocking action block will be blocked.
l Web UI Procedures:
l CLI Procedures:
For interfaces configured for inline blocking, you can configure the IPS-enabled platform to disable or force blocking
of traffic matched by a particular IPS rule. This configuration overrides the blocking action specified within the IPS
rule itself. You can configure the override to apply to one or all monitoring interfaces on the appliance.
l IPS rule—To disable or force blocking for an individual IPS rule, specify the eight-digit signature ID for that rule.
l Vulnerability—Where multiple IPS rules address aspects of the same network vulnerability, you can disable or
force blocking for all of those IPS rules by specifying the signature name for that vulnerability.
Although a blocking policy based on a signature ID can be more specific than a blocking policy based on a
signature name, you cannot determine when this is the case. Therefore, we recommend you specify a signature ID
rather than a signature name when you want to disable or force blocking for an IPS rule.
You can use the signature ID to configure a custom IPS policy that explicitly includes or excludes any IPS rule that
references a specific signature ID. For more information, see Attributes of IPS Policies (rule exclusion and inclusion
attributes) and Modifying a Custom IPS Policy.
NOTE: This configuration applies to interfaces configured for inline blocking only. Furthermore, this configuration
has no effect unless the action option of the IPS rule is defined as blockable, as opposed to noblock.
To display or undo disabled or forced blocking for IPS rules, use the Settings > Inline Policy Exceptions page.
Prerequisites
Procedure
a. In the IPS Events page, identify the IPS event or IPS alert associated with the IPS rule whose action you
want to override.
b. Click the triangle in the left column of that row to open the drill-down view.
c. Decide whether you want to override the rule action at a per-rule level or at a per-vulnerability level.
l To force blocking of traffic that matches an individual IPS rule, you will use the drop-down lists in the
row labeled Set Sig ID Blocking Policy.
l To force blocking of traffic that matches all IPS rules that address the same vulnerability, you will use
the drop-down lists in the row labeled Set Sig Name Blocking Policy.
To understand the difference between applying the override at the rule level or at the vulnerability level,
see About Disabled or Forced Blocking for a Vulnerability or an IPS Rule.
l Block—Force blocking of traffic that matches the vulnerability or rule on the specified interface.
l Unblock—Disable blocking of traffic that matches the vulnerability or rule on the interface.
4. Click Commit.
5. To verify your changes, go to the Settings > Inline Policy Exceptions page. For more information, see
Displaying Overrides to Vulnerabilities or IPS Rules (Web UI).
For more information, see About Forced Blocking for a Vulnerability or an IPS Rule.
Prerequisites
Procedure
2. In the Malware column, locate the entry that lists the IPS rule (identified by a signature ID) or vulnerability
(identified by a signature name) for which you want to disable forced blocking.
4. Click Update.
NOTE: This configuration applies to interfaces configured for inline deployment only. Furthermore, this
configuration has no effect unless the action option of the IPS rule is defined as blockable, as opposed to simply
noblock (the default value).
For more information, see About Disabled or Forced Blocking for a Vulnerability or an IPS Rule.
Prerequisites
Procedure
l To specify a vulnerability, use the name keyword and specify the rule name, enclosed in double quotation
marks. To specify an individual rule, use the id keyword and specify the eight-digit rule identifier.
NOTE: When you display details about blocking or suppression configured for a vulnerability or IPS rule,
the CLI command output truncates rule names to 32 characters.
l To disable blocking, specify the do-not-block exception mode. To force blocking, specify the block
exception mode.
l To specify the interface for which the exception applies, use the on keyword and specify A, B, C, D, or
ALL.
The following example configures forced blocking for traffic that matches all "Exploit Kit Landing Page" rules on
all interfaces. This command applies to interfaces deployed inline and configured for inline blocking.
hostname (config) # policymgr signature name "Exploit Kit Landing Page" block on ALL
Prerequisites
Procedure
l To specify a vulnerability, use the name keyword and specify the rule name, enclosed in double quotation
marks. To specify an individual rule, use the id keyword and specify the eight-digit rule identifier.
l To undo disabled blocking, specify the do-not-block exception mode. To undo forced blocking, specify
the block exception mode.
l To limit the undo operation to a specific interface, use the on keyword and specify A, B, C, or D. If you do
not specify an interface, the system restores the blocking action for the vulnerability or IPS rule on all
interfaces configured for inline blocking and also removes the corresponding signature entry from the
table in the Web UI Settings > Policy Exceptions page.
Both of the following forms of the no policymgr signature command disable forced blocking for traffic that
matches all "Exploit Kit Landing Page" rules on interfaces configured for inline blocking:
l The following command allows the corresponding signature entry to remain in the table, but resets the
Interface and Policy fields to None.
hostname (config) # no policymgr signature name "Exploit Kit Landing Page" block on ALL
l The following command removes the corresponding signature entry from the table.
Before entering no policymgr signature name "Exploit Kit Landing Page" and refreshing the policy manager,
the show command output included an entry for the Exploit Kit Landing Page vulnerability:
After you enter no policymgr signature name "Exploit Kit Landing Page" and refresh the policy manager, no
override is applied to the Exploit Kit Landing Page vulnerability on interface A.
l Web UI procedures:
l CLI procedures:
You can configure an IPS-enabled platform to suppress an IPS rule at one or all monitoring interfaces on the
appliance. Traffic that matches a suppressed IPS rule is handled according to the blocking action specified in the
rule definition. For interfaces configured for inline blocking, you can choose to suppress an IPS rule and at the
same time disable the blocking action specified in the rule definition.
l To suppress an individual IPS rule, specify the signature ID for that rule.
l To suppress all IPS rules that reference a particular vulnerability, specify the signature name for that
vulnerability.
Although a suppression policy based on a signature ID can be more specific than a suppression policy based on a
signature name, you cannot determine when this is the case. Therefore, we recommend you specify a signature ID
rather than a signature name when you want to suppress an IPS rule.
You can use the signature ID to configure a custom IPS policy that explicitly includes or excludes any IPS rule that
references a specific signature ID. For more information, see Attributes of IPS Policies (rule exclusion and inclusion
attributes) and Modifying a Custom IPS Policy.
l Suppression of reconnaissance activity (ping sweeps or port scans) or brute-force attacks must be configured
for all monitoring interfaces. It cannot be configured for individual interfaces.
l The CLI configuration ips blockmode all, which forces blocking for all IPS rules, takes precedence over rule
overrides specified for a vulnerability or IPS rule. On such a system, traffic that matches an IPS rule that is
suppressed or suppressed and disabled is not suppressed and is blocked.
Use suppression to disable IPS rules that, on your network, are noisy and generate false positives.
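The precedence between a rule's own blocking action, a per-rule override, the interface scope of the override, and ips blockmode all, modelled as an added example (not FireEye's code). It assumes that an interface not configured for inline blocking never drops traffic, and that an interface-specific exception is consulted before an ALL entry, which the guide does not state.

```python
"""Effective handling of a flow that matches an IPS rule on one monitoring interface.
Added example, not FireEye's code: it models the precedence this guide states between the
rule's action (block/noblock/blockable), a per-rule override (block, do-not-block, suppress,
suppress-unblock), the interface scope of an override (A-D or ALL) and 'ips blockmode all'.
Assumption: an interface not configured for inline blocking never drops traffic."""
RULE_ACTIONS = ("block", "noblock", "blockable")
OVERRIDES = (None, "block", "do-not-block", "suppress", "suppress-unblock")


def find_override(exceptions, signature, interface):
    """Return the override mode that applies to `signature` on `interface`, or None.

    `exceptions` holds (signature, interface, mode) entries like the rows of the Policy
    Exceptions page; `signature` is a signature ID or a vulnerability (signature) name.
    An entry on ALL applies to every interface; an entry for the specific interface is
    consulted first (assumption: the guide does not state this ordering).
    """
    for wanted in (interface, "ALL"):
        for sig, iface, mode in exceptions:
            if sig == signature and iface == wanted:
                return mode
    return None


def disposition(rule_action, override=None, inline_blocking=False, blockmode_all=False):
    """Return (notify, block): whether an IPS event is raised and whether the flow is dropped."""
    if rule_action not in RULE_ACTIONS or override not in OVERRIDES:
        raise ValueError("unknown rule action %r or override %r" % (rule_action, override))
    notify = override not in ("suppress", "suppress-unblock")
    if not inline_blocking:
        # Monitoring-only interface: block/unblock overrides have no effect and nothing is dropped.
        return (notify, False)
    if blockmode_all:
        # 'ips blockmode all' takes precedence over every per-rule override: not suppressed, blocked.
        return (True, True)
    if override in ("do-not-block", "suppress-unblock"):
        return (notify, False)
    if override == "block":
        # Forced blocking only takes effect on blockable rules (block rules already block).
        return (notify, rule_action in ("block", "blockable"))
    # No override, or plain suppress: the blocking action in the rule definition applies.
    return (notify, rule_action == "block")
```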
Prerequisites
Procedure
a. In the IPS Events page, identify the IPS event or IPS alert associated with the IPS rule you want to
suppress.
b. Click the triangle in the left column of that row to open the drill-down view.
l To suppress an individual IPS rule, you will use the drop-down lists in the row labeled
Set Sig ID Blocking Policy.
l To suppress all IPS rules that address the same vulnerability, you will use the drop-down lists in the
row labeled Set Sig Name Blocking Policy.
NOTE: If you are suppressing an IPS rule that detects reconnaissance activity (ping sweeps or port scans) or
brute-force attacks, you must apply the configuration to all monitoring interfaces. The Web UI does not allow
you to suppress IPS reconnaissance rules or IPS brute-force rules for individual interfaces.
l Suppress—Suppress the vulnerability or IPS rule on the specified interface. Matched traffic is handled
according to the blocking action specified in the rule definition.
l Suppress & Unblock—Suppress the vulnerability or IPS rule and also disable the blocking action
specified in the rule definition. This mode is not available unless the appliance is deployed inline and the
interface is configured for inline blocking mode.
4. Click Commit.
5. To verify your changes, go to the Settings > Inline Policy Exceptions page. For more information, see
Displaying Overrides to Vulnerabilities or IPS Rules (Web UI).
Prerequisites
Procedure
2. In the Malware column, locate the entry that lists the IPS rule (identified by a signature ID) or vulnerability
(identified by a signature name) for which you want to disable suppression.
4. Click Update.
Prerequisites
Procedure
l To specify a vulnerability, use the name keyword and specify the rule name, enclosed in double quotation
marks. To specify an individual rule, use the id keyword and specify the eight-digit rule identifier.
l To suppress the vulnerability or IPS rule, specify the suppress exception mode. When traffic matches a
suppressed vulnerability or IPS rule, the system does not generate notifications and does not log events
in the database. Blocking action is performed as specified by the blocking action in the rule definition.
To suppress the vulnerability or IPS rule and also disable the blocking action specified in the rule
definition, specify the suppress-unblock exception mode. The suppress-unblock mode is valid only for
interfaces configured for inline blocking.
l To specify the interface for which the exception applies, use the on keyword and specify A, B, C, D, or
ALL.
NOTE: If you are suppressing an IPS rule that detects reconnaissance activity (ping sweeps or port scans)
or brute-force attacks, you must apply the configuration to all monitoring interfaces. You cannot suppress
IPS reconnaissance rules or IPS brute-force rules for individual interfaces.
The following example suppresses the individual rule with identifier 85308152 when active on interface B.
Prerequisites
Procedure
l To specify a vulnerability, use the name keyword and specify the rule name, enclosed in double quotation
marks. To specify an individual rule, use the id keyword and specify the eight-digit rule identifier.
l To undo suppression, specify the suppress exception mode. To undo suppression with blocking allowed,
specify the suppress-unblock exception mode.
l To specify the interface on which to disable suppression of the vulnerability or rule, use the on keyword
and specify A, B, C, D, or ALL.
The following example disables suppression of the individual rule with identifier 85308152 when active on
interface A.
Prerequisites
Procedure
The following example shows two overrides to vulnerabilities and one override to an individual IPS rule.
The page lists IPS rule overrides and other policy exceptions in the following columns:
Malware
Name of the vulnerability or signature ID of an individual IPS rule.
Interface
Monitoring interface on which the IPS rule override or other policy exception applies: A, B, C, D, or ALL.
Policy
Override action applied. For information about Block and Unblock, see Options to Disable or Force
Blocking for a Vulnerability or an IPS Rule. For information about Suppress and Suppress&Unblock,
see Options to Suppress a Vulnerability or an IPS Rule.
Delete
Selects the override to be deleted.
2. (Optional) If the list is long, you can filter it on the Malware column.
Custom IPS rules can include descriptions of malware families based on textual or binary patterns contained in
samples of identified families. The custom IPS rule descriptions consist of a set of strings and a Boolean expression
that determines the rule’s logic.
Like IPS events (potential network threats) detected using FireEye-provided or locally generated IPS rules,
IPS events detected using custom IPS rules are confirmed by automatic correlation with client-centric attacks
already verified by the signature-less NX Series rules engines that use the Multi-Vector Execution (MVX) engine on
the appliance.
The IPS-enabled rules engine supports Snort 2.9 rule format, with certain FireEye-specific requirements and
options defined in this section. You can import custom IPS rules into an IPS-enabled platform by uploading an
ASCII file that contains one or more custom IPS rules. Within the file, rules are delimited by a pair of CR-LF
characters.
A custom IPS rule consists of two main components: a rule header followed by a rule body:
rule-header (rule-body)
The rule body is enclosed in parentheses [ ( ) ] and consists of required and optional rule options. Individual rule
options are terminated by a semicolon ( ; ).
The following is an example of a custom IPS rule. Line breaks are inserted for readability only:
Description
Specifies the action to perform, the protocol to which the rule applies, and the source and destination addresses
and ports.
Syntax
Parameters
rule-action
Action to be taken on a packet that matches the rule conditions:
• alert—Send an alert message.
NOTE: If you upload a custom IPS rule with a header that specifies an action other than alert (such as drop,
log, or reject), the behavior of the IPS-enabled rules engine regarding that rule is undefined.
protocol
Type of packet to be analyzed:
• icmp—Internet Control Message Protocol
• ip—Internet Protocol
• tcp—Transmission Control Protocol
• udp—User Datagram Protocol
src-ip
Source IP address match criteria:
• address—Match the single specified numeric address.
• address-A:address-B—Match the range of IP addresses.
• address-A:—Match IP addresses above address-A.
• :address-B—Match IP addresses below address-B.
• any—Match any IP address.
src-port
Source port number match criteria:
• port—Match the specified source port number.
• !port—Do not match the specified source port number.
• port-A:port-B—Match source port numbers within the range.
• !port-A:port-B—Do not match source port numbers within the range.
• any—Match any port number.
directional-op
Direction of traffic to be matched:
• ->—Match unidirectional traffic from source machine to destination machine only.
• <>—Match bidirectional traffic.
dst-ip
Destination IP address match criteria:
• address—Match the single specified numeric address.
• address-A:address-B—Match the range of IP addresses.
• address-A:—Match IP addresses above address-A.
• :address-B—Match IP addresses below address-B.
• any—Match any IP address.
dst-port
Destination port number match criteria:
• port—Match the specified destination port number.
• !port—Do not match the specified destination port number.
• port-A:port-B—Match destination port numbers within the range.
• !port-A:port-B—Do not match destination port numbers within the range.
• any—Match any port number.
Description
The rule body consists of required and optional rule options that follow the same syntax rules as Snort 2.9 rules.
Syntax
(ips-rule-option; [ips-rule-option;])
A custom IPS rule must include the following Snort 2.9 rule options:
sid:signature-ID; [rev:revision;]
Uniquely identifies a custom IPS rule:
• signature-ID—Numeric ID from 85000000 through 85099999. No default value.
• revision—(Optional) As required to uniquely identify the signature. If not specified, default value is 1.
If a custom IPS rule body does not specify this option, the rule is rejected.
IMPORTANT! Except to re-create a particular custom IPS rule, do not re-use the signature-ID of a previously
imported IPS rule, even if you deleted the previous rule and verified that the rule no longer generates
IPS events. The platform user interface can display misleading IPS event information if you import a custom
IPS rule that re-uses the signature-ID of a different IPS rule that you previously imported, applied to a
monitoring interface, and subsequently deleted.
msg:"message-text";
Message to be used with logging or alerts for this rule. Up to 255 ASCII characters enclosed in double
quotes. Valid characters are alphanumeric characters, spaces, a period (.), hyphen (-), or an underscore (_).
No default value. Use the backslash (\) as an escape character as needed to avoid confusing the rule
parser.
IMPORTANT! Messages that begin with "FE" are reserved messages. Using "FE" as the first two characters
of the message string can cause unintended results.
The following FireEye-specific options for custom IPS rules are not required but are recommended.
NOTE: The IPS-enabled rules engine uses default values for any FireEye-specific rule options that are not specified
in the rule body.
action:block-action;
Blocking action that the IPS rules engine is to take, in addition to generating an IPS event:
• block—Drop the current packet and all subsequent packets in the flow.
• noblock—(Default) Allow the current packet and all subsequent packets in the flow to pass.
• blockable—Same as noblock, but enables you to force blocking on a per-rule basis.
See Options to Disable or Force Blocking for a Vulnerability or an IPS Rule.
attack-target:target;
Match traffic flows that target the specified host type. You can specify more than one attack target option.
• client—(Default) Match flows that target a client.
• server—Match flows that target a server.
All IPS policies specify one or more attack target attributes.
protocol:protocol;
Name of the presentation-layer protocol associated with the rule. Up to 32 characters long.
• text-string—Match flows that use the specified protocol as the attack vector. Example: http
• unknown—(Default)
To enable the rule to be selected by a custom IPS policy that specifies one or more protocol match
attributes, include one or more instances of this rule option.
severity:level;
Severity of the vulnerability that the rule detects. Numeric value from 1 to 10. Default value is 10.
category:category-name; [sub_category:target;]
• category-name—Category of the vulnerability that the rule detects.
• target—(Optional) Subcategory of the vulnerability category specified.
For more information, see Attributes of IPS Policies.
The following Snort 2.9 rule options are not required in IPS custom rules but are recommended.
content:[!]"content-string"; [nocase;]
Search packet payload for an exact match of a string and trigger a response based on that data. The search
string can contain mixed text and binary data. Binary data is represented as hexadecimal numbers enclosed
within pipe characters (|). No default value. A custom IPS rule can specify multiple content options.
• !—(Optional) Match on packets that do not contain the specified content.
• nocase—(Optional) When searching for the specified pattern, ignore case.
flow:[ (established | not_established | stateless) ]
[, (to_client | to_server | from_client | from_server) ]
[, (no_stream | only_stream) ]
[, (no_frag | only_frag) ];
Used in conjunction with TCP stream reassembly to apply rules only to certain directions of the traffic flow:
• to_client—Trigger on server responses from A to B.
• to_server—Trigger on client requests from A to B.
• from_client—Trigger on client requests from A to B.
• from_server—Trigger on server responses from A to B.
• established—Trigger on established TCP connections only.
• not_established—Trigger only when no TCP connection is established.
• stateless—Trigger regardless of the state of the stream processor.
• no_stream—Do not trigger on rebuilt stream packets.
• only_stream—Trigger on rebuilt stream packets only.
• no_frag—Do not trigger on rebuilt frag packets.
• only_frag—Trigger on rebuilt frag packets only.
reference:id-system,id-vulnerability; [reference:id-system,id-vulnerability;]
One or more informational references to vulnerabilities described in external attack identification systems.
Referenced vulnerabilities provide additional information about the IPS event generated.
• id-system—Snort rule keyword that identifies the external attack identification system.
• id-vulnerability—Identifier for the vulnerability defined in the attack identification system database.
The following table lists the URL prefixes for the attack identification systems supported for Snort 2.9 rules:
id-system URL Prefix
bugtraq http://www.securityfocus.com/bid/
cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
mcafee http://vil.nai.com/vil/content/v_
msb http://technet.microsoft.com/en-us/security/bulletin/
nessus http://cgi.nessus.org/plugins/dump.php3?id=
osvdb http://osvdb.org/show/osvdb/
secunia http://secunia.com/community/advisories/
url http://
author:"authorName";
Identifies the author of the rule. Default value of authorName is "" (empty string).
Example: author:"John Q. Doe";
release_date:date;
Identifies the date the rule was released, specified in mm-dd-yyyy format. Default value is today's date.
modify_date:date;
Identifies the date the rule was modified, specified in mm-dd-yyyy format. Default value is today's date.
Best Practice: You can export a copy of all of the custom IPS rules from your IPS-enabled platform to an ASCII file
named ips_custom_user_rules.txt. You can add, modify, or delete rules and then import the updated file to the
platform, replacing all of the previously imported custom IPS rules.
Prerequisites
l Create an ASCII text file that contains custom IPS rules. The file must be accessible from the local desktop from
which you access the Web UI of the IPS-enabled platform. For information about the format of a custom IPS
rules file, see Syntax for Custom IPS Rules.
Procedure
To import custom IPS rules from a file accessible from the local desktop:
1. Open the Settings > IPS page.
3. Click Browse, locate the text file that contains the custom IPS rules you want to import, and then click Open.
l If the following message appears, the platform was unable to validate the file and therefore did not import
the rules file. For details, click Download Error Log to download the ips_custom_user_error.txt file.
l If the following message appears, the platform successfully imported the rules and the Web UI displays
the file content below the message.
In the following example, the platform successfully imported four custom IPS rules.
Prerequisites
Procedure
3. Download a text file that contains all custom IPS rules in the database.
a. Click Download File. A dialog box prompts you to open or save the ASCII text file named ips_custom_
user_rules.txt.
b. Specify that you want to open the file in the text editor of your choice or that you want to save the file.
c. Click OK to proceed with your choice and close the dialog box.
The following example shows custom IPS rules downloaded from an IPS-enabled platform and opened in a
text editor:
You can add, modify, or delete individual rules in the file and then import the contents of the updated file back
to the platform.
Prerequisites
Procedure
l Report Overview
l Prerequisites
Report Overview
The IPS Executive Summary report provides a high-level view of IPS statistics for the specified reporting period.
You can request the report to be output as a PDF file or as a CSV file. The format of the report file name is ips_
executive_summary_hostName_dateCreated_timeCreated, where hostName is the host name assigned to your
appliance, and dateCreated and timeCreated identify the date and time the report was created.
The report consists of several sections: a summary of IPS events, IPS Top 10 lists, a percentage breakdown of IPS
critical and major events (severity levels 4 - 10) by threat category, and a trend chart of IPS critical and major alerts.
Events Summary
This section of the report summarizes IPS event counts for the specified reporting period:
l MVX Correlated IPS—Total number of IPS alerts. The platform generates an IPS alert for a traffic flow that
matches one or more IPS rules and has also been correlated with one or more zero-day attacks confirmed
separately by the MVX engine. For details, see the Top 10 MVX-Correlated IPS Events section of this report.
l IPS Critical—Number of IPS events of threat severity level 7 - 10, as shown in the Alerts pages and the
IPS Events page by an icon such as the following:
l IPS Major—Number of IPS events of threat severity level 4 - 6, as shown in the Alerts pages and the
IPS Events page by an icon such as the following:
l IPS Minor—Number of IPS events of threat severity level 1 - 3, as shown in the Alerts pages and the
IPS Events page by an icon such as the following:
This section of the report lists the ten most-triggered IPS rules for the specified reporting period.
NOTE: If you need a report that lists a specific number of most-triggered IPS rules, you can generate an IPS Top N
Attacks report and specify any value for N, from 1 through 100.
This section of the report lists the ten most-triggered IPS rules that detected events that correlate with MVX-verified
malware events during the specified reporting period.
NOTE: If you need a report that lists a specific number of most-triggered IPS rules that detected MVX-correlated
events, you can generate an IPS Top MVX-Correlated report and specify any value for N, from 1 through 100. That
report provides the top MVX-correlated IPS events, the top perpetrators of MVX-correlated IPS events, and the top
victims of MVX-correlated IPS events.
Top 10 Attackers
This section of the report lists the ten most-active attackers found by IPS rules during the specified reporting period.
NOTE: If you need a report that lists a specific number of most-active attackers found by IPS rules, you can generate
an IPS Top N Attackers report and specify any value for N, from 1 through 100.
Top 10 Victims
This section of the report lists the ten most-attacked victims found by IPS rules during the specified reporting period.
NOTE: If you need a report that lists a specific number of most-attacked victims found by IPS rules, you can
generate an IPS Top N Victims report and specify any value for N, from 1 through 100.
This section of the report shows the percentage breakdown of critical and major events (severity levels 4 - 10) by
category during the specified reporting period. The PDF formatted report displays a color-coded pie chart of the
percentage breakdown for the attack categories. The CSV formatted report lists both the percentage and event
count for each attack category.
This section of the report displays a chart that tracks the number of infections associated with critical IPS events
(severity levels 7 - 10) and major IPS events (severity levels 4 - 6) detected during the specified reporting period.
Prerequisites
l Log in to the Web UI of the IPS-enabled appliance as Monitor, Analyst, Operator, or Admin.
4. In the Time frame field, select the period of time that the report is to cover.
l between—Report covers analysis performed between the specified From date and time and the specified
To date and time.
When the report is complete, a link to the report file appears below the Generate Reports label.
l hourly
l daily
l weekly
l monthly
4. If you selected a weekly report, specify the report day of the week in the WeekDay field.
5. If you selected a monthly report, specify the report day of the month in the MonthDay field.
l email—Deliver the report as a file attached to email. For information about configuring email notification,
see the NX Series Threat Management Guide.
9. In the Time frame field, select the period of time that the report is to cover.
l between—Report covers analysis performed between the specified From date and time and the specified
To date and time.
10. Click Schedule Report. The scheduled report is added to the top of the scheduling list.
l Report Overview
l Prerequisites
Report Overview
The IPS Policy Configuration Summary report provides a high-level view of active IPS policies.
You can request the report to be output as a PDF file or as a CSV file. The format of the report file name is ips_
policy_configuration_summary_hostName_dateCreated_timeCreated, where hostName is the host name
assigned to your appliance, and dateCreated and timeCreated identify the date and time the report was created.
The report contains the following sections for each active monitoring interface:
At the top of the report, two colored boxes identify the active IPS policies by monitoring interface.
In the following example, the platform has one monitoring interface and the default IPS policy Comprehensive is
active on the interface:
In the following example, the platform has two monitoring interfaces and the custom IPS policies a_policy and b_
policy are active on the interfaces:
The first interface-specific section of the report displays two colored boxes:
l Active Rules—The number of active IPS rules for the active monitoring interface.
l Rules Excluded—The number of IPS rules explicitly excluded by an attribute of the IPS policy applied to the
monitoring interface. Note: You can configure rule-exclusion and rule-inclusion attributes for custom IPS
policies only.
In the following example, the IPS policy applied to the monitoring interface matches 1199 IPS rules in the appliance
database. If the IPS policy is configured with IPS rule exclusion attributes, none of those attributes affect the
matched IPS rules, because the number of Rules Excluded is 0.
For each active monitoring interface, the second section of the report breaks down the active rules (but not the
excluded rules) into the following statistics:
Protocol
Number of IPS rules that cover vulnerabilities in each protocol, such as HTTP, NetBIOS, POP3, DNS, DHCP,
and Telnet. For more information, see the Rule Match Attributes section in Attributes of IPS Policies.
NOTE: Default IPS policies do not use the name of the exploited protocol as a rule-selection criterion.
Attack target
Number of IPS rules that cover vulnerabilities related to each target host type, such as client, server, or client
or server. For more information, see the Rule Match Attributes section in Attributes of IPS Policies.
Threat category
Number of IPS rules that cover vulnerabilities within each supported threat category, such as denial_of_
service, exploit, and other. For more information, see the Rule Match Attributes section in Attributes of
IPS Policies.
NOTE: Default IPS policies do not use the name of the exploited protocol as a rule-selection criterion.
Prerequisites
l Log in to the Web UI of the IPS-enabled appliance as Monitor, Analyst, Operator, or Admin.
When the report is complete, a link to the report file appears below the Generate Reports label.
l hourly
l daily
l weekly
l monthly
4. If you selected a weekly report, specify the report day of the week in the WeekDay field.
5. If you selected a monthly report, specify the report day of the month in the MonthDay field.
l email—Deliver the report as a file attached to email. For information about configuring email notification,
see the NX Series Threat Management Guide.
When the report is complete, a link to the report file appears below the Generate Reports label.
l Report Overview
l Prerequisites
Report Overview
The IPS Policy Configuration Details report provides a high-level view of active IPS policies, followed by a list of
IPS rules activated by the policies.
You can request the report to be output as a PDF file or as a CSV file. The format of the report file name is ips_
policy_configuration_detail_hostName_dateCreated_timeCreated, where hostName is the host name assigned to
your appliance, and dateCreated and timeCreated identify the date and time the report was created.
The report contains the following sections for each active monitoring interface:
At the top of the report, two colored boxes identify the active IPS policies by monitoring interface.
In the following example, the platform has one monitoring interface and the default IPS policy Comprehensive is
active on the interface:
In the following example, the platform has two monitoring interfaces and the custom IPS policies a_policy and b_
policy are active on the interfaces:
The first interface-specific section of the report displays two colored boxes:
l Active Rules—The number of active IPS rules for the active monitoring interface.
l Rules Excluded—The number of IPS rules explicitly excluded by an attribute of the IPS policy applied to the
monitoring interface. Note: You can configure rule-exclusion and rule-inclusion attributes for custom IPS
policies only.
In the following example, the IPS policy applied to the monitoring interface matches 1199 IPS rules in the appliance
database. If the IPS policy is configured with IPS rule exclusion attributes, none of those attributes affect the
matched IPS rules, because the number of Rules Excluded is 0.
For each active interface, the second section breaks down the active rules (but not the excluded rules) into the
following statistics:
Protocol
Number of IPS rules that cover vulnerabilities in each protocol, such as HTTP, NetBIOS, POP3, DNS, DHCP,
and Telnet. For more information, see the Rule Match Attributes section in Attributes of IPS Policies.
NOTE: Default IPS policies do not use the name of the exploited protocol as a rule-selection criterion.
Attack target
Number of IPS rules that cover vulnerabilities related to each target host type, such as client, server, or client
or server. For more information, see the Rule Match Attributes section in Attributes of IPS Policies.
Threat category
Number of IPS rules that cover vulnerabilities within each supported threat category, such as denial_of_
service, exploit, or other. For more information, see the Rule Match Attributes section in Attributes of
IPS Policies.
NOTE: Default IPS policies do not use the name of the exploited protocol as a rule-selection criterion.
For each active interface, the third section lists all active rules, including the following information:
l Rule name
l Attack target
l Attack category
l Protocol
Prerequisites
l Log in to the Web UI of the IPS-enabled appliance as Monitor, Analyst, Operator, or Admin.
When the report is complete, a link to the report file displays below the Generate Reports label.
l hourly
l daily
l weekly
l monthly
4. If you selected a weekly report, specify the report day of the week in the WeekDay field.
5. If you selected a monthly report, specify the report day of the month in the MonthDay field.
l email—Deliver the report as a file attached to email. For information about configuring email notification,
see the NX Series Threat Management Guide.
When the report is complete, a link to the report file displays below the Generate Reports label.
l Prerequisites
Report Overview
The Top N Attacks report lists the specified number (1 through 100) of most-triggered IPS rules during the
specified reporting period:
You can request the report to be output as a PDF file or as a CSV file. The format of the report file name is ips_top_
n_attack_hostName_dateCreated_timeCreated, where hostName is the host name assigned to your appliance,
and dateCreated and timeCreated identify the date and time the report was created.
NOTE: If you need a report that lists IPS rules that triggered MVX-correlated IPS events, you can generate an IPS
Top N MVX Correlated report and view the report section titled Top <n> Attacks.
Prerequisites
l Log in to the Web UI of the IPS-enabled appliance as Monitor, Analyst, Operator, or Admin.
4. In the Top field, select the number of attacks to be reported. Valid range is 1 - 100.
6. In the Time frame field, select the period of time that the report is to cover.
When the report is complete, a link to the report file appears below the Generate Reports label.
l hourly
l daily
l weekly
l monthly
4. If you selected a weekly report, specify the report day of the week in the WeekDay field.
5. If you selected a monthly report, specify the report day of the month in the MonthDay field.
l email—Deliver the report as a file attached to email. For information about configuring email notification,
see the NX Series Threat Management Guide.
9. In the Top field, select the number of attacks to be reported. Valid range is 1 - 100.
11. In the Time frame field, select the period of time that the report is to cover.
When the report is complete, a link to the report file appears below the Generate Reports label.
l Report Overview
l Prerequisites
Report Overview
The Top N Attackers report lists the specified number (1 through 100) of most-active attackers found by IPS rules
during the specified reporting period:
You can request the report to be output as a PDF file or as a CSV file. The format of the report file name is ips_top_
n_attacker_hostName_dateCreated_timeCreated, where hostName is the host name assigned to your appliance,
and dateCreated and timeCreated identify the date and time the report was created.
NOTE: If you need a report that lists attacker hosts that sent MVX-correlated attacks detected by IPS rules, you can
generate an IPS Top N MVX Correlated report and view the report section titled Top <n> Attackers.
Prerequisites
l Log in to the Web UI of the IPS-enabled appliance as Monitor, Analyst, Operator, or Admin.
4. In the Top field, select the number of attacks to be reported. Valid range is 1 - 100.
6. In the Time frame field, select the period of time that the report is to cover.
When the report is complete, a link to the report file appears below the Generate Reports label.
l hourly
l daily
l weekly
l monthly
4. If you selected a weekly report, specify the report day of the week in the WeekDay field.
5. If you selected a monthly report, specify the report day of the month in the MonthDay field.
l email—Deliver the report as a file attached to email. For information about configuring email notification,
see the NX Series Threat Management Guide.
9. In the Top field, select the number of attacks to be reported. Valid range is 1 - 100.
11. In the Time frame field, select the period of time that the report is to cover.
When the report is complete, a link to the report file appears below the Generate Reports label.
l Report Overview
l Prerequisites
Report Overview
The Top N Victims report lists the specified number (1 through 100) of most-attacked victims found by IPS rules
during the specified reporting period:
You can request the report to be output as a PDF file or as a CSV file. The format of the report file name is ips_top_
n_victim_hostName_dateCreated_timeCreated, where hostName is the host name assigned to your appliance,
and dateCreated and timeCreated identify the date and time the report was created.
NOTE: If you need a report that lists victim hosts of MVX-correlated attacks detected by IPS rules, you can generate
an IPS Top N MVX Correlated report and view the report section titled Top <n> Victims.
Prerequisites
l Log in to the Web UI of the IPS-enabled appliance as Monitor, Analyst, Operator, or Admin.
4. In the Top field, select the number of attacks to be reported. Valid range is 1 - 100.
6. In the Time frame field, select the period of time that the report is to cover.
When the report is complete, a link to the report file appears below the Generate Reports label.
l hourly
l daily
l weekly
l monthly
4. If you selected a weekly report, specify the report day of the week in the WeekDay field.
5. If you selected a monthly report, specify the report day of the month in the MonthDay field.
l email—Deliver the report as a file attached to email. For information about configuring email notification,
see the NX Series Threat Management Guide.
9. In the Top field, select the number of attacks to be reported. Valid range is 1 - 100.
11. In the Time frame field, select the period of time that the report is to cover.
When the report is complete, a link to the report file appears below the Generate Reports label.
l Report Overview
l Prerequisites
Report Overview
For each monitoring interface you specify, the IPS Top N MVX-Correlated report contains information about MVX-
correlated attacks detected using IPS rules.
You can request the report to be output as a PDF file or as a CSV file. The format of the report file name is ips_top_
n_mvx_correlated_hostName_dateCreated_timeCreated, where hostName is the host name assigned to your
appliance, and dateCreated and timeCreated identify the date and time the report was created.
The report contains the following sections for each active monitoring interface:
Top N Attacks
This section of the report identifies the top N IPS rules that detected attacks during the specified reporting period,
including the number of associated attacks.
Report Field Name      Report Field Description
#                      List item number.
Rule Description       Descriptive name of an IPS rule used to detect MVX-correlated attacks.
# of Times Verified    Number of MVX-correlated attacks detected by the IPS rule during the specified reporting period.
Top N Attackers
This section of the report identifies the IP addresses of the top N attackers responsible for the most attacks during
the specified reporting period.
Report Field Name      Report Field Description
#                      List item number.
Attacker               IP address of the attacker responsible for an MVX-correlated IPS event.
# of Victims           Number of victims of the MVX-correlated attacks detected by IPS rules and sent by this attacker during the specified reporting period.
Top N Victims
This section of the report identifies the top N victims of the most attacks detected by IPS rules during the specified
reporting period.
Report Field Name      Report Field Description
#                      List item number.
Victim                 IP address of a victim of an attack detected using an IPS rule.
# of Rules Matched     Number of IPS rules used to detect attacks on the victim during the specified reporting period.
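The three report sections above, built from a stream of MVX-correlated IPS events. This is an added example, not FireEye code: the event records are constructed, the rule names other than the page's own "Exploit Kit Landing Page" are made up, and the tie-breaking order is an assumption (the page does not specify it).

```python
"""Builds the Top N Attacks / Attackers / Victims sections of the IPS Top N
MVX-Correlated report, per monitoring interface, from constructed events.
Added example, not the appliance's implementation."""
from collections import Counter, defaultdict

# Constructed MVX-correlated IPS events:
# (monitoring interface, rule description, attacker IP, victim IP)
SAMPLE_EVENTS = [
    ("A", "Exploit Kit Landing Page", "198.51.100.7", "10.0.0.5"),
    ("A", "Exploit Kit Landing Page", "198.51.100.7", "10.0.0.6"),
    ("A", "Exploit Kit Landing Page", "203.0.113.9", "10.0.0.5"),
    ("A", "Telnet Brute Force", "203.0.113.9", "10.0.0.5"),
    ("A", "SMB Remote Code Execution", "203.0.113.9", "10.0.0.7"),
    ("B", "Telnet Brute Force", "192.0.2.4", "10.0.1.2"),
]


def validate_n(n):
    """The Top field accepts 1 through 100."""
    if not 1 <= n <= 100:
        raise ValueError("Top N must be 1 through 100")
    return n


def top_n_attacks(events, n):
    """Top N rules ranked by '# of Times Verified' (MVX-correlated hits per rule)."""
    return Counter(rule for _, rule, _, _ in events).most_common(n)


def top_n_attackers(events, n):
    """Top N attacker IPs ranked by '# of Victims' (distinct victims attacked)."""
    victims = defaultdict(set)
    for _, _, attacker, victim in events:
        victims[attacker].add(victim)
    # Assumption: ties are broken by IP address string order.
    ranked = sorted(victims.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(ip, len(v)) for ip, v in ranked[:n]]


def top_n_victims(events, n):
    """Top N victim IPs ranked by '# of Rules Matched' (distinct rules that fired)."""
    rules = defaultdict(set)
    for _, rule, _, victim in events:
        rules[victim].add(rule)
    ranked = sorted(rules.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(ip, len(r)) for ip, r in ranked[:n]]


def build_report(events, n):
    """One set of the three sections per active monitoring interface."""
    validate_n(n)
    by_iface = defaultdict(list)
    for ev in events:
        by_iface[ev[0]].append(ev)
    return {
        iface: {
            "Top N Attacks": top_n_attacks(evs, n),
            "Top N Attackers": top_n_attackers(evs, n),
            "Top N Victims": top_n_victims(evs, n),
        }
        for iface, evs in sorted(by_iface.items())
    }


def render_csv(report):
    """Flatten the report into CSV lines: interface, section, #, name, count."""
    lines = ["interface,section,#,name,count"]
    for iface, sections in report.items():
        for section, rows in sections.items():
            for i, (name, count) in enumerate(rows, 1):
                lines.append(f'{iface},{section},{i},"{name}",{count}')
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_csv(build_report(SAMPLE_EVENTS, 2)))
```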
Prerequisites
l Log in to the Web UI of the IPS-enabled appliance as Monitor, Analyst, Operator, or Admin.
4. In the Top field, select the number of attacks to be reported. Valid range is 1 - 100.
6. In the Time frame field, select the period of time that the report is to cover.
When the report is complete, a link to the report file appears below the Generate Reports label.
l hourly
l daily
l weekly
l monthly
4. If you selected a weekly report, specify the report day of the week in the WeekDay field.
5. If you selected a monthly report, specify the report day of the month in the MonthDay field.
l email—Deliver the report as a file attached to email. For information about configuring email notification,
see the NX Series Threat Management Guide.
9. In the Top field, select the number of attacks to be reported. Valid range is 1 - 100.
11. In the Time frame field, select the period of time that the report is to cover.
When the report is complete, a link to the report file appears below the Generate Reports label.
Syntax
User Role
Release Information
Support for notification of inline packet inspection process state changes on IPS-enabled platforms introduced in
Release 7.2.0.
Description
On an IPS-enabled platform only, enable or disable notifications for inline packet inspection process state changes.
By default, an IPS-enabled platform is disabled for sending notifications of inline packet inspection process state
changes. For more information, see Configuring Notification of Inline Packet Inspection Process State Changes
(CLI).
For more information about the email CLI command, see the FireEye CLI Command Reference.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
Parameters
no
(Optional) Use the no form of the command to disable notifications for inline packet inspection process state
changes.
inline-engine-down
If the option is enabled, starting of the inline packet inspection process triggers an email notification.
inline-engine-up
If the option is enabled, stopping of the inline packet inspection process triggers an email notification.
Sample Commands
Syntax
User Role
Release Information
Support for notification of IPS critical events on IPS-enabled platforms introduced in Release 7.2.0.
Description
On an IPS-enabled platform only, enable or disable notifications for IPS events using the notification method you
specify. By default, an IPS-enabled platform is enabled for sending notifications of IPS critical events by email,
posting to Web servers, logging messages to a remote syslog server, and SNMP traps. For more information, see
IPS Event Notifications.
For more information about the fenotify CLI command, see the FireEye CLI Command Reference.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
Parameters
no
(Optional) Use the no form of the command to disable notifications for IPS critical events.
notifyMethod
Method for notification of IPS critical events:
l email—Send notifications by email to one or more addresses using SMTP as configured by using
the fenotify email default, fenotify email enable, and fenotify email service commands.
l http—Post notifications to one or more Web servers as configured by using the
fenotify http default, fenotify http enable, and fenotify http service commands.
l rsyslog—Send notifications to a remote syslog server as configured by using the
fenotify rsyslog default, fenotify rsyslog enable, and fenotify rsyslog service commands.
l snmp—Send traps to one or more SNMP servers as configured by using the
fenotify snmp default, fenotify snmp enable, and fenotify snmp service commands.
alert ips-event enable
Distribute notifications for IPS events.
enable
Apply the specified policy to all monitoring interfaces on the appliance.
Sample Commands
Syntax
User Role
Release Information
Description
Configures when IPS event notifications are delivered. For more information, see IPS Event Notifications.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
Parameters
mode
Specify the delivery mode for IPS event notifications:
l instant—Send only when an IPS event is detected. This is the default value.
l confirmation—Send only when an attack has been confirmed (either positive or negative).
l dual—Send both when an IPS event is detected and when an attack has been confirmed.
By default, the system is configured to use instant delivery mode, which is useful in an organization that
archives notifications and then filters and analyzes the information later. When you first activate IPS features,
we recommend that you use dual mode so that you see both detection and confirmation of IPS events. If
your organization does not archive the volume of notifications generated in this mode, you can decrease the
volume of notifications by using confirmation mode.
Sample Output
ips apply
To apply or remove an IPS policy on a monitoring interface, use the ips apply command in configuration mode.
Syntax
User Role
Release Information
Description
Apply the rule-selection criteria (match attributes, exclusion list, and inclusion list) of the specified IPS policy to the
network traffic passing through the specified monitoring interface. The system automatically sets the value of the
policy's active attribute to yes. If a different IPS policy was already active on the interfaces, the system automatically
removes that policy from the interfaces before applying the new policy.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
Parameters
no
Use the no form of the command to explicitly remove the specified IPS policy from the specified monitoring
interface or to remove all IPS policies from all interfaces. When the interface is not associated with an IPS
policy, traffic that passes through the interface is analyzed using standard NX Series content rules only.
all
Remove all IPS policies from all monitoring interfaces. Supported for the no form of the command only.
policyName
Name of the IPS policy to apply to monitoring interfaces on the NX Series appliance.
interface interfaceName
Apply the specified policy to the specified monitoring interface:
l A—Monitoring interfaces labeled pether3 and pether4.
l B—Monitoring interfaces labeled pether5 and pether6 (on appliances with two port pairs).
Sample Commands
ips auto-update enable
To disable or re-enable automatic addition of new IPS rules to active interfaces, use the ips auto-update enable
command in configuration mode.
Syntax
User Role
Admin role
Release Information
Description
Control whether the IPS-enabled rules engine re-evaluates active IPS policies when the database of IPS rules is
updated.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
Default
The option is enabled by default. If your platform receives new IPS security content rules, the system re-evaluates
active IPS policies against the updated database of IPS rules.
Parameters
no
Use the no form of this command to disable automatic re-evaluation of active IPS policies when IPS rules
are updated.
Sample Output
l ips auto-update enable
l no ips auto-update enable
ips auto-update enable
ips blockmode
By default, IPS blockmode is enabled. To disable IPS blockmode, restore IPS blockmode, or force blocking for all
IPS rules, use one of the ips blockmode commands in configuration mode.
Syntax
User Role
Admin role
Release Information
Description
On an IPS-enabled platform deployed inline and with a monitoring interface configured for inline deployment,
manage the IPS blockmode setting. To display the current setting, use the show ips status CLI command in enable
mode. For more information, see Options to Disable or Force Blocking for All IPS Rules.
no ips blockmode
Re-enable IPS blockmode. Traffic that matches an active IPS rule is blocked or allowed as specified by the
block action of the rule. If the matched IPS rule specifies the block action value blockable, the system
handles the matched traffic as if the block action value were noblock, except that you can override the
blockable action on a per-rule basis only. See Options to Disable or Force Blocking for a Vulnerability or an
IPS Rule.
The following table lists each form of the command and its effect on the IPS blockmode state. The last three columns
describe the action taken for traffic matched by a rule whose block action is block, no block, or blockable.
CLI Configuration Command   IPS Blockmode State   Action Specified by the Matched IPS Rule
                                                  block    no block   blockable
no ips blockmode            enabled               Block    Allow      Allow
ips blockmode disabled      disabled              Allow    Allow      Allow
ips blockmode all           all                   Block    Block      Block
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
To display the status of IPS blocking mode, use the show ips status CLI command in enable mode. For more
information, see Options to Disable or Force Blocking for All IPS Rules.
Default
Parameters
None.
Sample Output
l no ips blockmode
no ips blockmode
ips brute-force threshold
To configure the IPS detection threshold for brute-force attacks on an IPS-enabled platform, use the
ips brute-force threshold command in configuration mode.
Syntax
ips brute-force threshold value
User Role
Release Information
Description
Configures the login failure event threshold for triggering a brute-force event. To display the current setting, use the
show ips reconnaissance CLI command in enable mode. For more information, see IPS Detection of Brute-Force
Attacks.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
Parameters
value
The platform triggers an IPS brute-force event when the number of failed login attempts to or from the same
IP address within a rolling 60-second window exceeds this value. The valid range is 5 through 1000. The
default value is 5.
Sample Output
ips brute-force threshold 10
ips detail-filter
To enable detailed packet inspection on an IPS-enabled platform, use the ips detail-filter command in
configuration mode.
Syntax
User Role
Admin role
Release Information
Description
This command configures the IPS-enabled engine to perform detailed packet inspection for a list of protocol ports.
The list of protocol ports is dynamic, and FireEye controls the list through periodic updates of IPS security content.
IPS detailed packet inspection is useful for inspecting traffic flows to email protocols and detecting brute-force
attacks.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
Default
Parameters
no
Use the no form of this command to disable IPS detailed filtering.
Sample Output
l ips detail-filter
l no ips detail-filter
ips detail-filter
no ips detail-filter
ips policy
To create or delete a custom IPS policy, use the ips policy command in configuration mode.
Syntax
User Role
Release Information
Description
Create or delete a new custom IPS policy. The new policy inherits the match attributes of the default IPS policy
named Comprehensive. For more information, see IPS Policy Configuration.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
Parameters
no
Use the no form of the command to delete a custom IPS policy. The policy must be inactive.
policyName
Name of the custom IPS policy to create or delete. Custom IPS policy names are case-sensitive and can
consist of alphanumeric characters only.
Sample Output
l ips policy myCustom1
l no ips policy myCustom1
ips policy myCustom1
no ips policy myCustom1
ips policy clone
To clone an IPS policy definition, use the ips policy clone command in configuration mode.
Syntax
User Role
Release Information
Description
Clone the specified IPS policy in order to create a new custom IPS policy.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
Parameters
existingPolicyName
Name of the existing IPS policy to copy. You can clone a default IPS policy or a custom IPS policy.
newPolicyName
Name of the new IPS policy to create. Custom IPS policy names are case-sensitive and can consist of
alphanumeric characters only.
Sample Command
ips policy match
To add, change, or remove rule-selection match attributes on a custom IPS policy, use the ips policy match
command in configuration mode.
Syntax
User Role
Release Information
Description
For a custom IPS policy only, you can add, change, or remove rule-selection match attributes.
For more information about IPS policies, see IPS Policy Configuration.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
Parameters
no
Use the no form of the command to remove an attack-target, category, sub_category, or protocol match
attribute from the policy.
attack-target hostType
(Required) Select rules for the specified type of targeted host:
l client—Matches rules oriented toward client systems.
l server—Matches rules oriented toward server systems.
category categoryName
(Optional) Select rules for the specified type of attack category:
l brute_force
l command_execution
l cross-site_scripting
l denial_of_service
l exploit
l reconnaissance
l unknown
l other
sub_category subCategoryName
(Optional) If a category match attribute is specified, you can narrow the category match to rules that cover
the specified type of attack subcategory.
brute_force subcategories:
l telnet-bf
l ftp-bf
l vnc-bf
l mysql-bf
l smb-bf
l rsh-bf
l postgresql-bf
l rlogin-bf
command_execution subcategories:
l input_validation_error
l directory_traversal
cross-site_scripting subcategories:
l input_validation_error
l other
denial_of_service subcategories:
l input_validation_error
l resource_exhaustion
l other
directory_traversal subcategories:
l information_disclosure
l input_validation_error
exploit subcategories:
l code_execution
l command_execution
l command_injection
l design_weakness
l directory_traversal
l information_leakage
l input_validation_error
l other
policy_bypass subcategories:
l authentication_weakness
other subcategories:
l authentication_weakness
l information_disclosure
l other
max-severity maxLevel
(Required) Select rules that cover vulnerabilities of the specified severity level or lower, but not below the
level specified by the min-severity minLevel setting. Range: 1 through 10, inclusive.
min-severity minLevel
(Required) Select rules that cover vulnerabilities of the specified severity level or higher, but not exceeding
the level specified by the max-severity maxLevel setting. Range: 1 through 10, inclusive.
protocol protocolName
(Option for custom policies only) Select IPS rules that cover vulnerabilities related to the specified network
protocols. At the time of this software release, IPS rules detect threats that exploit the following protocols:
ABB products, AgentX, Arkeia Network Backup Client, Autonomy Connected Backup,
Avaya WinPDM, BakBone NetVault, BigAnt Server, Blue Coat BCAAA, CA ARCserve, CA eTrust,
CA License, CA Products, CA Products Discovery Service, Cisco UCM, Citrix, CUPS, CVS,
DCE-RPC, DHCP, Digium Asterisk, DNS, EMC, eSignal, Ethereal, Flexera FlexNet manager, FTP,
Fujitsu SystemcastWizard, GAIM, Ganglia Meta Daemon, GDS DB, GE Proficy, GIMP, GIOP,
HP Data Protector, HP Intelligent Mgmt Center, HP LeftHand Virtual SAN, HP Mercury,
HP OpenView, HP Operations Agent, HP StorageWorks, HTTP, http, IAX2, IBM DB2, IBM Director,
IBM SolidDB, IBM Tivoli, ICQ, IEC 61131, IMAP, Intellicom NetBiter Config, IPSwitch WS_
FTP, IRC, ISAKMP, iSCSI, KADM5, Kerberos, KPASSWD, LANDesk Management Suite, LDAP, LLMNR, LPD,
McAfee ePO, Microsoft TMG, MMS, MS Host Integration Server, MSN Messenger, NCP, NDMP,
NetBIOS, NFS, NMAP, NNTP, Novell Netware, Novell ZENworks, NTP, Oracle WebLogic, POP3,
Portmap, Quest Software Big Brother, RADIUS, RAW, RDP, RIM BlackBerry Server, RMI, RPC, RSH,
RTMP, RTSP, sadmind, SADMIND, SAP MaxDB, SAP NetWeaver, SCADA, Siemens SIMATIC WinCC, SIP,
SKINNY, SMS, SMTP, SNMP, SOCKS, SpamAssassin, SQL, Squid Proxy, SSH, Symantec, TDS, Telnet, TFTP,
Timbuktu, TLS, TNS, TrendMicro, Trillian IM, Unisys BIS, VMware, VNC, WCCP, WHO, WINS,
Yahoo Messenger, and Zend Technologies Zend Server.
For protocols that use encryption, the IPS-enabled rules engine inspects the initial negotiation messages
only.
NOTE: This list is dynamic and subject to expansion as the FireEye Research Labs team discovers new
vulnerabilities and responds by updating threat detection algorithms and delivering new IPS rules.
Sample Output
ips policy rules
To include or exclude a specific IPS rule in a custom IPS policy, use the ips policy rules command in configuration
mode.
Syntax
User Role
Release Information
Description
Modify the specified IPS policy by specifically including or excluding the specified IPS rule. The policy must be
inactive. For more information about IPS policies, see IPS Policy Configuration.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
Parameters
no
Use the no form of the command to remove the specified rule-exclusion or rule-inclusion attribute from the
specified IPS policy. The policy must be inactive.
policyName
Name of the custom IPS policy to modify. The policy must be inactive.
include sigID
Signature ID of the IPS rule to include, provided the rule is in the appliance database.
exclude sigID
Signature ID of the IPS rule to exclude, even if the rule is in the appliance database and a match attribute in
the policy would otherwise select the rule. This attribute overrides attributes specified by the
ips policy match command.
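How the rule-selection attributes of ips policy match combine with the include and exclude lists of ips policy rules, as an added example that is not FireEye code. The rule database is constructed from categories, subcategories and protocols named on this page; that an exclude entry also overrides an include entry for the same signature is an assumption, since the page only states that exclude overrides the match attributes.

```python
"""Rule selection for a custom IPS policy: match attributes choose rules from
the database, an include list adds rules the attributes would not select, and
an exclude list overrides everything. Added example, not FireEye code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    sid: int               # signature ID
    attack_target: str     # "client" or "server"
    category: str
    sub_category: str
    severity: int          # 1 through 10
    protocol: str


@dataclass
class Policy:
    name: str
    attack_target: str             # required match attribute
    min_severity: int              # required match attribute
    max_severity: int              # required match attribute
    category: Optional[str] = None
    sub_category: Optional[str] = None
    protocol: Optional[str] = None
    include: Set[int] = field(default_factory=set)
    exclude: Set[int] = field(default_factory=set)
    active: bool = False           # set by ips apply

    def __post_init__(self):
        if not 1 <= self.min_severity <= self.max_severity <= 10:
            raise ValueError("severity range must satisfy 1 <= min <= max <= 10")
        if self.sub_category and not self.category:
            raise ValueError("sub_category requires a category match attribute")

    def matches(self, rule: Rule) -> bool:
        """Does the rule satisfy every configured match attribute?"""
        if rule.attack_target != self.attack_target:
            return False
        if not self.min_severity <= rule.severity <= self.max_severity:
            return False
        if self.category and rule.category != self.category:
            return False
        if self.sub_category and rule.sub_category != self.sub_category:
            return False
        if self.protocol and rule.protocol != self.protocol:
            return False
        return True

    def set_rule(self, sid: int, action: str, database: Dict[int, Rule]) -> None:
        """ips policy rules <name> include|exclude <sid>; the policy must be inactive."""
        if self.active:
            raise RuntimeError(f"policy {self.name} is active; remove it from its interfaces first")
        if action == "include" and sid not in database:
            raise KeyError(f"signature {sid} is not in the appliance database")
        if action not in ("include", "exclude"):
            raise ValueError(f"unknown action {action}")
        (self.include if action == "include" else self.exclude).add(sid)

    def select(self, database: Dict[int, Rule]) -> List[int]:
        """Signature IDs the policy activates."""
        chosen = {sid for sid, rule in database.items() if self.matches(rule)}
        chosen |= self.include & set(database)   # include adds rules the attributes miss
        chosen -= self.exclude                   # exclude wins (assumption for include clashes)
        return sorted(chosen)


# Constructed rule database.
DATABASE = {r.sid: r for r in [
    Rule(1001, "server", "brute_force", "ftp-bf", 6, "FTP"),
    Rule(1002, "server", "brute_force", "telnet-bf", 7, "Telnet"),
    Rule(1003, "server", "exploit", "code_execution", 9, "HTTP"),
    Rule(1004, "client", "exploit", "code_execution", 8, "HTTP"),
    Rule(1005, "server", "reconnaissance", "other", 2, "NMAP"),
    Rule(1006, "server", "denial_of_service", "resource_exhaustion", 5, "DNS"),
]}


def build_server_policy() -> Policy:
    """Server rules of severity 5 through 10, plus the low-severity recon rule by
    explicit include, with the Telnet brute-force rule explicitly excluded."""
    policy = Policy("serverHardening", attack_target="server", min_severity=5, max_severity=10)
    policy.set_rule(1005, "include", DATABASE)
    policy.set_rule(1002, "exclude", DATABASE)
    return policy


if __name__ == "__main__":
    print(build_server_policy().select(DATABASE))
```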
Sample Output
Syntax
User Role
Admin role
Release Information
Description
You can enable the IPS-enabled engine to detect reconnaissance activity. To display the status of this feature, use the
show ips reconnaissance CLI command in enable mode. For more information, see IPS Detection of
Reconnaissance Activity.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
Default
Parameters
no
Use the no form of this command to disable IPS detection of reconnaissance activity.
Sample Output
Syntax
This command is available only when IPS detection of reconnaissance activity is enabled. However, IPS detection
of brute-force attacks is enabled by default.
User Role
Release Information
Description
On a platform enabled for IPS detection of reconnaissance activity, configure the IPS detection thresholds for
triggering ping sweep events and port scan events. To display the current settings, use the
show ips reconnaissance CLI command in enable mode. For more information, see IPS Detection of
Reconnaissance Activity.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
Parameters
ping-sweep value
The platform triggers an IPS ping sweep event when the number of ICMP exchanges to or from the same IP
address within a rolling 60-second window exceeds this value. The valid range is 10 through 1000. The
default value is 20.
port-scan value
The platform triggers an IPS port scan event when the number of TCP or UDP exchanges to or from the
same IP address within a rolling 60-second window exceeds this value. The valid range is 10 through 1000.
The default value is 200.
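The rolling 60-second threshold that the ips brute-force threshold command (above) and the ping-sweep and port-scan thresholds share, run over constructed records. This is an added example, not FireEye code; the documented defaults and ranges are reproduced, and raising at most one event per IP per window is an assumption.

```python
"""Rolling 60-second threshold detection as this page describes it for
brute-force (failed logins), ping-sweep (ICMP exchanges) and port-scan
(TCP/UDP exchanges) events. Added example, not FireEye code."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # the rolling window this page specifies for all three events

# Documented defaults and valid ranges for the three threshold commands.
DEFAULTS = {"brute-force": 5, "ping-sweep": 20, "port-scan": 200}
VALID_RANGES = {"brute-force": (5, 1000), "ping-sweep": (10, 1000), "port-scan": (10, 1000)}


def validate_threshold(kind, value):
    """Mirror the CLI range check: reject a value outside the documented range."""
    lo, hi = VALID_RANGES[kind]
    if not lo <= value <= hi:
        raise ValueError(f"{kind} threshold {value} is outside {lo} through {hi}")
    return value


class RollingThresholdDetector:
    """Counts qualifying exchanges per IP address inside a rolling window and
    raises an event once the count exceeds the configured threshold. What counts
    as an exchange depends on `kind`: a failed login for brute-force, an ICMP
    exchange for ping-sweep, a TCP or UDP exchange for port-scan."""

    def __init__(self, kind, threshold=None):
        self.kind = kind
        self.threshold = validate_threshold(kind, DEFAULTS[kind] if threshold is None else threshold)
        self._seen = defaultdict(deque)  # ip -> timestamps still inside the window
        self._alerted = {}               # ip -> timestamp of the last event raised

    def observe(self, ts, ip):
        """Record one exchange at time `ts` (seconds) to or from `ip`.
        Returns an event dict when the threshold is exceeded, otherwise None."""
        window = self._seen[ip]
        window.append(ts)
        # Age out observations that fell outside the last 60 seconds.
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) > self.threshold:
            # Assumption: at most one event per IP per window, so a noisy host
            # does not produce one alert per packet.
            last = self._alerted.get(ip)
            if last is None or ts - last >= WINDOW_SECONDS:
                self._alerted[ip] = ts
                return {"kind": self.kind, "ip": ip, "count": len(window), "ts": ts}
        return None


def run_detector(kind, records, threshold=None):
    """Feed time-ordered (ts, ip) records through a detector; return the events raised."""
    detector = RollingThresholdDetector(kind, threshold)
    events = []
    for ts, ip in records:
        event = detector.observe(ts, ip)
        if event:
            events.append(event)
    return events


# Constructed sample of failed logins: one host fails 6 logins within 30 s
# (exceeds the default threshold of 5); another fails 6 logins 36 s apart,
# so no 60-second window ever holds more than 2 of them.
SAMPLE_FAILED_LOGINS = sorted(
    [(t, "198.51.100.7") for t in range(0, 30, 5)]
    + [(t, "203.0.113.9") for t in range(0, 216, 36)]
)

if __name__ == "__main__":
    for ev in run_detector("brute-force", SAMPLE_FAILED_LOGINS):
        print(ev)
```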
Sample Output
l ips reconnaissance ping-sweep
l ips reconnaissance port-scan
ips reconnaissance ping-sweep
ips reconnaissance port-scan
policymgr signature
To override the specified blocking action for a vulnerability or IPS rule, or to suppress a vulnerability or IPS rule, use
the policymgr signature command in configuration mode. This command is available on NX Series appliances.
Syntax
NOTE: To take effect, a policymgr command must be followed by the policymgr refresh-policy command.
User Role
Release Information
Command syntax and functionality enhanced in Release 7.5.0 to support disabled or forced blocking for a
vulnerability or IPS rule and to support suppression of a vulnerability or IPS rule.
Description
Disable or force blocking of matched traffic for a vulnerability or IPS rule active on the specified interface, or
suppress a vulnerability or IPS rule on the specified interface.
l Disabled or forced blocking is supported for IPS rules with the action option defined as blockable on
monitoring interfaces configured for inline blocking mode.
l Suppression of reconnaissance activity (ping sweeps or port scans) or brute-force attacks must be configured
for all monitoring interfaces. You cannot suppress IPS reconnaissance rules or IPS brute-force rules for
individual monitoring interfaces.
To undo this operation—to restore the blocking action or to disable suppression for a vulnerability or IPS rule—use
the no form of the command.
Use the show policymgr signatures CLI command in enable mode to display policy details about blocking or
suppression applied to vulnerabilities or individual IPS rules active on an IPS-enabled platform.
For information about blocking, see Options to Disable or Force Blocking for a Vulnerability or an IPS Rule. For
information about suppression see Options to Suppress a Vulnerability or an IPS Rule.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM Series
platform using the central management platform proxying mechanism.
Defaults
If you do not specify this command, traffic that matches the vulnerability or IPS rule is blocked as specified in the
rule definition, triggers IPS events, and generates IPS notifications as configured for the event type.
l If you use the command without specifying an exception mode and interface name:
The system configures a default exception policy for the specified vulnerability or IPS rule. On
interfaces configured for inline blocking, traffic that matches the vulnerability or IPS rule is blocked if the
action option in the rule definition is set to blockable.
l If you use the no form of the command without specifying an exception mode and interface name:
The system restores the blocking action or disables suppression for the specified vulnerability or rule
on all interfaces. Unlike using the command and specifying a specific override and ALL interfaces, this
command removes the corresponding signature from the table in the show policymgr signatures CLI
command output and from the table in the Web UI Settings > Inline Policy Exceptions page.
Parameters
signatureID
Specify a signature ID to impact traffic that matches an individual IPS rule.
signatureName
Specify an IPS rule name to impact traffic that matches all IPS rules that address the same vulnerability.
exceptionMode
To disable or force blocking for the vulnerability or rule on the specified interface, specify one of the
following values. These exception modes apply only to rules with the action option set to blockable and are
valid only for interfaces configured for inline blocking. For more information, see Options to Disable or Force
Blocking for a Vulnerability or an IPS Rule.
l block—Force blocking of traffic that matches the vulnerability or rule on the specified interface.
l do-not-block—Disable blocking of traffic that matches the vulnerability or rule on the interface.
To suppress the vulnerability or rule for traffic matched on the specified interface, specify one of the
following values. For more information, see Options to Suppress a Vulnerability or an IPS Rule.
l suppress—Suppress the vulnerability or IPS rule on the specified interface so that matched traffic
does not trigger IPS events or generate IPS notifications. Matched traffic is handled according to the
blocking action specified in the rule definition.
l suppress-unblock—On interfaces configured for inline blocking, suppress the vulnerability or IPS
rule and also disable the blocking action specified in the rule definition.
interfaceName
Specify the NX Series appliance monitoring interface: A, B, C, D, or ALL.
Sample Output
show policymgr signature name (Disable Blocking for a Vulnerability on All Interfaces)
hostname # policymgr signature name "Exploit Kit Landing Page" do-not-block on ALL
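The blocking decision on an IPS-enabled interface, combining the ips blockmode table with the per-signature exception modes of policymgr signature, as an added example that is not FireEye code. Assumptions, marked in the code: a monitor-only interface never blocks, an interface-specific exception takes precedence over one set on ALL, and block/do-not-block overrides apply only while blockmode is enabled.

```python
"""Blocking and event decision for traffic matched by an IPS rule, using the
ips blockmode table and the policymgr signature exception modes described on
this page. Added example, not FireEye code; assumptions are marked."""

# blockmode state -> {block action in the rule definition -> blocked?}
BLOCKMODE_TABLE = {
    "enabled":  {"block": True,  "noblock": False, "blockable": False},  # no ips blockmode
    "disabled": {"block": False, "noblock": False, "blockable": False},  # ips blockmode disabled
    "all":      {"block": True,  "noblock": True,  "blockable": True},   # ips blockmode all
}
EXCEPTION_MODES = {"block", "do-not-block", "suppress", "suppress-unblock"}
INTERFACES = {"A", "B", "C", "D"}


class ExceptionPolicy:
    """The table behind 'policymgr signature ... <exceptionMode> on <interface>'."""

    def __init__(self):
        self._entries = {}  # (signature, interface or "ALL") -> exception mode

    def set(self, signature, mode, interface="ALL"):
        if mode not in EXCEPTION_MODES:
            raise ValueError(f"unknown exception mode {mode}")
        if interface != "ALL" and interface not in INTERFACES:
            raise ValueError(f"unknown interface {interface}")
        self._entries[(signature, interface)] = mode

    def clear(self, signature, interface="ALL"):
        """The no form: restore the blocking action or disable suppression."""
        if interface == "ALL":
            for key in [k for k in self._entries if k[0] == signature]:
                del self._entries[key]
        else:
            self._entries.pop((signature, interface), None)

    def lookup(self, signature, interface):
        # Assumption: an interface-specific entry takes precedence over ALL.
        return self._entries.get((signature, interface)) or self._entries.get((signature, "ALL"))


def decide(blockmode, rule_action, signature, interface, inline, exceptions):
    """Return (blocked, event_raised) for traffic that matches `signature`.

    blockmode:   'enabled' | 'disabled' | 'all' (state column of the table)
    rule_action: 'block' | 'noblock' | 'blockable' (action in the rule definition)
    inline:      whether the interface is configured for inline blocking
    """
    if rule_action not in BLOCKMODE_TABLE["enabled"]:
        raise ValueError(f"unknown rule action {rule_action}")
    # Assumption: a monitor-only interface never blocks, whatever the table says.
    blocked = BLOCKMODE_TABLE[blockmode][rule_action] if inline else False
    event = True
    mode = exceptions.lookup(signature, interface)
    if mode in ("suppress", "suppress-unblock"):
        event = False                 # no IPS event and no IPS notification
        if mode == "suppress-unblock" and inline:
            blocked = False           # also disable the rule's blocking action
    elif mode in ("block", "do-not-block"):
        # Per-signature overrides apply only to blockable rules on inline
        # interfaces, and (assumption) only while blockmode is enabled.
        if rule_action == "blockable" and inline and blockmode == "enabled":
            blocked = mode == "block"
    return blocked, event


if __name__ == "__main__":
    ex = ExceptionPolicy()
    ex.set("Exploit Kit Landing Page", "do-not-block", "ALL")  # the page's sample command
    print(decide("enabled", "blockable", "Exploit Kit Landing Page", "A", True, ex))
```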
Syntax
show fenotify alerts
User Role
Release Information
Description
On IPS-enabled platforms only, the display of FireEye event notification alerts includes IPS events for each
notification method. FireEye threat prevention platforms support notifications by sending email, posting to Web
servers, logging messages to a remote syslog server, and sending SNMP traps. For more information, see IPS
Event Notifications.
For more information about all other forms of the show fenotify CLI command, see the FireEye CLI Command
Reference.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM Series central
management platform using the CMC proxying mechanism.
Parameters
None.
Output Fields
Sample Output
The following sample output shows the configuration of FireEye event notification alerts. The platform sends email
notifications for all event types (domain-match, infection-match, ips-event, malware-callback, malware-object, and
web-infection) and sends remote syslog notifications for events of type ips-event only.
FireEye Alerts:
Digest notification:
Time : 12:00
Enabled : yes
The sample output corresponds to the following Settings > Notifications page in the Web UI:
Syntax
User Role
Release Information
Command output enhanced for IPS-enabled NX Series platforms to include IPS delivery mode in Release 7.5.0.
Description
Displays information about IPS event notification delivery mode, delivery option for HTTP or HTTPS notifications,
and a delivery option for Rsyslog notifications. For more information, see IPS Event Notifications.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
Parameters
None
Output Fields
The following table describes the output fields for the command. Fields are listed in the approximate order in which
they appear in the output.
• instant—Send only when an IPS event is detected. This is the default value.
• confirmation—Send only when an attack has been confirmed (either positive or negative).
• dual—Send both when an IPS event is detected and when an attack has been confirmed.
You can use the following CLI commands to configure the system to post event messages to
Web servers using HTTP or HTTPS: fenet proxy auth, fenet proxy host, and
fenet proxy user-agent. For more information, see the NX Series Threat Management
Guide.
Rsyslog notification stripping off line feedback Delivery option to strip off line feedback for event notifications sent to a remote syslog server:
• yes—System strips off line feedback. This is the default mode.
• no—System does not strip off line feedback.
You can use the following CLI commands to configure the system to send event notifications
to a remote syslog server: fenotify rsyslog default, fenotify rsyslog enable, and
fenotify rsyslog service. For more information, see the NX Series Threat Management
Guide.
Sample Output
Syntax
User Role
Release Information
Description
Display the names of monitoring interfaces on the NX Series appliance or the names of active IPS policies. For
more information, see IPS Policy Application at Monitoring Interfaces.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
Parameters
None
Output Fields
The following table describes the output fields for the command. Fields are listed in the approximate order in which
they appear in the output.
Sample Output
Syntax
User Role
Release Information
Description
Display attributes for IPS policies defined on an IPS-enabled appliance. By default, the command output displays
non-match attributes for the specified IPS policy. You can include optional parameters to show match attributes or
the exclusion list or inclusion list of the IPS policy.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
Parameters
policyName
Name of the IPS policy whose attributes are to be displayed.
Output Fields
The following table describes the output fields for the show ips policies command. Fields are listed in the
approximate order in which they appear in the output.
State Attributes
active Indicates whether the IPS policy is active:
NOTE: You cannot delete a policy while it is active. You cannot delete or edit a default policy.
Match Attributes
attack-target Type of network host machine that the rule covers.
min-severity Attack severity level of the rule is equal to or above this lower limit. Range: 1 – 10.
max-severity Attack severity level of the rule is equal to or below this upper limit. Range: 1 – 10.
category (Option for custom IPS policies) Category of the network attack that the rule covers.
sub_category (Option for custom IPS policies) Subcategory of the network attack that the rule covers.
protocol (Option for custom IPS policies) Network protocol covered by the rule.
Sample Output
Fingerprint of policy :
2014/09/25 10:24:48 | 287fd1bda05326809e195cccf5e9798c
Syntax
User Role
Release Information
Description
Displays the IPS detection thresholds for reconnaissance activity and brute-force attacks, provided that IPS
detection of reconnaissance activity is enabled.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
Parameters
None.
Output Fields
The following table describes the output fields for the command. Fields are listed in the approximate order in which
they appear in the output.
Sample Output
Syntax
User Role
Release Information
Description
Display the platform-wide status of blocking for IPS rules, the status of the IPS policy manager daemon, and the
status of the IPS license.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
If an IPS policy manager (ips) command fails to respond, the IPS policy manager daemon might have stopped due
to insufficient CPU or memory resources. If you are logged in to the CLI as Admin, you can restart the IPS policy
manager daemon by using the following command in enable mode:
Parameters
None.
Output Fields
The following table describes the output fields for the command. Fields are listed in the approximate order in which
they appear in the output.
Sample Output
• show ips status (Loading of IPS Rules Into Rules Engine is Complete)
• show ips status (Loading of IPS Rules Into Rules Engine is In Progress)
show ips status (Loading of IPS Rules Into Rules Engine is Complete)
show ips status (Loading of IPS Rules Into Rules Engine is In Progress)
Syntax
User Role
Release Information
Command output enhanced in Release 7.5.0 to support disabled or forced blocking for a vulnerability or IPS rule
and to support suppression of a vulnerability or IPS rule.
Description
Displays the deployment mode and policy mix of monitoring interfaces on the NX Series appliance. Also displays
the overrides—disabled or forced blocking or suppression—applied to vulnerabilities or IPS rules active on the
appliance monitoring interfaces.
For information about disabled or forced blocking a vulnerability or IPS rule, see Options to Disable or Force
Blocking for a Vulnerability or an IPS Rule. For information about disabled or forced blocking for all rules activated
on the appliance, see Options to Disable or Force Blocking for All IPS Rules.
For information about suppression, see Options to Suppress a Vulnerability or an IPS Rule.
NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.
Parameters
None
Output Fields
The following table describes the output fields for the command. Fields are listed in the approximate order in which
they appear in the output.
• block—The appliance is deployed inline and blocks malicious traffic at this interface.
• bypass—The appliance is deployed inline but does not analyze or block traffic at this interface.
• tap—The appliance is deployed in SPAN or TAP mode and monitors malicious traffic at this interface.
policy Type of standard (non-IPS) policy active on the interface:
• mixed—Both local and global policies are active on the interface. The local policy overrides the global policy.
• --—Matched traffic cannot be blocked because the interface is not configured for inline blocking.
SUPPRESSED Indicates whether the specified signature is suppressed or allowed on the specified interface:
Sample Output
• Aggregation of IPS Data
IPS Policy Configuration
From a CM series platform CLI, you can create, modify, or delete custom IPS policies on a managed IPS-enabled
platform. For more information, see Configuring an IPS Policy Using a CMC Profile (CLI).
For general information about NX Series appliances managed from a CM Series appliance, see the NX Series
System Administration Guide.
IPS Events
On a CM series platform that manages one or more IPS-enabled platforms, you can filter the
Alerts > Web MPS > IPS Events page to display IPS events and IPS alerts for a single IPS-enabled platform
or for multiple platforms. If the CM series platform manages multiple IPS-enabled platforms, the page
displays consolidated results.
IPS Alerts
On a CM series platform that manages one or more IPS-enabled platforms, you can filter the
Alerts > Web MPS > Alerts page to display the IPS alerts for a single NX Series appliance or for a group of
NX Series appliances. If the CM series platform manages multiple IPS-enabled platforms, the page displays
consolidated results that include all IPS alerts generated on the managed appliances.
IPS Reports
On a CM series platform that manages one or more IPS-enabled platforms, you can use the Reports page
to generate the following IPS-specific reports:
• IPS Executive Summary
• IPS Top N Attacks
• IPS Top N Attackers
• IPS Top N Victims
• IPS Top N MVX-Correlated
IPS Custom Rules
The CM series platform Settings > IPS page does not support importing of IPS custom rules to a managed
IPS-enabled platform.
Prerequisites
Procedure
2. Configure the first command of the CMC profile to create a custom IPS policy.
The following example configures profile c1 to create a custom IPS policy named p1.
hostname (config) # cmc profile c1 comment "IPS policy for IPS-ena NX platforms"
hostname (config) # cmc profile c1 command 1 "ips policy p1"
3. Configure the profile to specify required match attributes for the custom IPS policy.
The following example configures the attack-target, min-severity, and max-severity attributes.
4. (Optional) Configure the profile to specify optional match attributes for the custom IPS policy.
hostname (config)# cmc profile c1 command 5 "ips policy p1 match protocol SNMP"
5. (Optional) Configure the profile to specify optional rule exclusion or inclusion attributes for the custom IPS
policy.
The following example configures the optional rules exclude and rules include attributes.
hostname (config) # cmc profile c1 command 6 "ips policy p1 rules exclude 85300001"
hostname (config) # cmc profile c1 command 7 "ips policy p1 rules include 85300002"
hostname (config) # cmc profile c1 command 8 "ips policy p1 rules include 85300003"
6. Before you save the CMC profile to managed IPS-enabled platforms, list the CLI commands and comments in
the profile.
The following example step lists the CLI commands in the profile c1.
NOTE: To delete a command from the profile, use the no cmc profile name command and specify the
command sequence_number option. The following example deletes the eighth command from the profile:
• To apply the profile to a single managed appliance, use the cmc profile name command and specify the
apply appliance name option.
The following example step applies the profile to the appliance NX_4400_IPS.
The configuration for the managed appliance NX_4400_IPS includes the definition of the custom IPS
profile p1.
• To apply the profile to a group of managed appliances, use the cmc profile name command and specify
the apply group name option.
The following example step applies the profile to the appliances in the group NXips, which is composed
of IPS-enabled appliances named NX_900_IPS and NX_10000_IPS.
The configurations for the managed appliances in group NXips include the definition of the custom IPS
profile p1.
Prerequisites
• Verify that you can access the IPS-enabled platforms you want to manage.
• Verify that the IPS policy to be applied at multiple platforms is identical across those platforms by comparing
the fingerprints.
NOTE: For this software release, IPS policy fingerprints can be verified from the CLI only.
In the following example, the IPS policy p1 is defined identically on the two IPS-enabled platforms that are
centrally managed in the group NXips.
host (config) # cmc execute group NXips command "show ips policies p1 fingerprint"
============ Appliance NX_900_IPS ============
Execution was successful.
Execution output:
2014/04/18 12:36:34 | 4862cb13e6777d20c3b720d9d5b471a4
============ Appliance NX_10000_IPS ============
Execution was successful.
Execution output:
2014/04/18 13:01:58 | 4862cb13e6777d20c3b720d9d5b471a4
Procedure
2. Use the Group and Appliance drop-down menus to select the IPS-enabled platforms you want to manage.
4. To apply an IPS policy to monitoring interfaces on multiple managed IPS-enabled platforms, click Apply Policy
in the Actions column for that policy.
5. Select the monitoring interfaces to which you want the IPS policy applied.
6. Click Apply Policy.
7. Click Done.
Prerequisites
• Verify that the IPS policy to be applied at multiple platforms is identical across those platforms by comparing
the fingerprints.
In the following example, the IPS policy p1 is defined identically on the managed appliances in the group
NXips.
host (config) # cmc execute group NXips command "show ips policies p1 fingerprint"
============ Appliance NX_900_IPS ============
Execution was successful.
Execution output:
2014/04/18 12:36:34 | 4862cb13e6777d20c3b720d9d5b471a4
============ Appliance NX_10000_IPS ============
Execution was successful.
Execution output:
2014/04/18 13:01:58 | 4862cb13e6777d20c3b720d9d5b471a4
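The fingerprint comparison in the two prerequisite examples above can be automated. The following added example (not FireEye code) parses the transcript format of cmc execute group ... command "show ips policies p1 fingerprint" shown above and reports any appliance whose fingerprint is missing or differs from the others; the appliance NX_EXAMPLE_IPS and its all-zero fingerprint are constructed placeholders that show the mismatch case.

```python
import re
from typing import Dict, List, Optional

# Constructed sample transcript modelled on the cmc execute group output in this guide.
# NX_EXAMPLE_IPS and its fingerprint are placeholders added to show the mismatch case.
SAMPLE_OUTPUT = """\
============ Appliance NX_900_IPS ============
Execution was successful.
Execution output:
2014/04/18 12:36:34 | 4862cb13e6777d20c3b720d9d5b471a4
============ Appliance NX_10000_IPS ============
Execution was successful.
Execution output:
2014/04/18 13:01:58 | 4862cb13e6777d20c3b720d9d5b471a4
============ Appliance NX_EXAMPLE_IPS ============
Execution was successful.
Execution output:
2014/04/18 13:02:11 | 00000000000000000000000000000000
"""

HEADER_RE = re.compile(r"^=+ Appliance (\S+) =+$")
# "<date> <time> | <32 hex chars>", as in the fingerprint output lines
FINGERPRINT_RE = re.compile(r"^\S+ \S+ \| ([0-9a-f]{32})$")

def parse_fingerprints(output: str) -> Dict[str, Optional[str]]:
    """Map each appliance in the transcript to its policy fingerprint, or None when
    the appliance section carries no fingerprint (failed execution, missing policy)."""
    fingerprints: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    for raw in output.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            fingerprints[current] = None
            continue
        match = FINGERPRINT_RE.match(line)
        if match and current is not None:
            fingerprints[current] = match.group(1)
    return fingerprints

def divergent_appliances(fingerprints: Dict[str, Optional[str]]) -> List[str]:
    """Appliances whose fingerprint is missing or differs from the most common one.
    An empty list means the policy is identical everywhere and safe to apply to the group."""
    seen = [fp for fp in fingerprints.values() if fp is not None]
    if not seen:
        return sorted(fingerprints)
    reference = max(set(seen), key=seen.count)
    return sorted(name for name, fp in fingerprints.items() if fp != reference)
```

Apply the group-wide ips apply only when divergent_appliances returns an empty list; otherwise fix the listed appliances first.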
Procedure
The following example applies IPS policy p1 to interface A on appliance named NX4400.
host (config) # cmc execute appliance NX4400 command "ips apply p1 interface A"
============ Appliance NX4400 ============
Execution was successful.
Execution output:
(none)
• To apply the policy to interfaces on a group of managed appliances, use the cmc execute group name
command and specify the command command_text option.
The following example applies IPS policy p1 to interface A of the appliances in group NXips, which is
composed of IPS-enabled appliances NX_900_IPS and NX_10000_IPS.
host (config) # cmc execute group NXips command "ips apply p1 interface A"
============ Appliance NX_900_IPS ============
Execution was successful.
Execution output:
(none)
============ Appliance NX_10000_IPS ============
Execution was successful.
Execution output:
(none)
The IPS policy p1 is activated on interface A of the managed appliances in group NXips.