
NX Series

IPS Feature Guide

Release 7.6
FireEye and the FireEye logo are registered trademarks of FireEye, Inc. in the United States and other
countries. All other trademarks are the property of their respective owners.

FireEye assumes no responsibility for any inaccuracies in this document. FireEye reserves the right to
change, modify, transfer, or otherwise revise this publication without notice.

Copyright © 2015 FireEye, Inc. All rights reserved.

NX Series IPS Feature Guide

Release 7.6

Revision 1

FireEye Contact Information:

Website: www.fireeye.com

Support Email: support@fireeye.com

Phone:

United States: 877.FIREEYE (877.347.3393)

United Kingdom: 44.203.106.4828

Other: 408.321.6300
Contents

INTRODUCING IPS ON NX SERIES APPLIANCES 7

IPS Features 8

IPS Events and IPS Alerts 11

IPS Support in the NX Series Web UI 13

IPS Support in the NX Series CLI 14

INITIAL CONFIGURATION OF IPS 15

Preparing the Appliance to Support IPS Features 16

Enabling IPS Capabilities 19

Configuring How IPS Event Notifications Are Sent 23

Configuring When IPS Event Notifications Are Sent 28

Configuring Notification of Inline Packet Inspection Process State Changes (CLI) 31

INITIAL ACTIVATION OF IPS 35

Optional: Disabling or Forcing Blocking for All IPS Rules (CLI) 36

Activating IPS Processing 38

Displaying IPS Events and Alerts (Web UI) 41

Testing IPS Event Notifications 46

Optional: Re-Enabling Blocking for All IPS Rules (CLI) 48

Beyond the Basics: Fine-Tuning the IPS Configuration 49

IPS INFORMATION IN THE DASHBOARD 51

About the Dashboard of an IPS-Enabled Appliance 52

Dashboard > What's Happening 55

Dashboard > IPS Trend 57

IPS ALERTS FOR MVX-CORRELATED EVENTS 59

About IPS Event Correlation and Verification 60

IPS Events Page 62

IPS Events Page Drill-Down View 67

Alerts > Hosts Page 69

Alerts > Alerts Page 74

Alerts > Callback Activity Page 78




IPS DETECTION OF RECONNAISSANCE ACTIVITY 81

About IPS Detection of Reconnaissance Activity 82

Showing IPS Reconnaissance Events (Web UI) 83

Reconnaissance Event Entries in the IPS Events Page 85

IPS Reconnaissance Event Details for Ping Sweeps 87

IPS Reconnaissance Event Details for Port Scans 88

Enabling IPS Detection of Reconnaissance Activity (CLI) 90

Configuring the Detection Thresholds for Reconnaissance Events (CLI) 91

IPS DETECTION OF BRUTE-FORCE ATTACKS 93

About IPS Detection of Brute-Force Attacks 94

Showing Brute-Force Events (Web UI) 95

Brute-Force Event Entries in the IPS Events Page 97

Brute-Force Event Details 99

Enabling Detailed Inspection Mode (CLI) 100

Configuring the Detection Threshold for Brute-Force Attacks (CLI) 101

Disabling Detection of Brute-Force Attacks (Web UI) 102

Suppressing an IPS Brute-Force Rule (Web UI) 104

IPS EVENT AND ALERT MANAGEMENT 105

IPS Event Notifications 106

IPS Event Acknowledgment 108

IPS POLICIES 117

About IPS Policies 118

Attributes of IPS Policies 120

Settings > IPS Page 124

Settings > IPS > Policy Editor Page 126

Displaying the Attributes of an IPS Policy (CLI) 129

Displaying Details About IPS Policies Applied to Monitoring Interfaces (CLI) 130

IPS POLICY CONFIGURATION 131

Creating a Custom IPS Policy (CLI) 132

Cloning an IPS Policy 133

Editing an IPS Policy 136



Release 7.5

Deleting an IPS Policy 146

IPS POLICY APPLICATION AT MONITORING INTERFACES 149

Applying an IPS Policy to Monitoring Interfaces 150

Removing All IPS Policies from Monitoring Interfaces 153

Removing a Single IPS Policy from Monitoring Interfaces 156

Managing Auto-Addition of New IPS Rules to Active Interfaces 159

IPS RULE ACTION OVERRIDES 163

Options to Disable or Force Blocking for All IPS Rules 164

Options to Disable or Force Blocking for a Vulnerability or an IPS Rule 170

Options to Suppress a Vulnerability or an IPS Rule 176

Displaying Overrides to Vulnerabilities or IPS Rules (Web UI) 182

IPS RULES BASED ON CUSTOM SIGNATURES 185

Overview of Custom IPS Rules 186

Syntax for Custom IPS Rules 187

Importing Custom IPS Rules (Web UI) 193

Downloading Custom IPS Rules (Web UI) 195

Deleting All Custom IPS Rules (Web UI) 197

IPS REPORTS 199

IPS Executive Summary 200

IPS Policy Configuration Summary 204

IPS Policy Configuration Details 207

IPS Top N Attacks 211

IPS Top N Attackers 214

IPS Top N Victims 217

IPS Top N MVX-Correlated 220

APPENDIX: CLI SUPPORT FOR IPS FEATURES 223

email notify event (Option for IPS) 224

fenotify alert ips-event 226

fenotify preferences ips-delivery-mode 228

ips apply 229

ips auto-update enable 231




ips blockmode 232

ips brute-force threshold 234

ips detail-filter 235

ips policy 237

ips policy clone 238

ips policy match 239

ips policy rules 243

ips reconnaissance enable 245

ips reconnaissance threshold 246

policymgr signature 248

show fenotify alerts (Output for IPS) 251

show fenotify preferences 253

show ips interfaces 255

show ips policies 256

show ips reconnaissance 259

show ips status 261

show policymgr signatures 264

APPENDIX: CM SERIES SUPPORT FOR IPS FEATURES 267

Overview of CM Series Support for IPS-Enabled Platforms 268

Configuring an IPS Policy Using a CMC Profile (CLI) 270

Applying an IPS Policy to Managed Platforms (Web UI) 273

Applying an IPS Policy to Managed Platforms (CLI) 274



Introducing IPS on NX Series Appliances
This section provides an overview of IPS for this release of FireEye NX Series threat prevention platforms.

IPS Features 8

IPS Events and IPS Alerts 11

IPS Support in the NX Series Web UI 13

IPS Support in the NX Series CLI 14




IPS Features
FireEye Integrated Intrusion Prevention System (IPS) features can be added to an NX Series appliance to optimize
network security and enable compliance. The combination of signature-based and signatureless technologies
protects against known and unknown threats, reduces false alerts, and highlights attacks hidden within the noise.

Expanded Scope of Network Threat Protection


FireEye™ IPS features enable you to deploy a FireEye NX Series network threat prevention platform as a single-
device, multiphase solution that protects your network from attacks across multiple protocols. The NX Series
appliance detects known and zero-day exploits delivered to client machines in your network via HTTP, along with
the vulnerabilities those exploits target.

When you activate IPS features, the NX Series appliance capabilities expand to detect Web-borne threats that use
a variety of protocols and can attack clients, servers, or both. Configurable, policy-based selection of the security
content rules in the appliance's IPS rules database, combined with automatic correlation of detected threats and
verified attacks, ensure that IPS alerts point to actionable activity.

NX Series Platform: Protection from Client-Directed HTTP-based Malware


The standard NX Series appliance, without IPS features enabled, protects network clients against malware attacks
that use either OS exploits or Web infections as HTTP-based propagation vectors. Using its signature-based and
signature-less internal rules engines, the NX Series appliance provides turnkey client vulnerability coverage. The
appliance automatically detects HTTP attack vulnerabilities in client systems and applications, detects infected
hosts, and blocks unauthorized outbound transmissions across multiple protocols.

The NX Series subsystem builds its database of security content rules in several ways:

• Locally generated and custom rules—Based on the Web traffic that the NX Series appliance monitors in your
network, the appliance's rules engines continuously expand the appliance's database of organically generated
content rules. Each rule specifies a malware fingerprint, criteria for matching the rule to monitored data
packets, and the actions that the appliance is to take on a matched packet. You can also upload custom rules
so that your appliance detects and generates alerts for specific traffic patterns that you identify.

• Enterprise-wide rules—If you use FireEye's CM Series appliance to centrally manage multiple NX Series
appliances, EX Series appliances, and security content updates, NX Series content rules are shared among
your integrated appliances.

• Dynamically generated rules—Using malware intelligence information shared by customers that connect to
FireEye's Dynamic Threat Intelligence (DTI) cloud, FireEye analyzes code for malicious intent and creates a
fingerprint of all confirmed malware. If you enable a network connection from your NX Series appliance to the
DTI cloud, FireEye automatically pushes dynamically generated content rules to your appliance in real time.

NOTE: All FireEye appliances can download security content, software updates, and software patches from the
FireEye DTI cloud. You can also choose to send anonymized threat intelligence information from the
NX Series appliance to the global subscriber base via the DTI cloud.

The patented Multi-Vector Virtual Execution (MVX) engine, the core of all FireEye platforms, accurately confirms
zero-day and targeted advanced persistent threat (APT) attacks. The threat verification performed by the
MVX engine enables the standard NX Series appliance to protect your client systems against known malware as
well as zero-day malware attacks, while triggering near-zero false positive alerts.




NX Series Platform With IPS: Client and Host Protection Across Multiple Protocols
The addition of IPS features extends the NX Series appliance's scope of protection beyond client-centric HTTP-
based malware. IPS features use signature-based content rules to detect client-centric and server-centric attacks
over multiple protocols. To activate IPS processing, you add a FireEye IPS license to the appliance and then apply
a set of IPS security content rules to the network traffic that passes through the monitoring interfaces. The
characteristics of the security content rules applied at an interface are determined by the IPS policy you select for
that traffic flow.

IPS features include a set of default IPS policies that specify basic IPS rule-selection criteria. The default policies
support initial baseline profiling and all basic deployment scenarios. As an option—based on the profile of
IPS alerts triggered, the content of your Web traffic, and your corporate Web use policies—you can create custom
IPS policies to fine-tune the selection of IPS rules applied to your network traffic.

The default IPS policies select IPS rules using the following criteria:

• Attack target (client, server, or both) to which the IPS rule applies

• Attack severity level range (1 to 10, or a narrower range within it) to which the IPS rule applies

A custom IPS policy enables you to specify more fine-grained criteria for selecting IPS rules:

• Additional match criteria (attack protocol, attack category, or attack category and subcategory)

• Explicit exclusion or inclusion of specific rules based on signature ID

Just as you can with standard NX Series content rules, you can share dynamically created IPS rules across
centrally managed NX Series appliances in the enterprise. Similarly, you can automatically download dynamically
created IPS rules to the appliance database. You can also enable a global option that automatically re-evaluates
active IPS policies against new IPS rules and then adds matched new rules at the active monitoring interfaces.

Automatic Correlation and Verification of Identified Threats


To minimize false positive alerts, an IPS-enabled platform verifies IPS events (threats detected by IPS rules) by
using event correlation and aggregation algorithms. The algorithms compare the characteristics of client-targeted
IPS events against those of attacks verified by standard NX Series features. When an algorithm correlates an
IPS event with an MVX-verified malware alert, the platform generates an IPS alert for the IPS event.

The platform inspects the other IPS events in the MVX engine, using the same vulnerability execution environment
as the original session that contained the matched traffic. If the result of MVX verification shows the IPS event to be
non-malicious, the platform categorizes the event as a non-attack.

Detection of Reconnaissance Activity and Brute-Force Attacks


The IPS-enabled platform can detect reconnaissance activity and brute-force attacks.

The IPS-enabled rules engine uses IPS brute-force rules to detect repeated failed login attempts. The engine also
detects common password-stealing and password-guessing mechanisms, such as dictionary attacks. When a brute-
force attack is found, the platform triggers a brute-force event.

An IPS-enabled platform can detect reconnaissance activity in progress early in the threat life cycle before intruders
gain a full understanding of your network. The platform detects ping sweeps and port scans that target ports, hosts,
or networks. When suspicious activity reaches a threshold, the platform triggers a ping sweep event or a port scan
event.
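As an added illustration of the threshold idea in this section (not FireEye code, and not the NX Series detection algorithm), the following Python counts distinct ICMP targets per source and distinct TCP ports per source-and-host pair inside a sliding time window over a small set of constructed flow records, and raises a ping sweep or port scan event the first time a count reaches its threshold. The thresholds, window length and record format are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed flow; a constructed stand-in for what a sensor sees on a monitoring interface."""
    ts: float    # seconds since an arbitrary epoch
    src: str     # source IP
    dst: str     # destination IP
    proto: str   # "icmp" (echo request) or "tcp" (connection attempt)
    dport: int   # destination port; 0 for ICMP


# Assumed thresholds for the example; the appliance's real thresholds are set with the CLI
# commands described later in the guide, not by these constants.
PING_SWEEP_HOSTS = 5     # distinct hosts one source must probe with ICMP to count as a sweep
PORT_SCAN_PORTS = 10     # distinct ports one source must probe on one host to count as a scan
WINDOW_SECONDS = 60.0    # only activity inside this sliding window counts toward a threshold


def _prune(seen: dict, now: float, window: float) -> None:
    """Forget targets whose last probe falls outside the sliding window."""
    for key in [k for k, last in seen.items() if now - last > window]:
        del seen[key]


def detect_recon(flows, sweep_hosts=PING_SWEEP_HOSTS, scan_ports=PORT_SCAN_PORTS,
                 window=WINDOW_SECONDS):
    """Return one event per (source, type) the first time a threshold is crossed.

    A ping sweep is one source reaching at least `sweep_hosts` distinct hosts with ICMP;
    a port scan is one source reaching at least `scan_ports` distinct TCP ports on one host.
    """
    sweep_targets = defaultdict(dict)   # src -> {dst: last_ts}
    scan_targets = defaultdict(dict)    # (src, dst) -> {dport: last_ts}
    fired = set()                       # keys already reported, so each crossing fires once
    events = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto == "icmp":
            seen, key, limit = sweep_targets[f.src], ("ping_sweep", f.src), sweep_hosts
            seen[f.dst] = f.ts
        elif f.proto == "tcp":
            seen, key, limit = scan_targets[(f.src, f.dst)], ("port_scan", f.src, f.dst), scan_ports
            seen[f.dport] = f.ts
        else:
            continue
        _prune(seen, f.ts, window)
        if len(seen) >= limit and key not in fired:
            fired.add(key)
            events.append({"type": key[0], "src": f.src, "count": len(seen), "ts": f.ts,
                           "target": f.dst if key[0] == "port_scan" else None})
    return events


# Constructed traffic: a scanner (10.0.0.5), a normal client (10.0.0.9) and a slow pinger
# (10.0.0.7) whose probes are spread wider than the window and so never reach the threshold.
SAMPLE_FLOWS = (
    [Flow(float(i), "10.0.0.5", f"10.0.1.{i + 1}", "icmp", 0) for i in range(6)]
    + [Flow(10.0 + i, "10.0.0.5", "10.0.1.1", "tcp", 20 + i) for i in range(12)]
    + [Flow(30.0, "10.0.0.9", "10.0.1.1", "tcp", 80), Flow(31.0, "10.0.0.9", "10.0.1.1", "tcp", 443)]
    + [Flow(float(i), "10.0.0.7", f"10.0.2.{i + 1}", "icmp", 0) for i in range(4)]
    + [Flow(200.0, "10.0.0.7", "10.0.2.9", "icmp", 0)]
)


if __name__ == "__main__":
    for event in detect_recon(SAMPLE_FLOWS):
        print(event)
```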




Automatic Protection from Advanced Evasion Techniques


Persistent, well-funded attackers commonly use advanced evasion techniques (AETs) to bypass firewalls and
network intrusion detection systems and gain undetected access to target systems. An AET combines several
different known evasion methods to create a new hacking method. It works by subdividing malicious code and then
sending the fragments, disguised, across multiple protocols. Signature-based content rules alone are not effective
against AETs.

When deployed inline, an IPS-enabled platform prevents exploits and attacks that have been disguised by AETs.
Before the platform applies policy-selected signature rules to your monitored traffic, its IPS-enabled rules engine
preprocesses the traffic, detecting instances of AETs and modifying the content to normalize the disguised threats.

An inline-deployed IPS-enabled platform with monitoring interfaces configured for inline blocking prevents network
attacks disguised by the following advanced evasion techniques that attempt to bypass signature rules:

Advanced Evasion Technique: Detection and Normalization by IPS Preprocessing

IP fragmentation attack
IP packet stream preprocessing within the IPS-enabled rules engine reassembles IP fragments into proper packet
sequences based on a Windows-specific endpoint behavior.
NOTE: On a standard NX Series appliance, detection and normalization of IP fragmentation attacks is performed by
preprocessing within the appliance's signature rules engine.

TCP stream segmentation
TCP packet stream preprocessing within the IPS-enabled rules engine reorders and reassembles TCP segments into
proper packet sequences based on a Windows-specific endpoint behavior.
NOTE: On a standard NX Series appliance, detection and normalization of TCP segmentation attacks is performed by
preprocessing within the appliance's signature rules engine.

HTTP URL obfuscation
HTTP preprocessing within the IPS-enabled rules engine performs URL decoding in order to detect and normalize
HTTP URLs that employ the following encoding techniques:
• Hexadecimal, binary, DWORD, and octal encoding
• Escape encoding
• Unicode encoding
• UTF-8 encoding
• Path character transformations and expansions

HTML encodings
HTML preprocessing within the IPS-enabled rules engine detects and normalizes malicious HTML documents that use
the following techniques:
• Chunked encoding
• GZIP compression
• Base 64 character encoding of binary data
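As an added illustration (not FireEye code, and not the NX Series preprocessor itself) of why HTTP URL normalization has to run before signature rules are applied, the following Python decodes the escape, Unicode (%uXXXX) and UTF-8 encodings listed above, resolves path transformations, and then compares a plain substring signature against both the raw and the normalized request path. The signature string, the sample request paths, the bounded decode loop and the case-folding of the path are constructed assumptions for the example.

```python
import posixpath
import re
from urllib.parse import unquote_to_bytes

# Constructed example signature: the substring a content rule might look for in a request path.
SIGNATURE = "/cmd.exe"

_UNICODE_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")
_MAX_DECODE_ROUNDS = 4  # assumption: bound the loop so layered encodings cannot spin forever


def decode_unicode_escapes(url: str) -> str:
    """Replace %uXXXX escapes (Unicode encoding) with the character they denote.

    Lone surrogate code points are left encoded, since they cannot be represented in UTF-8.
    """
    def _sub(m):
        cp = int(m.group(1), 16)
        return m.group(0) if 0xD800 <= cp <= 0xDFFF else chr(cp)
    return _UNICODE_ESCAPE.sub(_sub, url)


def percent_decode_once(url: str) -> str:
    """Decode one layer of %XX escapes (hexadecimal/escape encoding), reading the bytes as UTF-8."""
    return unquote_to_bytes(url).decode("utf-8", errors="replace")


def decode_escapes(url: str) -> str:
    """Apply Unicode and percent decoding repeatedly until the string stops changing.

    Double encoding (%2563 -> %63 -> 'c') is caught because each round removes one layer.
    """
    current = url
    for _ in range(_MAX_DECODE_ROUNDS):
        decoded = percent_decode_once(decode_unicode_escapes(current))
        if decoded == current:
            break
        current = decoded
    return current


def normalize_path(path: str) -> str:
    """Undo path character transformations and expansions.

    Backslashes become slashes, repeated slashes collapse, '.' and '..' segments are
    resolved, and the result is lower-cased (assumption: the target file system is
    case-insensitive, in line with the Windows-specific endpoint behavior the table mentions).
    """
    path = path.replace("\\", "/")
    path = re.sub(r"/+", "/", path)
    path = posixpath.normpath(path)
    return path.lower()


def normalize_url(url: str) -> str:
    """Full normalization of a request URL: decode escapes, then normalize the path part only."""
    decoded = decode_escapes(url)
    path, sep, query = decoded.partition("?")
    return normalize_path(path) + sep + query


def signature_hits(url: str, signature: str = SIGNATURE) -> tuple:
    """Return (raw_match, normalized_url, normalized_match) for one request path."""
    normalized = normalize_url(url)
    return (signature in url, normalized, signature in normalized)


# Constructed obfuscated request paths, one per encoding technique in the table above,
# plus a benign request that must not match before or after normalization.
SAMPLE_REQUESTS = {
    "hex/escape encoding": "/images/%2e%2e/cgi%2dbin/%63md%2eexe",
    "double percent encoding": "/cgi-bin/%2563md.exe",
    "unicode %u encoding": "/cgi-bin//%u0063md.exe",
    "path transformation": "/cgi-bin\\CMD.EXE?x=1",
    "benign request": "/images/logo.png",
}


def summarize() -> dict:
    """Map each sample name to (raw_match, normalized_url, normalized_match)."""
    return {name: signature_hits(url) for name, url in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (raw, norm, hit) in summarize().items():
        print(f"{name:24} raw_match={raw!s:5} normalized={norm!r:26} normalized_match={hit}")
```

Only the normalized form matches for every obfuscated sample, which is the gap a signature-only engine without preprocessing leaves open.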




IPS Events and IPS Alerts


This topic covers the following information:

• Malware Events

• Malware Alerts

• IPS Events

• IPS Alerts

Malware Events
A standard NX Series appliance (or an IPS-enabled appliance without IPS rules activated against a monitoring
interface) automatically monitors the network traffic that passes through all monitoring interfaces, checking for
client-targeting malware delivered via HTTP and detecting suspicious callbacks over multiple protocols. By default
and without entailing any configuration settings, the NX Series appliance automatically performs malware detection
based on standard NX Series security content rules.

When operating in standard mode without IPS features activated, the NX Series appliance uses all the malware
detection security content rules—FireEye-provided, locally generated, and dynamically generated signature-based
rules—in the appliance rules database. If you have incorporated custom security content rules for malware
detection, the NX Series appliance also applies those rules to all monitoring interfaces.

Malware Alerts
Malware events detected by the standard NX Series signature-based rules engine identify various incidents as they
correlate to specific phases of the malware infection life cycle. The platform sends the suspected exploits to the
Multi-Vector Virtual Execution (MVX) engine for detonation and second stage analysis. The MVX engine provides
dynamic, real-time analysis of advanced malware. The MVX engine captures and confirms zero-day and targeted
advanced persistent threat (APT) attacks by detonating suspicious files and Web objects within virtual machine
environments. Because the MVX engine operates in an isolated and virtualized network, this traffic remains internal
to the appliance.

Signature-less verification within the purpose-built MVX engine means that the standard NX Series rules for
malware detection raise near-zero false positive events. The standard NX Series platform automatically applies its
entire database of standard NX Series rules to network traffic at all appliance monitoring ports with no filtering or
other tuning required.

To investigate MVX-verified malware events, you can filter or sort the list of alerts in the Web UI Alerts page and
drill down for more details about specific alerts. For more information, see the NX Series Threat Management
Guide.

IPS Events
If you apply an IPS policy to monitoring interfaces on an IPS-enabled platform, the system uses IPS rules—in
addition to the FireEye-provided and locally generated standard NX Series signature rules—to analyze the traffic
passing through those ports. The system uses the IPS rules to detect traffic patterns that indicate the delivery of
potential client-targeting and server-targeting threats to your environment over multiple protocols.

You can configure NX Series notification settings to automatically distribute IPS events by email using SMTP email,
posting to Web servers, logging messages to remote syslog servers, or sending traps to SNMP servers.




To investigate suspicious traffic flows detected by IPS rules, you can filter or sort the list of events in the IPS Events
page and drill down for more details about specific events. For more information, see IPS Events Page and
IPS Events Page Drill-Down View.

IPS Alerts for MVX-Correlated IPS Events


In traditional IPS solutions, signature-based rules for detecting vulnerabilities and exploits generate a high rate of
false-positive alerts. IPS-enabled platforms significantly reduce false-positive alerts by applying event correlation
algorithms to IPS events whenever possible. The algorithms ensure that IPS alerts are limited to IPS events that
correlate with attacks verified by standard NX Series features. The event correlation feature cannot be disabled and
is not configurable.

The Web UI lists IPS alerts (IPS events that correlate with MVX-verified malware alerts) in both the Alerts page and
the IPS Events page.

• Displayed in the IPS Events page, identified by the following badge: [badge image]

• Displayed in the Alerts page, identified by the following badge: [badge image]

For more information, see IPS Events Page, Alerts > Hosts Page, and Alerts > Alerts Page.

NOTE: If an IPS event is detected on a monitoring interface configured for inline deployment mode, and if the event
was triggered by an IPS rule match on traffic that was blocked, the platform is unable to correlate the IPS event with
MVX-verified malware alerts. The blocking action causes all subsequent packets in that session to be dropped, and
consequently the signature-based rules engine cannot send objects from the suspicious traffic flow to the MVX
engine for confirmation of the client-targeting attack. Without this MVX verification component, the IPS-enabled
rules engine cannot determine whether the IPS event qualifies as an IPS alert.




IPS Support in the NX Series Web UI


When IPS capabilities are enabled, the NX Series Web UI supports IPS features through additional elements.

IPS Component: NX Series Web UI Support (IPS-Enabled Platforms Only)

IPS statistics
Included in the following Dashboard panels:
• What's Happening—Displays the number of recent IPS alerts.
• IPS Trend—Graph of recent IPS alerts and IPS critical events.

IPS policy application and IPS rules auto-add control
Managed from the Settings > IPS page:
• Clone, edit, or delete an IPS policy.
• Apply or remove an IPS policy at a monitoring interface.
• Enable or disable the Auto Add Rules feature.

IPS rule action overrides
Managed from the drill-down view of the IPS Events page:
• Disable or allow blocking for all IPS rules.
• Force blocking per IPS rule.
• Suppress a noisy IPS rule.

IPS custom rules
Managed from the Settings > IPS page:
• Import custom IPS rules from a file (deletes all existing custom IPS rules).
• Download all existing custom IPS rules to a file.

IPS events (including IPS alerts)
Managed from the IPS Events page:
• Display all IPS events and IPS alerts.
• Acknowledge IPS events.
• Enable or disable IPS detection of reconnaissance activity.

IPS alerts (MVX-correlated IPS events)
In the Alerts > Hosts and Alerts > Alerts pages, IPS alerts are identified by the following badge: [badge image]
In the IPS Events page, IPS alerts are identified by the following badge: [badge image]

IPS events verified as non-malicious
In the IPS Events page, IPS events that have been verified to be non-malicious are identified by the following
badge: [badge image]

IPS reports
Supported in the Reports page by the following IPS-specific reports:
• IPS Executive Summary
• IPS Policy Configuration Summary
• IPS Policy Configuration Detail
• Top N Attacks
• Top N Attackers
• Top N Victims
• IPS Top N MVX-Correlated




IPS Support in the NX Series CLI


On an IPS-enabled platform, the NX Series CLI supports IPS through enhanced or additional CLI commands:

IPS Feature: NX Series CLI Support (IPS-Enabled Platforms Only)

Inline packet inspection
The following command enables or disables email notification of state changes (stopping and starting) of the
inline packet inspection process:
• email notify event inline-engine-down (Option for IPS)

IPS event notification
The following commands manage notifications for IPS events:
• fenotify alert ips-event (Option for IPS)
• fenotify preferences ips-delivery-mode
• show fenotify alerts (Output for IPS)
• show fenotify preferences

IPS policy configuration
The following commands manage custom IPS policies:
• ips policy
• ips policy clone
• ips policy match
• ips policy rules
• show ips policies

IPS policy application
The following commands display the associations of IPS policies to interfaces:
• ips apply
• show ips interfaces
• show policymgr signatures

Inline blocking mode
The following commands disable, allow, or force blocking actions for all IPS rules:
• ips blockmode disabled
• no ips blockmode
• ips blockmode all

Auto-addition of new IPS rules to active interfaces
The following command enables or disables automatic addition of new IPS rules to active IPS policies:
• ips auto-update enable

IPS detection of reconnaissance activity and brute-force attacks
The following commands enable and configure IPS detection of reconnaissance activity and brute-force attacks:
• ips brute-force threshold
• ips detail-filter
• ips reconnaissance enable
• ips reconnaissance threshold
• show ips reconnaissance



Initial Configuration of IPS
Before you activate IPS processing, configure basic IPS features, without custom IPS policies or rules.

Preparing the Appliance to Support IPS Features 16

Enabling IPS Capabilities 19

Configuring How IPS Event Notifications Are Sent 23

Configuring When IPS Event Notifications Are Sent 28

Configuring Notification of Inline Packet Inspection Process State Changes (CLI) 31




Preparing the Appliance to Support IPS Features


This section covers the following information:

• Preparing to Support IPS Features (Web UI)

• Preparing to Support IPS Features (CLI)

Preparing to Support IPS Features (Web UI)


This topic describes how to use the Web UI to prepare an NX Series appliance to support IPS features.

Procedure

To prepare the appliance to support IPS features:


1. Log in to the appliance Web UI as Operator or Admin. To display the role associated with your user account,
use the show whoami CLI command.

To access the FireEye Appliance login page for your NX Series appliance, open a supported Web browser
and enter https://appliance in the address box, where appliance is the IP address or hostname of your
appliance.

2. Verify that your NX Series model supports IPS features. IPS features are supported on NX 900, NX 1400,
NX 2400, NX 4400/4420, NX 7400/7420, and NX 10000 appliances running Release 7.2.0 software or newer.

◦ The appliance model information appears in the About > Health Check page, within the
System Information section. See the Model field.

◦ The installed version of the appliance image appears in the About > Update page, in the
Appliance Image row. See the Installed Version field.




3. Verify that the appliance can connect to FireEye's DTI cloud, as described in the NX Series System
Administration Guide.

The following list summarizes security content update requirements for a standalone NX Series appliance.

◦ The appliance communicates with the DTI cloud through its ether1 Ethernet management interface, and
the ether1 port requires a static IP address or reserved DHCP address and IP subnet mask.

◦ Your network configuration must allow the appliance to establish outbound connections from the
management port over UDP port 53 and TCP port 443 to the Internet and exchange data encrypted via 256-bit
SSL (Secure Sockets Layer).

NOTE: These communications port requirements are in addition to the basic requirements that network
configuration must allow the appliance management port to be accessed via TCP port 22 (for the SSH
command-line interface) and TCP port 443 (for the HTTPS Web user interface).

◦ Your network configuration must allow the appliance to connect to cloud.fireeye.com. If your network
configuration includes domain-based proxy ACL rules, ensure that the rules allow access to the
*.fireeye.com domain.

◦ Receiving security content updates from the DTI cloud requires login credentials. If you do not have DTI
cloud login credentials, contact support@fireeye.com or visit the FireEye Customer Support Portal (login
required): http://www.fireeye.com/support/.

4. Verify that the appliance is licensed for security content updates.

Open the Settings > Appliance Licenses page to display information about licenses on the appliance.
Security content updates are enabled if the Appliance License Settings table displays a license for the
"CONTENT_UPDATES" feature, and the license is both "valid" and "active".

If you do not have a license for security content updates, contact support@fireeye.com or visit the FireEye
Customer Support Portal (login required): http://www.fireeye.com/support/.

5. (Recommended) Schedule automatic updating of security content. The following steps summarize the more
detailed information provided in the NX Series System Administration Guide.

a. Open the Settings > DTI Network page to display settings for the FireEye services installed on the
appliance.

b. In the Service Type column, click the Security Contents link to display the scheduling settings in the
Settings column.

c. Use the Update Frequency field to specify how often the appliance receives automatic updates of
security content.

d. If you want to enable or disable notifications of security content uploads, select or clear the option in the
Notify field.

e. Click Apply Settings.

Next Step in Setting Up IPS

Go to Enabling IPS Capabilities.




Preparing to Support IPS Features (CLI)


This topic describes how to use the CLI to prepare an NX Series appliance to support IPS features.

Procedure

To prepare the appliance to support IPS features:


1. Log in to the appliance CLI as Operator or Admin. To display the role associated with your user account, use
the show whoami CLI command.

You can access the CLI from your computer through a direct connection (from a null modem cable to the
appliance's DB-9 serial console port) or remotely (through a secure shell [SSH] connection over port 22 to the
appliance's ether1 management port).

2. Verify that your NX Series model supports IPS features. IPS features are supported on NX 900, NX 1400,
NX 2400, NX 4400/4420, NX 7400/7420, and NX 10000 appliances running Release 7.2.0 software or newer.

To verify the appliance model and software version, check the Product model and Product release fields in
the output of the show version command.  

3. Verify that the appliance can connect to FireEye's DTI cloud, as described in the NX Series System
Administration Guide.

The following list summarizes the requirements for security content updates for a standalone NX Series
appliance.

◦ The appliance communicates with the DTI cloud through its ether1 Ethernet management interface, and
the ether1 port requires a static IP address or reserved DHCP address and IP subnet mask.

◦ Your network configuration must allow the appliance to establish outbound connections from the
management port over UDP port 53 and TCP port 443 to the Internet and exchange data encrypted via 256-bit
SSL (Secure Sockets Layer).

NOTE: These communications port requirements are in addition to the basic requirements that network
configuration must allow the appliance management port to be accessed via TCP port 22 (for the SSH
command-line interface) and TCP port 443 (for the HTTPS Web user interface).

◦ Your network configuration must allow the appliance to connect to cloud.fireeye.com. If your network
configuration includes domain-based proxy ACL rules, ensure that the rules allow access to the
*.fireeye.com domain.

◦ Receiving security content updates from the DTI cloud requires login credentials. If you do not have DTI
cloud login credentials, contact support@fireeye.com or visit the FireEye Customer Support Portal (login
required): http://www.fireeye.com/support/.

4. Verify that your appliance is licensed for security content updates. The security content updates service license
is in place if the show licenses CLI command output displays a license for the "CONTENT_UPDATES"
feature, and the license is both "valid" and "active".

If you do not have a license for security content updates, contact support@fireeye.com or visit the FireEye
Customer Support Portal (login required): http://www.fireeye.com/support/.

5. (Recommended) Use the fenet security-content autoupdate schedule command to schedule automatic
updates of security content.

Next Step in Setting Up IPS

Go to Enabling IPS Capabilities.

18 Copyright © 2015 FireEye, Inc.


Release 7.5 Enabling IPS Capabilities

Enabling IPS Capabilities
This section covers the following information:

l About Enabling IPS Capabilities

l Enabling IPS Capabilities (Web UI)

l Enabling IPS Capabilities (CLI)

About Enabling IPS Capabilities


You enable IPS capabilities on a supported NX Series appliance by adding the IPS license key generated for that
appliance.

NOTE: After you enable IPS capabilities on an appliance, you must explicitly activate IPS features on the appliance
by applying IPS policies to monitoring interfaces. This task is described in Activating IPS Processing.

If you remove the IPS license, the platform is no longer IPS-enabled. If you re-apply the IPS license, the platform is
IPS-enabled again, and the platform re-applies any IPS policies that were active at the time you removed the IPS
license.

If an IPS-licensed appliance does not have the requisite IPS rules installed, you cannot apply IPS policies to
appliance monitoring interfaces. Similarly, if an IPS-licensed appliance does not have the requisite version of guest
images installed, the appliance cannot perform MVX verification.

NOTE: If you upgrade the software version on an NX Series appliance from Release 7.0.2 or 7.1.0 software to
Release 7.2.0 software, the upgrade process automatically downloads security content to the appliance database.
Therefore, as a prerequisite to upgrading to Release 7.2.0 software, the appliance must have a valid and active
license for the Content Updates service.

In a single-appliance deployment, the NX Series appliance can download security content updates (as well as
software updates and software patches) from FireEye via a network connection to the FireEye Dynamic Threat
Intelligence (DTI) cloud. For an NX Series appliance in a central management system (CMS) domain, the
CM Series appliance obtains update files from the DTI cloud and distributes them to the connected appliances.

You can enable or disable IPS capabilities by using either the Web UI or the CLI to add or remove the IPS license
key.

Enabling IPS Capabilities (Web UI)


To use the Web UI to add an IPS license to a supported platform, use the Settings > Appliance Licenses page.
The first time you add an IPS license to an NX Series platform, the system automatically downloads additional
security content to the platform database. After you complete the steps in this topic, the platform is enabled for IPS
capabilities and is ready for configuration and activation of IPS processing.

NOTE: After you enable IPS capabilities, the Web UI prompts you to apply IPS policies to monitoring interfaces on
the appliance. The steps in this procedure recommend that you exit from this prompt. You can apply IPS policies
later by using the Settings > IPS page or by using CLI commands.

Prerequisites

l Complete the steps described in Preparing the Appliance to Support IPS Features.

l Obtain an IPS license key from FireEye.

l Log in to the appliance Web UI as Operator or Admin.



Initial Configuration of IPS NX Series IPS Feature Guide

Procedure

To enable IPS capabilities on a supported NX Series appliance:


1. Open the Settings > Appliance Licenses page to display the list of licenses installed on the NX Series
appliance. Current licenses display the attribute “true” in both the Valid column and the Active column.

2. Enter your IPS license key in the License Key text box, and then click Add License.

If no monitoring interface is associated with an IPS policy, a dialog box informs you that the IPS license is
successfully added.

3. If this dialog box appears, click No, I will do it later. Within the sequence of tasks in Setting Up IPS Features,
you will configure other IPS settings (such as IPS event notifications) before you apply IPS policies to
monitoring interfaces on the appliance.

Next Step in Setting Up IPS

Go to Configuring How IPS Event Notifications Are Sent.

Enabling IPS Capabilities (CLI)


This topic describes how to use the CLI to add an IPS license to a supported platform. The first time you add an IPS
license to an NX Series platform, the system automatically downloads additional security content to the platform
database. After you complete the steps in this topic, the platform is enabled for IPS capabilities and is ready for
configuration and activation of IPS processing.

Prerequisites

l Complete the steps described in Preparing the Appliance to Support IPS Features.

l Obtain an IPS license key from FireEye.

l Log in to the appliance CLI as Operator or Admin.


Procedure

To enable IPS capabilities on a supported NX Series appliance:


1. Enter CLI configuration mode.

hostname > enable
hostname # configure terminal
hostname (config) #

2. Display the licenses installed on the appliance.

In the following example, the show licenses command output shows that three licenses are installed on the
appliance, but no IPS license is installed.

hostname (config) # show licenses

License 1: LK2-FIREEYE_APPLIANCE-1111-1111-1111-1111-1111-1111-1111-1111-1111-1111-1111-1111-1111-111
Feature: FIREEYE_APPLIANCE
Description: FireEye Appliance
Valid: yes
Product: MPS (ok)
Agreement: EULA (ok)
Op Mode: inline (ok)
Active: yes

License 2: LK2-FIREEYE_SUPPORT-2222-2222-2222-2222-2222-2222
Feature: FIREEYE_SUPPORT
Description: FireEye support
Valid: yes
Active: yes

License 3: LK2-CONTENT_UPDATES-3333-3333-3333-3333-3333-3333-3333-3333
Feature: CONTENT_UPDATES
Description: Content updates
Valid: yes
Sharing: all (ok)
Active: yes

3. Add the IPS license key to your appliance, as shown in the following example.

hostname (config) # license install LK2-IPS-4444-4444-4444-4444-4444-4444-4444-4444


4. Display the licenses installed on the appliance.

The following example shows that an IPS license is the last license added to the appliance.

hostname (config) # show licenses

License 1: LK2-FIREEYE_APPLIANCE-1111-1111-1111-1111-1111-1111-1111-1111-1111-1111-1111-1111-1111-111
...

License 2: LK2-FIREEYE_SUPPORT-2222-2222-2222-2222-2222-2222
...

License 3: LK2-CONTENT_UPDATES-3333-3333-3333-3333-3333-3333-3333-3333
...

License 4: LK2-IPS-4444-4444-4444-4444-4444-4444-4444-4444
Feature: IPS
Description: IPS feature
Valid: yes
Tied to product: MPS (ok)
Active: yes

Next Step in Setting Up IPS

Go to Configuring How IPS Event Notifications Are Sent.


Configuring How IPS Event Notifications Are Sent


This topic covers the following information:

l Criteria for Sending IPS Event Notifications

l Configuring How IPS Event Notifications Are Sent (Web UI)

l Configuring How IPS Event Notifications Are Sent (CLI)

Criteria for Sending IPS Event Notifications


IPS event notification is supported by all of the FireEye event notification methods: sending email using SMTP,
posting to Web servers, logging messages to remote syslog servers, or sending traps to SNMP servers.

l IPS event notifications sent by rsyslog include all severity levels (1 through 10).

l IPS event notifications sent by email, HTTP, or SNMP are limited to IPS critical events (severity levels 7 through
10) and IPS alerts (MVX-correlated IPS events).

FireEye Event Notification Method                             Criteria for IPS Event Notifications
------------------------------------------------------------  ---------------------------------------------
rsyslog—Log notification messages to remote syslog servers.   Minor severity (1–3), Major severity (4–6),
                                                              Critical severity (7–10)
email—Send notification email messages using SMTP.            Critical severity or MVX-correlated
http—Post notification messages to Web servers using HTTP.    Critical severity or MVX-correlated
snmp—Send traps to SNMP servers.                              Critical severity or MVX-correlated

You can configure how IPS event notifications are sent by using either the Web UI or the CLI.

Configuring How IPS Event Notifications Are Sent (Web UI)


This topic describes how to use the Web UI to configure the FireEye event notification delivery methods that an IPS-
enabled platform uses to send IPS event notifications.

Prerequisites

l Log in to the appliance Web UI as Operator or Admin.

l Set the default time zone for event notifications, as described in the NX Series System Administration Guide.


l Enable and configure the notification services you will use for IPS event notifications:

Email
IPS critical event notifications are sent by email to one or more addresses using SMTP.
Configure email settings for administrative events, as described in "Configuring Administrative Email
Settings Using the Web UI" in the NX Series System Administration Guide.
To configure SMTP for event notifications, open the Settings > Notification page, click the email
column heading, and then configure the settings that appear in the Settings column and also in a
separate panel below the main table. For details, see "Configuring Email Notifications" in the NX Series
Threat Management Guide.

Web server
IPS critical event notifications are posted to one or more Web servers.
To configure Web servers for event notifications, open the Settings > Notification page, click the http
column heading, and then configure the settings that appear in the Settings column and also in a
separate panel below the main table. For details, see "Configuring HTTP Notifications" in the NX Series
Threat Management Guide.

Remote syslog server


All IPS event notifications are sent to a remote syslog server.
To configure a remote syslog server for event notifications, open the Settings > Notification page, click
the rsyslog column heading, and then configure the settings that appear in the Settings column and
also in a separate panel below the main table. For details, see "Configuring rsyslog Notifications" in the
NX Series Threat Management Guide.

SNMP
IPS critical event notification traps are sent to one or more SNMP servers.
To configure an SNMP server for event notifications, open the Settings > Notification page, click the
snmp column heading, and then configure the settings that appear in the Settings column and also in a
separate panel below the main table. For details, see "Configuring SNMP Notifications" in the
NX Series Threat Management Guide.


Procedure

To configure notification of IPS events:


1. Open the Settings > Notifications page to display the current configuration of event notifications.

In the following example, all FireEye event notification methods are enabled, and all event types except IPS
events are enabled for notification:

2. Enable notification methods for critical and major IPS events by selecting options in the IPS Critical row:

l To enable or disable all notification methods for IPS events, select or clear the option in the Global
column. If you select this option, you can enable or disable IPS event notification for any notification
method. If you clear this option, you cannot enable IPS event notifications for any notification method.

l To enable email notifications for IPS critical events, select the option in the email column.

l To enable Web server notifications for IPS critical events, select the option in the http column.

l To enable remote syslog server notifications for IPS critical, major, or minor events, select the option in the
rsyslog column.

l To enable SNMP traps for IPS critical events, select the option in the snmp column.

3. To configure a notification method, click the link in the column heading. Then configure the settings that appear
in the Settings column and also in a separate panel below the main table. For more detailed information, see
the NX Series System Administration Guide.

4. To enable or disable daily digest mode for email notifications, click Enable or Disable next to the "Daily Digest"
message below the table. To change the time the digest is sent, choose a new time and click Update.


Next Step in Setting Up IPS

Go to Configuring When IPS Event Notifications Are Sent.

Configuring How IPS Event Notifications Are Sent (CLI)


This topic describes how to use the CLI to configure the FireEye event notification delivery methods that an IPS-
enabled platform uses to send IPS event notifications.

Prerequisites

l Log in to the appliance CLI as Operator or Admin.

l Use the fenotify enable CLI command in configuration mode to enable FireEye notifications.

l Use the fenotify default timezone CLI command in configuration mode to set the default time zone for event
notifications. For more information, see the NX Series System Administration Guide and the
FireEye CLI Command Reference.

l Enable and configure the notification services you will use for IPS event notifications:

Email
IPS critical event notifications are sent by email to one or more addresses using SMTP.
Configure email settings for administrative events, as described in "Configuring Administrative Email
Settings Using the CLI" in the NX Series Threat Management Guide.
To configure SMTP for event notifications, use the fenotify email default, fenotify email enable, and
fenotify email service commands.

Web server
IPS critical event notifications are posted to one or more Web servers.
To configure Web servers for event notifications, use the fenotify http default, fenotify http enable, and
fenotify http service commands.

Remote syslog server


All IPS event notifications are sent to a remote syslog server.
Configure a remote syslog server for event notifications by using the fenotify rsyslog default,
fenotify rsyslog enable, and fenotify rsyslog service commands.

SNMP
IPS critical event notification traps are sent to one or more SNMP servers.
To configure an SNMP server for event notifications, use the fenotify snmp default, fenotify snmp
enable, and fenotify snmp service commands.

For more information, see the FireEye CLI Command Reference.


Procedure

To configure delivery methods for IPS event notifications:


1. Enter CLI configuration mode.

hostname > enable
hostname # configure terminal
hostname (config) #

2. Enable or disable IPS event notification for each notification protocol.

l To enable IPS event notification for a notification protocol, enter the fenotify command, and specify a
notification protocol followed by the alert ips-event enable options.

l To disable IPS event notification for a notification protocol, use the no form of the command.

The following example commands enable sending notifications of IPS critical events by email, posting to Web
servers, logging messages to a remote syslog server, and by SNMP traps:

hostname (config) # fenotify email alert ips-event enable


hostname (config) # fenotify http alert ips-event enable
hostname (config) # fenotify rsyslog alert ips-event enable
hostname (config) # fenotify snmp alert ips-event enable

NOTE: Major-severity and minor-severity IPS events are supported for remote syslog servers only.

3. Verify your changes.

hostname (config) # show fenotify alerts

FireEye Notification Enabled: yes

FireEye Alerts:
                        email  http  rsyslog  snmp
                  --------------------------------
Global                  yes    yes   yes      yes
domain-match      yes | no     no    yes      no
infection-match   yes | no     no    yes      no
ips-event         yes | yes    yes   yes      yes
malware-callback  yes | no     no    yes      no
malware-object    yes | no     no    yes      no
web-infection     yes | no     no    yes      no
Digest notification:
  Time    : 12:00
  Enabled : yes

Next Step in Setting Up IPS

Go to Configuring When IPS Event Notifications Are Sent.


Configuring When IPS Event Notifications Are Sent


This topic covers the following information:

l About IPS Event Notification Delivery Modes

l Configuring When IPS Event Notifications Are Sent (Web UI)

l Configuring When IPS Event Notifications Are Sent (CLI)

About IPS Event Notification Delivery Modes


If IPS event notifications are configured, the system uses one of the following delivery modes:

l instant—Send notification only when an IPS event is detected. This is the default value.

l confirmation—Send notification only when an attack has been confirmed (either positive or negative).

l dual—Send notifications both when an IPS event is detected and when an attack has been confirmed.

By default, the system is configured to use instant delivery mode, which is useful in an organization that archives
notifications and then filters and analyzes the information later. When you first activate IPS features, we recommend
that you use dual mode so that you see both detection and confirmation of IPS events. If your organization does not
archive the volume of notifications generated in this mode, you can decrease the volume of notifications by using
confirmation mode.
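As an added example (not FireEye code), the following Python model encodes the per-method criteria from the table in Criteria for Sending IPS Event Notifications together with the three delivery modes above, so that you can estimate which notification methods will fire for a given severity and mode before enabling them. It assumes that an event becomes MVX-correlated when its confirmation verdict is positive, and that a negative verdict leaves it subject to the ordinary severity criteria.

```python
from dataclasses import dataclass, field

METHODS = ("email", "http", "rsyslog", "snmp")

# Which notification phases each delivery mode emits (from the guide).
DELIVERY_MODES = {
    "instant": ("detected",),
    "confirmation": ("confirmed",),
    "dual": ("detected", "confirmed"),
}


def severity_band(severity):
    """Map an IPS severity level 1-10 to the band used in the guide's table."""
    if not 1 <= severity <= 10:
        raise ValueError(f"IPS severity must be 1..10, got {severity}")
    if severity <= 3:
        return "minor"
    if severity <= 6:
        return "major"
    return "critical"


def method_accepts(method, severity, mvx_correlated):
    """Per-method criteria: rsyslog takes every severity; the other methods
    take only critical events (7-10) or MVX-correlated IPS alerts."""
    if method == "rsyslog":
        return True
    return severity_band(severity) == "critical" or mvx_correlated


@dataclass
class NotifyConfig:
    """Mirrors the Global option, the per-method 'alert ips-event enable'
    settings and the 'fenotify preferences ips <mode>' delivery mode."""
    delivery_mode: str = "instant"
    global_enabled: bool = True
    ips_event: dict = field(default_factory=lambda: {m: False for m in METHODS})

    def enable(self, *methods):
        """Equivalent of 'fenotify <method> alert ips-event enable'."""
        for method in methods:
            if method not in METHODS:
                raise ValueError(f"unknown notification method {method}")
            self.ips_event[method] = True
        return self


def route(cfg, severity, phase, verdict=None):
    """Return the methods that deliver a notification for one phase of one event.

    phase is 'detected' or 'confirmed'; verdict ('positive' or 'negative') applies
    to the confirmed phase only. Assumption: a positive verdict is what makes the
    event an MVX-correlated IPS alert."""
    if phase not in DELIVERY_MODES[cfg.delivery_mode] or not cfg.global_enabled:
        return []
    mvx_correlated = phase == "confirmed" and verdict == "positive"
    return sorted(m for m in METHODS
                  if cfg.ips_event[m] and method_accepts(m, severity, mvx_correlated))


def simulate(cfg, events):
    """Count notifications per method for constructed (severity, verdict) events;
    verdict None means MVX never returned a verdict for that event."""
    counts = {m: 0 for m in METHODS}
    for severity, verdict in events:
        for method in route(cfg, severity, "detected"):
            counts[method] += 1
        if verdict is not None:
            for method in route(cfg, severity, "confirmed", verdict):
                counts[method] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: a minor event, a major event with a negative verdict,
    # and a critical event with a positive verdict; all methods enabled, dual mode.
    cfg = NotifyConfig(delivery_mode="dual").enable(*METHODS)
    print(simulate(cfg, [(2, None), (5, "negative"), (9, "positive")]))
```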

You can configure when IPS event notifications are sent by using either the Web UI or the CLI.

Configuring When IPS Event Notifications Are Sent (Web UI)


This topic describes how to use the Web UI to configure when IPS event notifications are sent for an IPS-enabled
platform.

When you first activate IPS features, we recommend that you use dual delivery mode for IPS event notification
instead of the default instant delivery mode. The dual mode enables you to see both detection and confirmation of
IPS events. For more information about all delivery modes, see IPS Event Notifications.

Prerequisites

l Log in to the appliance Web UI as Operator or Admin.

l Configure FireEye notifications for IPS events. For more information, see Configuring How IPS Event
Notifications Are Sent.


Procedure

To configure when IPS event notifications are sent:


1. Open the Settings > Notifications page to display the current configuration of event notifications.

2. In the Event Type column, select the delivery mode for IPS event notifications:

l instant—Send notification only when an IPS event is detected. This is the default value.
l confirmation—Send notification only when an attack has been confirmed (either positive or negative).
l dual—Send notifications both when an IPS event is detected and when an attack has been confirmed.

When you first activate IPS features, we recommend that you use dual mode.

Next Step in Setting Up IPS

Go to Configuring Notification of Inline Packet Inspection Process State Changes (CLI). You cannot configure
this option from the Web UI.


Configuring When IPS Event Notifications Are Sent (CLI)


This topic describes how to use the CLI to configure when IPS event notifications are sent for an IPS-enabled
platform.

When you first activate IPS features, we recommend that you use dual delivery mode for IPS event notification
instead of the default instant delivery mode. The dual mode enables you to see both detection and confirmation of
IPS events. For more information about all delivery modes, see IPS Event Notifications.

Prerequisites

l Log in to the appliance CLI as Operator or Admin.

l Configure FireEye notifications for IPS events. For more information, see Configuring How IPS Event
Notifications Are Sent.

Procedure

To configure when IPS event notifications are sent:


1. Enter CLI configuration mode.

hostname > enable
hostname # configure terminal
hostname (config) #

2. Configure the delivery mode.

l instant—Send notification only when an IPS event is detected. This is the default value.
l confirmation—Send notification only when an attack has been confirmed (either positive or negative).
l dual—Send notifications both when an IPS event is detected and when an attack has been confirmed.

When you first activate IPS features, we recommend that you use dual mode.

hostname (config) # fenotify preferences ips dual

3. Verify your changes.

hostname # show fenotify preferences

Notification customized settings:
IPS delivery mode: dual
HTTP(s) notification using fenet proxy: yes
Rsyslog notification Stripping off line feedback: yes

Next Step in Setting Up IPS

Go to Configuring Notification of Inline Packet Inspection Process State Changes (CLI). You cannot configure
this option from the Web UI.


Configuring Notification of Inline Packet Inspection Process State Changes (CLI)

You can configure an IPS-enabled platform to send email notifications whenever the inline packet inspection
process changes state (starts or stops).

Prerequisites

Before you configure an IPS-enabled platform for email notification when the inline packet inspection process starts
or stops, perform the following prerequisite tasks:

l Log in to the appliance CLI as Operator or Admin.

l Use the fenotify default timezone CLI command in configuration mode to set the default time zone for FireEye
notifications. For more information, see the NX Series System Administration Guide and the
FireEye CLI Command Reference.

l Configure email settings for administrative events, as described in "Configuring Administrative Email Settings
Using the CLI" in the NX Series Threat Management Guide.

hostname (config) # email ?

auth          Set authentication options for sending email
autosupport   Set handling of automatic support email
dead-letter   Configure settings for saving undeliverable emails
domain        Override domain from which emails appear to come
mailhub       Set the mail relay to be used to send emails
mailhub-port  Set mail port to be used to send emails
notify        Set handling of events and failures via email
return-addr   Set the username in the return address for email notifications
return-host   Include hostname in return address for email notifications
send-test     Send test email to all configured event and failure recipients
ssl           Configure security options for email


Procedure

To configure email notifications for inline packet inspection process state changes:
1. Enter CLI configuration mode.

hostname > enable
hostname # configure terminal
hostname (config) #

2. Check the email settings for administrative events by entering the show email command.

In the following example, email notifications for administrative events are configured to be sent to the email
address my-first.my-last@my-domain.com.

hostname # show email

Mail hub: 172.16.2.27
Mail hub port: 25
Domain override: www.my-domain-override.com
Return address: do-not-reply
Include hostname in return address: yes

Current reply address: do-not-reply@my-host.www.my-domain-override.com

Security mode: tls-none
Verify server cert: yes
Supplemental CA list: default-ca-list

SMTP authentication: disabled

Dead letter settings:
Save dead.letter files: yes
Dead letter max age: 14 days

Email notification recipients:
my-first.my-last@my-domain.com (all events, in detail)

Autosupport emails
Enabled: yes
Recipient: eng-autosupport@fireeye.com
Mail hub: owa.fireeye.com
Security mode: tls-none
Verify server cert: yes
Supplemental CA list: default-ca-list
SMTP authentication: disabled

3. Enable or disable notifications when the inline packet inspection process stops. Enter one of the following
forms of the email notify event command:

l To enable notifications when the inline packet inspection process stops, enter the email notify event
command, and specify the inline-engine-down parameter.

l To disable this notification option, use the no form of the command.

The following example command enables notifications when inline packet inspection processing stops.

hostname (config) # email notify event inline-engine-down


4. Enable or disable notifications when the inline packet inspection process starts. Enter one of the following
forms of the email notify event command:

l To enable notifications when the inline packet inspection process starts, enter the email notify event
command, and specify the inline-engine-up parameter.

l To disable this notification option, use the no form of the command.

hostname (config) # email notify event inline-engine-up

Next Step in Setting Up IPS

Go to Initial Activation of IPS.



Initial Activation of IPS
After you complete initial configuration of IPS, you activate IPS processing, test notifications, and display IPS data.

Optional: Disabling or Forcing Blocking for All IPS Rules (CLI) 36

Activating IPS Processing 38

Displaying IPS Events and Alerts (Web UI) 41

Testing IPS Event Notifications 46

Optional: Re-Enabling Blocking for All IPS Rules (CLI) 48

Beyond the Basics: Fine-Tuning the IPS Configuration 49


Optional: Disabling or Forcing Blocking for All IPS Rules (CLI)


This topic is relevant only if your appliance is deployed inline and the monitoring interface is configured for inline
blocking.

When an IPS rule matches a traffic flow, the action taken on the traffic flow is determined by the IPS blockmode
setting on the appliance and the blocking action specified by the matched IPS rule. By default, IPS-enabled
appliances operate with IPS blockmode enabled. When an IPS rule matches a traffic flow, the system blocks or
allows the traffic as specified by the block action of the rule. For a detailed description of IPS blockmode, see
Options to Disable or Force Blocking for All IPS Rules.

During the initial baselining phase for your IPS deployment, you will likely use one or both of the non-default
settings for IPS blockmode:

l Observing IPS rules on an established NX Series appliance—If you are activating IPS for the first time on an
existing deployment of an NX Series appliance, we recommend that initially you operate the platform in
monitoring-only mode. With IPS blockmode disabled, the system generates IPS events, IPS alerts, and IPS
notifications, but no traffic is blocked.

l Testing IPS rules against known traffic—If you are testing the accuracy of every rule in an IPS policy by
running the policy against known test traffic, then all IPS rules must be blocking. For this type of testing, you
would configure the platform to force blocking for all IPS rules.

After you complete these types of initial testing, be sure to re-enable IPS blockmode. Otherwise, your system will
continue to pass all matched traffic or block all matched traffic.

Prerequisites

l Log in to the appliance CLI as Admin.

Procedure

To disable or force blocking actions for all matched IPS rules:


1. Enter CLI configuration mode.

hostname > enable
hostname # configure terminal
hostname (config) #

2. Configure the appliance to disable or force IPS blocking, depending on your evaluation needs.

l To disable the blocking actions specified by all matched IPS rules:

hostname (config) # no ips blockmode

l To force blocking action for all matched IPS rules:

hostname (config) # ips blockmode all


3. (Recommended) Customize appliance login messages to notify users that blocking actions are either disabled
or forced for all IPS rules active on the appliance. You can configure three types of login messages:

l Local banner—Text that appears after the username is entered in the CLI session.

l Remote banner—Text that appears in the Web UI and SSH login pages.

l Message of the Day—Text that appears after a user is authenticated and logged in to the CLI.

For more information, see the NX Series System Administration Guide.

Next Step in Setting Up IPS

Go to Activating IPS Processing.


Activating IPS Processing


This section covers the following information:

l About Activating IPS Processing

l Activating IPS Processing (Web UI)

l Activating IPS Processing (CLI)

About Activating IPS Processing


After you enable IPS capabilities on an NX Series appliance, IPS features are not activated until you apply IPS
policies to monitoring interfaces. Without IPS policies applied to monitoring interfaces, the appliance functions as a
standard NX Series appliance that detects and, if deployed and configured inline, can block client-centric HTTP-
based malware.

An IPS-enabled platform provides the following default IPS policies:

l FireEye_Default—Detects client-directed and server-directed threats of critical severity (levels 7 through 10).

l Comprehensive—Detects client-directed and server-directed threats of all severity (levels 1 through 10).

l Default_Server_Protection—Detects server-directed threats of critical severity.

l Default_Client_Protection—Detects client-directed threats of critical severity.

For detailed information about default IPS policies, see IPS Policies. For detailed information about selecting the
IPS rules that analyze your network traffic, see Applying an IPS Policy to Monitoring Interfaces.

You can activate IPS processing by using either the Web UI or the CLI.

Activating IPS Processing (Web UI)


To use the Web UI to activate IPS processing on an IPS-enabled appliance, use the Settings > IPS page.

Prerequisites

l Add an IPS license to an NX Series appliance that supports IPS features.

l Log in to the appliance Web UI as Operator or Admin.


Procedure

To apply a default IPS policy to a monitoring interface:


1. Open the Settings > IPS page to display the association of monitoring interfaces to IPS policies.

In the following example, IPS is enabled but no IPS policies are applied to the appliance monitoring interfaces.
When no IPS policies are active, the appliance functions as a standard NX Series appliance.

2. In the row for the IPS policy you want to apply, click Apply Policy in the Actions column.

NOTE: When you first activate IPS features, we recommend that you use the FireEye_Default IPS policy.

3. Select the monitoring interfaces you want to associate with the policy.

4. Click Apply Policy, and then click Done.

The table row for the IPS policy reflects your configuration changes:

l The Active on Interface column displays the letter designator for the interface associated with the policy.

l The Rules Enabled column displays the number of IPS rules in the appliance database that match the
selection criteria specified by the policy. To see a list of the active rules, you can generate the IPS Policy
Configuration Summary report or the IPS Policy Configuration Details report.

l The Actions column displays the actions available for the policy.

After a few minutes, IPS event detection results are displayed in the Web UI and are available in reports.

Next Step in Setting Up IPS

Go to Displaying IPS Events and Alerts (Web UI).

Activating IPS Processing (CLI)


This topic describes how to use the CLI to activate IPS processing on an IPS-enabled appliance.


Prerequisites

Before you begin activating IPS features with default IPS policies, perform the following prerequisite tasks:

• Add an IPS license to an NX Series appliance that supports IPS features.

• Log in to the appliance CLI as Operator or Admin.

Procedure

To apply a default IPS policy to a monitoring interface:


1. Enter CLI configuration mode.

hostname > enable


hostname # configure terminal
hostname (config) #

2. Display the appliance interfaces and the current application of IPS policies to appliance interfaces.

In the following example, the appliance has two monitoring interfaces and no IPS policies are active on the
interfaces.

hostname # show ips interfaces


Interface : A
Policy applied : empty
Rule count : 0
Interface : B
Policy applied : empty
Rule count : 0

3. Apply an IPS policy to each monitoring interface.

NOTE: For IPS-enabled platforms deployed in environments with asymmetric routing, apply the same IPS
policy to both monitoring interfaces, so that the platform applies the same IPS rules to upstream and
downstream traffic even when request and response packets traverse separate links to the two monitoring
interfaces.

In the following example, the IPS policy named FireEye_Default is applied to interface A, and the IPS policy
named Comprehensive is applied to interface B.

hostname (config) # ips apply FireEye_Default interface A

hostname (config) # ips apply Comprehensive interface B

hostname # show ips interfaces


Interface : A
Policy applied : FireEye_Default
Rule count : 2640
Interface : B
Policy applied : Comprehensive
Rule count : 6882

4. After a few minutes, IPS event detection results are displayed in the Web UI and are available in reports.
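The following is an added example, not FireEye code and not part of the guide: a small Python parser for the
text that show ips interfaces prints, used to confirm that IPS processing is actually active before you move on.
It flags any interface whose policy is still empty or that selects zero rules, and, for the asymmetric-routing
deployment described in the note above, any mismatch between the policies on the two interfaces. It assumes
you have captured the command output into a string (for example, over SSH); the field labels are taken from the
guide's sample output and the two samples below are constructed.

```python
import re

# Constructed sample, laid out like the guide's output after policies are applied.
SAMPLE_ACTIVE = """\
hostname # show ips interfaces
Interface : A
Policy applied : FireEye_Default
Rule count : 2640
Interface : B
Policy applied : Comprehensive
Rule count : 6882
"""

# Constructed sample, laid out like the guide's output before any policy is applied.
SAMPLE_EMPTY = """\
Interface : A
Policy applied : empty
Rule count : 0
Interface : B
Policy applied : empty
Rule count : 0
"""

# One "label : value" line; the labels are those shown in the guide's output.
_FIELD = re.compile(r"^\s*(Interface|Policy applied|Rule count)\s*:\s*(.*?)\s*$")


def parse_ips_interfaces(text):
    """Return one dict per interface block: interface, policy, rule_count."""
    interfaces = []
    current = None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue  # prompt, echoed command, blank line
        label, value = m.groups()
        if label == "Interface":
            current = {"interface": value, "policy": None, "rule_count": 0}
            interfaces.append(current)
        elif current is None:
            raise ValueError(f"field before any Interface block: {line!r}")
        elif label == "Policy applied":
            current["policy"] = value
        else:
            current["rule_count"] = int(value)
    return interfaces


def check_ips_activation(text, asymmetric_routing=False):
    """
    Return a list of findings; an empty list means IPS processing is active
    on every interface. With asymmetric_routing=True the check also requires,
    as the guide's note does, that every interface carries the same policy.
    """
    interfaces = parse_ips_interfaces(text)
    if not interfaces:
        return ["no monitoring interfaces found in output"]
    findings = []
    for iface in interfaces:
        name, policy = iface["interface"], iface["policy"]
        if policy in (None, "empty"):
            findings.append(f"interface {name}: no IPS policy applied")
        elif iface["rule_count"] == 0:
            findings.append(f"interface {name}: policy {policy} selects 0 rules")
    if asymmetric_routing:
        policies = sorted({i["policy"] for i in interfaces if i["policy"]})
        if len(policies) > 1:
            findings.append("interfaces do not share one policy: " + ", ".join(policies))
    return findings


if __name__ == "__main__":
    for label, sample in (("active", SAMPLE_ACTIVE), ("empty", SAMPLE_EMPTY)):
        print(label, check_ips_activation(sample) or ["OK"])
```

Run the check after step 3 and again after any security content update; an interface that silently drops back to
zero rules is otherwise easy to miss because the appliance keeps passing traffic as a standard NX Series
appliance.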

Next Step in Setting Up IPS

Go to Displaying IPS Events and Alerts (Web UI).


Displaying IPS Events and Alerts (Web UI)


This topic describes how to display the results of IPS detection and blocking activities performed by your IPS-
enabled platform.

When the IPS-enabled rules engine matches a traffic flow to an active IPS rule, the platform generates an IPS event.
For client-targeted IPS events that correlate with MVX-verified malware alerts, the platform triggers IPS alerts.

• IPS events and IPS alerts are listed in the IPS Events page.

• IPS alerts for client-targeted attacks are listed in the Alerts page, in both the Hosts page and the Alerts page.

• IPS event statistics are reflected in two panels in the Dashboard page.

• From the Reports page, you can generate IPS-specific reports that contain summaries and detailed
information about HTTP-based malware alerts, IPS alerts, and IPS events.

• If you configured FireEye event notifications for IPS events, notifications are sent using the notification methods
you configured.

You can use this information to determine how to customize your configuration of IPS packet processing.

Prerequisites

Before you begin analyzing initial IPS results, perform the following prerequisite tasks:

• Log in to the appliance Web UI as Monitor, Analyst, or Admin.

• (Recommended) Configure notifications of IPS events.

• (Optional) Disable or re-enable IPS block mode if needed.

• Apply default IPS policies to monitoring interfaces.

• Wait several minutes for IPS event detection results to begin to appear in the Web UI.


Procedure

To display IPS data:


1. To verify that the IPS rules you activated are detecting IPS events, select the IPS Events page.

The IPS Events page lists all IPS events detected by the platform within the time frame specified in the
Duration fields.

If an entry represents one or more MVX-correlated IPS events (IPS alerts), the following badge appears in the
Badges column:

If an entry represents one or more IPS events that have been verified to be non-malicious, the following badge
appears in the Badges column:

For more information, see IPS Events Page.


2. To display a list of all alerts triggered on the appliance, select the Alerts page. Different pages list malware
alerts (MVX-verified malware events), IPS alerts (MVX-correlated IPS events), and callback events.

Alerts > Hosts
This page lists all malware alerts and IPS alerts, grouped by victim IP address and attack rule name.
Multiple alerts associated with the same victim and signature rule are combined in a single entry. If an
entry represents one or more IPS alerts, the following badge appears in the IPS column:

For more information, see Alerts > Hosts Page.

Alerts > Alerts
This page lists all malware alerts and IPS alerts, grouped by attack rule name only. Multiple alerts
associated with the same signature rule are combined in a single entry. If an entry represents one or
more IPS alerts, the following badge appears in the IPS column:

For more information, see Alerts > Alerts Page.

Alerts > Callback Activity
This page lists all callback events associated with a malware alert. For more information, see
Alerts > Callback Activity Page.


3. For a high-level view of the IPS-specific threat intelligence gathered by the IPS-enabled platform, select the
Dashboard page and view the following dashboard panels:

What's Happening
For IPS-enabled platforms only, this panel includes the count of IPS alerts detected by the appliance,
provided that the value is not zero.

Click MVX Correlated IPS Events to open the IPS Events page filtered to display only IPS alerts.

IPS Trend
For IPS-enabled platforms only, this panel contains a two-series line graph that plots the number of
IPS alerts and IPS critical events detected by the appliance over the past month, week, or day of IPS
analysis.

For more information, see IPS Information in the Dashboard.


4. To generate IPS-specific reports, select the Reports page. The following reports are available on IPS-enabled
platforms only:

IPS Executive Summary
Provides a high-level view of IPS statistics.

IPS Policy Configuration Summary
Identifies IPS policies active on monitoring interfaces; counts the active IPS rules and excluded IPS
rules at each active monitoring interface; and summarizes the characteristics of the active IPS rules at
each active monitoring interface.

IPS Policy Configuration Details
Provides the same information as the IPS Policy Configuration Summary, but also lists the active
rules, excluded rules, and included rules at each monitoring interface.

IPS Top N Attacks
Extracts traffic analysis statistics about IPS rules used to detect suspicious events.

IPS Top N Attackers
Extracts traffic analysis statistics about hosts that sent suspicious traffic detected by IPS rules.

IPS Top N Victims
Extracts traffic analysis statistics about hosts that received suspicious traffic detected by IPS rules.

IPS Top N MVX-Correlated
Provides the Top N Attacks, Top N Attackers, and Top N Victims reports.

For more information, see IPS Reports.

5. If you disabled IPS blockmode while evaluating the fit of IPS rules to your environment, be sure to re-enable
IPS blockmode after you finish customizing the configuration of IPS packet processing by your platform.

Next Step in Setting Up IPS

Go to Optional: Re-Enabling Blocking for All IPS Rules (CLI).


Testing IPS Event Notifications


After you activate IPS processing on the platform and verify detection of IPS events, you should test the FireEye
notifications for IPS alerts. You can test-fire IPS events from the Web UI or the CLI.

• Testing IPS Event Notifications (Web UI)

• Testing IPS Event Notifications (CLI)

Testing IPS Event Notifications (Web UI)


This topic describes how to use the Web UI to test IPS event notifications.

Prerequisites

• Log in to the appliance Web UI as Operator or Admin.

• Configure IPS event notifications, as described in Initial Configuration of IPS.

• Apply IPS policies to the appliance monitoring interfaces, as described in Activating IPS Processing.

Procedure

To test IPS event notifications:


1. Open the Settings > Notifications page.

In the following example, all FireEye event notification methods are enabled, and IPS events are enabled for
notification by email and rsyslog:

2. In the drop-down list below the table, select IPS Critical.


3. Click Test-Fire.

The system generates an IPS event of severity level 8, which should trigger event notifications for all
notification methods configured on the platform.

4. Go to the IPS Events page.

Look for the test-fire IPS event near the top of the list. By default, the list displays the most recent events at the
top. IPS test-fire events are listed with the rule name IPS-TEST-FIRE: Malicious PDF Downloaded.

NOTE: After you initiate an IPS test-fire event, the event appears in the IPS Events page for approximately
5 minutes before it disappears from the page display and from the events database.

5. Look for the test-fire IPS event in the other event notification targets you configured for IPS events.

If a configured notification method fails, correct the notification settings, and then repeat the test.

Next Step in Setting Up IPS

Go to Re-Enabling Blocking for All IPS Rules (CLI).

Testing IPS Event Notifications (CLI)


This topic describes how to use the CLI to test IPS event notifications.

Prerequisites

• Log in to the appliance CLI as Operator or Admin.

• Configure IPS event notifications, as described in Initial Configuration of IPS.

• Apply IPS policies to the appliance monitoring interfaces, as described in Activating IPS Processing.

Procedure

To test IPS event notifications:


1. Test your IPS event notification settings by entering the fenotify test-fire command.

hostname (config) # fenotify test-fire ips-event

The platform generates an IPS event of severity level 8, which should trigger event notifications for all
notification methods configured on the platform.

2. If a configured notification method fails, correct the configuration settings, and then repeat the test.

Next Step in Setting Up IPS

Go to Re-Enabling Blocking for All IPS Rules (CLI).


Optional: Re-Enabling Blocking for All IPS Rules (CLI)


Administrators often disable the blocking actions specified by matched IPS rules while they are evaluating the fit of
IPS rules to the network traffic. While IPS blockmode is disabled, the IPS-enabled platform operates with standard
malware rules in blocking mode (as specified in the malware rule definitions) but with IPS rules in detection-only
mode. Matched IPS rules do not affect monitored traffic flows, but the matched traffic generates IPS events,
IPS alerts, and IPS event notifications. For more information, see Options to Disable or Force Blocking for All
IPS Rules.

IMPORTANT! If you disabled IPS blockmode while evaluating the fit of IPS rules to your environment, be sure to
follow these steps to re-enable IPS blockmode after you finish configuring IPS.

Prerequisites

• Log in to the appliance CLI as Admin.

Procedure

To re-enable blocking actions specified by matched IPS rules:


1. Enter CLI configuration mode.

hostname > enable


hostname # configure terminal
hostname (config) #

2. Configure the appliance to re-enable blocking actions specified by matched IPS rules.

hostname (config) # no ips blockmode

3. (Recommended) Customize appliance login messages to notify users that blocking actions are enabled for all
IPS rules active on the appliance. You can configure three types of login messages:

• Local banner—Text that appears after the username is entered in the CLI session.

• Remote banner—Text that appears in the Web UI and SSH login pages.

• Message of the Day—Text that appears after a user is authenticated and logged in to the CLI.

For more information, see the NX Series System Administration Guide.


Beyond the Basics: Fine-Tuning the IPS Configuration


Based on the results of IPS detection and blocking activities performed by your IPS-enabled platform, you can
customize the IPS detection and blocking features on your platform.

Configuring and Applying Custom IPS Policies


You can apply custom IPS policies that you configure with specific rule-matching criteria or with specific
rule-inclusion and rule-exclusion lists. For more information, see IPS Policy Configuration.
You can also override the traffic-blocking actions specified by IPS rules, globally across the appliance or for a
specific vulnerability or IPS rule. For more information, see IPS Rule Action Overrides.

Disabling Automatic Addition of New IPS Rules


You can enable the Auto Add Rules option, which configures the platform to re-evaluate active IPS policies
whenever IPS rules are added to or removed from the platform database. If this option is not enabled, any
IPS rules added to or removed from the platform do not impact the active monitoring interfaces. An IPS-
enabled platform can add or remove IPS rules in the following ways:
• A scheduled or explicit update of security content includes new FireEye-provided IPS rules.
• You explicitly import or delete custom IPS rules.

For more information, see Managing Auto-Addition of New IPS Rules to Active Interfaces.

Overriding Rules Selected by Active IPS Policies


You can configure the IPS-enabled rules engine to override the blocking actions specified by IPS rules or
signatures. The section IPS Rule Action Overrides describes the following configuration options:
• Options to Disable or Force Blocking for All IPS Rules
• Options to Disable or Force Blocking for a Vulnerability or an IPS Rule
• Options to Suppress a Vulnerability or an IPS Rule

Creating and Uploading Custom IPS Rules Based on Custom Signatures


You can create and upload your own IPS content rules so that the IPS-enabled rules engine can detect
specific intruder signatures present in the data packets in your network traffic. For more information, see IPS
Rules Based on Custom Signatures.

Managing the Volume of IPS Event Notifications


When you first activate IPS features, we recommend that you use the dual delivery mode for IPS event
notification. If you need to reduce the volume of IPS event notifications that you analyze, you can change to
confirmation delivery mode. For more information, see IPS Event Notifications.

Enabling IPS Detection of Reconnaissance Activity


You can enable the platform to detect reconnaissance activity and trigger IPS reconnaissance events when
attack patterns are detected. For more information, see IPS Detection of Reconnaissance Activity.



IPS Information in the Dashboard
This section describes the IPS information that appears in the Dashboard of an IPS-enabled platform.

About the Dashboard of an IPS-Enabled Appliance 52

Dashboard > What's Happening 55

Dashboard > IPS Trend 57


About the Dashboard of an IPS-Enabled Appliance


This topic covers the following information:

• Overview of the NX Series Dashboard Page

• Guidelines for Using the NX Series Dashboard Page

• Dashboard Panels That Show IPS Data

Overview of the NX Series Dashboard Page


The Dashboard page of the NX Series Web UI provides a high-level view of the threat intelligence gathered by the
appliance. Within each panel on the dashboard, you can click graph elements, graph legend items, and blue text
links to drill down to critical threat information affecting your network.

The following example is a partial view of the Dashboard page for an IPS-enabled platform:

Guidelines for Using the NX Series Dashboard Page


When the Dashboard page appears for the first time, the NX Series Web UI prompts you to select your industry and
geographical region. This information is necessary to populate the Threat Level panel and the Malware Detection
Trend panel. However, neither panel displays data if the platform does not have connectivity with the FireEye
Dynamic Threat Intelligence (DTI) cloud.

Some panels of the dashboard do not appear if the information is not relevant to your configuration.


You can control the display of the dashboard or panels by clicking the following icons:

Panel Control Icon    Description

• In the main view of the Dashboard page, click this icon to select the print-to-PDF processing time and
initiate printing of the current Dashboard contents.

• In the main view of the Dashboard page, click this icon to maximize the display of a panel.

• In the maximized view of a dashboard panel, click this icon to restore the main (full) view of the Dashboard.

• In any dashboard panel, click this icon to reload the data displayed.

• In the Threat Level panel or the Malware Detection Trend panel, click this icon to change the industry and
region settings for both panels.

• In any dashboard panel that displays these buttons, you can select the period of time for which the panel
displays information.

• In the Top Malware By Host and Activity panel, you can filter the data displayed:

  •  Hosts—(Default) Display malware counts by host.

  •  Activities—Display malware counts by threat activities that have occurred.

• In the What's Happening panel and in the Critical Malware Detection panel, you can use this button to control
whether the displayed data includes or excludes acknowledged alerts.

You can interact with the display of an individual dashboard panel in the following ways:

• Within a list—Click an icon or text link to display the Alerts page, filtered for the selected information.

• Within a chart—Click a line, bar, or slice to display the Alerts page, filtered for the selected information.

• Within a chart legend—Click an icon to refresh the chart with the selected information excluded or included.

Dashboard Panels That Show IPS Data


On an IPS-enabled platform, the following dashboard panels include information about IPS events or IPS alerts:

NX Series Dashboard Panel That Shows IPS Data    Description

What's Happening
Displays the number of IPS alerts detected by the appliance, provided that the value is not zero. For more
information, see Dashboard > What's Happening.

IPS Trend
A line graph that shows the number of IPS alerts and IPS critical events detected by the appliance. For more
information, see Dashboard > IPS Trend.


The other dashboard panels do not include information about IPS events or IPS alerts. For more information about
these panels, see the NX Series Threat Management Guide.

NX Series Dashboard Panel That Does Not Show IPS Data    Description

Threat Level
An overall threat level based on the threats detected by your appliance and FireEye's measurement of threat
level in your industry or geographical location.

Callback Events
Callback data listed in order of the most infected subnets in your configuration. The blue numbered boxes link
to the relevant Alerts page.

Critical Malware Detection
Malicious infections uniquely detected by FireEye.

Threat Attacks
A pie chart of the threat attacks most detected in your configuration. Click a circle in the legend to show
information about a specific threat type.

Malware Detection Trend
The malware trend detected by your FireEye appliance, over time, compared to the malware detected within
your industry or geographical location.

Top 25 Infected Subnets (Cloud and Local)
Overall infections in order of the number of malware events detected in your configuration, the amount of
unique malware, and the number of infected subnets. The blue numbered boxes link to the relevant Alerts page.

Cloud Detection
Overall infections in order of the number of callback events detected in your configuration. The blue numbered
boxes link to the relevant Alerts page.

Local Detection
Overall infections in order of the number of callback events detected in your configuration.

Top Malware by Host and Activity
Color-coded bar graphs of the number of recent infections of various types.

  •  Click a circle in the legend to show information about that threat type.

  •  Click Hosts or Activities to view the data by host or according to the threat activities that have occurred.

  •  Click Day or 2 weeks to change the timeframe covered.

Daily Monitored Traffic (Mbps)
Line graphs of monitored traffic types for the past 24 hours. Move your cursor over an area of the chart to view
details in a tooltip.


Dashboard > What's Happening
On a standard NX Series platform, the What's Happening panel of the Dashboard page displays the alert totals for
the top three attack categories. On an IPS-enabled platform, the panel also shows the number of IPS alerts. By
default, alert totals exclude acknowledged alerts and cover the past month of IPS-enabled analysis.

The following is an example of the What's Happening panel for an IPS-enabled platform.

The following table describes the attack categories summarized by the What's Happening panel. For each alert
count listed in the panel, you can click a link to display the list of all alerts of that type within the same time frame.

Icon    Type of Alerts Counted    To Display the Corresponding List of MVX-Verified Alerts

Advanced Persistent Threats
Click APT Attacks to open the Alerts > Alerts page filtered on the following value in the Malware column:
  •  .APT

Attacks not seen before
Click Not Seen Before to open the Alerts > Alerts page filtered on any of the following values in the Malware
column:
  •  Exploit.Browser
  •  Malware.ZerodayMatch
  •  Malware.Binary

Malware objects downloaded
Click Malware Objects to open the Alerts > Alerts page filtered on the following value in the Type column:
  •  Malware Object

Malicious domain matches
Click Malicious domain match to open the Alerts > Alerts page filtered on the following value in the Type
column:
  •  Domain Match

Clients infected
Click Hosts Infected by Web Traffic to open the Alerts > Alerts page filtered on the following value in the Type
column:
  •  Web Infection

MVX Correlated IPS Events (IPS-enabled platforms only)
Click MVX Correlated IPS Events to open the IPS Events page filtered on MVX in the Badges column.


Use the following options to select the data displayed:

Button    Description

• Control whether the number of MVX-correlated IPS events displayed includes or excludes acknowledged
alerts. You can acknowledge individual or multiple MVX-correlated IPS event entries from the IPS Events page.
You can acknowledge single IPS event entries from the Alerts > Hosts page.

• Select the period of time for which the panel displays information. The default selection is Month.

Use the following icons to control the display of the What's Happening panel:

Panel Control Icon    Description

• In the main view of the Dashboard, click this icon to maximize the display of the What's Happening panel.

• In the maximized view of the What's Happening panel, click this icon to restore the main (full) view of the
Dashboard.

• Click to reload the alert counts displayed in the What's Happening panel.

NOTE: If none of the attack categories is represented in your IPS-enabled platform for the acknowledgment and
time frame specified, the panel is empty:


Dashboard > IPS Trend
For IPS-enabled platforms only, the IPS Trend panel of the Dashboard page plots the number of IPS alerts and IPS
critical events on a graph.

Plot Point    IPS Items Graphed    IPS Item Description

MVX Correlated IPS Events
Number of IPS events (potential network threats detected using IPS rules) correlated with client-centric attacks
verified by standard NX Series features.

IPS Critical Events
Number of IPS events of severity category Critical (severity levels 7 through 10).

By default, the IPS Trend panel covers the past one month of IPS-enabled analysis. The following example shows
an IPS Trend panel that covers the past one week of analysis.

Use the following icons to control the display of the IPS Trend panel:

Panel Control Icon    Description

• In the main view of the Dashboard, click this icon to maximize the display of the IPS Trend panel.

• In the maximized view of the IPS Trend panel, click this icon to restore the main (full) view of the Dashboard.

• Click to reload the alert counts displayed in the IPS Trend panel.

• Use these buttons to select the period of time for which the panel displays information. The default selection
is Month.



IPS Alerts for MVX-Correlated Events
This section describes IPS information displayed in the Dashboard and in the Alerts and IPS Events tabs.

About IPS Event Correlation and Verification 60

IPS Events Page 62

IPS Events Page Drill-Down View 67

Alerts > Hosts Page 69

Alerts > Alerts Page 74

Alerts > Callback Activity Page 78


About IPS Event Correlation and Verification


When monitored traffic matches an IPS rule, the IPS-enabled platform records an IPS event in its database and lists
the event in the IPS Events page. At the same time, the system continues to analyze the data in the session that
matched the rule.

IPS Alerts
First, the platform analyzes the data to determine whether the IPS event is an IPS alert. To make that determination,
the platform uses correlation logic that compares the suspicious traffic flow, the IPS rule that detected the suspicious
traffic flow, and similar MVX-verified malware attacks already seen on the appliance. In the case of a match, the IPS
event is said to be MVX-correlated.

You can identify MVX-correlated events by the presence of badges in the Alerts lists and in the list of IPS events:

• In the Alerts > Hosts and Alerts > Alerts pages, the IPS alert entry shows the following icon in the Badges
column:

• In the IPS Events page, the IPS alert entry shows the following icon in the Badges column:

• Depending on how you have configured IPS event notifications, IPS event notification messages might be
sent.

Non-Malicious Events
If an IPS event does not correlate with an MVX-verified malware attack, the IPS-enabled platform continues to
inspect the data in the session that matched the rule. The MVX engine inspects the data within the same
vulnerability execution environment as the original session that contained the matched traffic. If the result of MVX
verification shows the IPS event to be non-malicious, the platform categorizes the event as non-attack.

• In the IPS Events page, the IPS event entry shows the following icon in the Badges column:

• Depending on how you have configured IPS event notifications, IPS event notification messages might be
sent.

For information about configuring the platform to send FireEye notifications for IPS events, see IPS Event
Notifications.


The following example shows an IPS Events page that lists nine entries for MVX-correlated events and two entries
for verified non-malicious events.


IPS Events Page


This topic covers the following information:

• About the IPS Events Page

• Information in the IPS Events Page

• Shortcuts From the IPS Events Page

• Controls for the IPS Events Page

About the IPS Events Page


The IPS Events page lists the IPS events (threats detected by IPS rules) and IPS alerts (MVX-correlated IPS
events). For multiple IPS events that share the same victim IP address, attacker IP address, signature ID, and (if
applicable) VLAN ID, the IPS Events page combines the event information into a single entry in the list. You can
expand or collapse a combined entry to show or hide the details of the grouped IPS events. For descriptions of
IPS events and alerts and their difference from standard malware events and alerts, see IPS Events and IPS Alerts.

The following example shows the default display of an IPS Events page.


Use the IPS Events page to monitor the types and rates of network threats that the platform detects through IPS
signature matching. Watch for rising or abnormal statistics, particularly with respect to IPS events for server-
targeting threats (for which the platform does not perform MVX correlation).

Information in the IPS Events Page


The following summary information appears in the right-hand side of the IPS Events page control bar:

Field Name    Description

# of rows
Total number of rows in the table. The rows displayed depend on the Duration and filtering settings.

# IPS Events
Rows that represent IPS events not correlated with MVX-verified malware attacks.

# MVX Correlated
Rows that represent one or more MVX-correlated IPS events.

Each entry in the IPS Events page displays the following information about an attack detected by an IPS rule.

Column Name Description
Select any entry in the list to open the IPS event acknowledgment options. You can also select all
entries in a page, or you can select all events in the list. See IPS Event Acknowledgment.
Click to expand the view of the IPS event (or IPS event grouping) to show additional details. See
IPS Events Page Drill-Down View.
Time Date and time of the most recent occurrence of the event.
Victim IP IP address of the attack target. If the entry represents multiple IPS events, this field links to the
Alerts > Hosts page, filtered on this IP address. See Shortcuts From the IPS Events Page.

This address corresponds to two host addresses in the drill-down view of this entry: the
Src IP Addr and Src MAC Addr fields.
Attacker IP IP address of the network host that sent the suspicious traffic.

This address corresponds to the Dst MAC Address field in the drill-down view:
CVE-ID If the IPS rule used to detect the event is associated with a security vulnerability description in the
Common Vulnerabilities and Exposures (CVE) database, this field displays the CVE identification
number. Otherwise, this field is empty.

To display a detailed description of the CVE, click the linked text.


Severity The icon represents the event severity level. Event severity estimates the likelihood that the
targeted host was compromised by the event. The following types of icons are used:

l A critical severity level (7 - 10) is indicated by a graphic element such as the following:

l A major severity level (4 - 6) is indicated by a graphic element such as the following:

l A minor severity level (1 - 3) is indicated by a graphic element such as the following:

# IPS Events Number of IPS events of this type (same victim, same attacker, and same signature ID).

Rule Name of the IPS rule used to detect the event.

To display a detailed description of the security vulnerability (with the exception of custom IPS
rules), click the linked text.
Category Attack category.
Protocol Presentation-layer protocol used as the attack vector.
Badges Badges in this column indicate IPS analysis of the IPS events represented by the table entry.

The system has correlated one or more of these IPS events with a malware attack verified
by the MVX engine. The badge is a link that opens the Alerts > Hosts page, filtered to
display all alerts—malware alerts or IPS alerts—that target the victim IP address. See
Shortcuts From the IPS Events Page.

The entry represents one or more IPS events that have been verified to be non-malicious.
The badge is not hyperlinked. For more information, see About IPS Event Correlation and
Verification.

Times are displayed in UTC format by default. You can set the time zone in the Settings > Date and Time page.

Shortcuts From the IPS Events Page


Most of the entries in the IPS Events page contain shortcuts to other pages:

CVE-ID

If the IPS rule used to detect the IPS event is associated with a security vulnerability description in the CVE
database, this field displays the CVE identification number.

Rule
To display a detailed description of the security vulnerability (with the exception of custom IPS rules), click
the linked text.

Victim IP
If an entry contains an IPS alert, click the IP address in this field to open the Alerts > Hosts page. The alerts
are filtered on the victim IP address.

Badges
If an entry contains an IPS alert, click the IPS alert badge in this field to open the Alerts > Alerts page. The
alerts are filtered on the victim IP address.


For example, suppose you are analyzing the IPS Events page, and you are focusing on an IPS alert (indicated by
the badge circled in red) for an attack on the host at IP address 192.168.185.186 (circled in blue):

l If you click the victim IP address, the Alerts > Hosts page displays the entry for the attack victim.

l If you click the MVX badge, the Alerts > Alerts page displays entries for the victim and IPS rule.

Controls for the IPS Events Page


By default, the IPS Events page lists IPS events and alerts in reverse chronological order. You can change the sort
key or sort direction of the list by clicking a column heading.

Page
To control the page displayed, use the Prev and Next links.
Default: page 1.

Results per page


To set the number of rows displayed per page, select a value in this field.
Default: 20 rows per page.


Duration
To set the time frame for which the page displays IPS events, select values in the From and Going Back
fields.
Default: The past 24 hours.

Show ACK Events


To show or hide acknowledged IPS events, select or clear the option. For more information, see IPS Event
Acknowledgment.
Default: Disabled.

Show Recon & Brute-Force Events


To show or hide IPS events for reconnaissance activity and brute-force attacks, select or clear the option.
For more information, see Showing IPS Reconnaissance Events (Web UI) and Showing Brute-Force Events
(Web UI).
Default: Disabled.

Sort order
To sort the data, click any linked column heading.
To reverse the sort order, click the column heading again.
Default: Sorted on the Time field in descending order.

Show/Hide Filters
Click the button to show or hide the filter fields for all columns.
To filter the IPS events displayed, type a match value in a column filter field and press the Enter key.
Default: Disabled.


IPS Events Page Drill-Down View


To display detailed information about any entry listed in the IPS Events page, you can expand the view of the entry
by clicking the triangle icon in the left-most column of that row.

The following example shows the detailed event information and configuration options that might appear in the drill-
down view of an IPS event:

The following table describes the fields of the drill-down view of an entry in the IPS Events page.

Field Description
Malware Name of the IPS rule that matched the event.
Interface Monitoring interface that received the suspected malicious traffic.
mode Monitoring interface operational mode.
Blocking Action Action taken on the traffic that triggered this event:

  • Blocked
  • NOT blocked

Set Sig Name Blocking Policy Blocking action that the IPS-enabled rules engine should take on traffic that
matches the IPS rule displayed to the right of this drop-down box. This setting
overrides the blocking action specified within the IPS rule itself.

  • None—No override.
  • Block all—For both interfaces, block traffic that matches the IPS rule.
  • Block A—For interface A, block traffic that matches the IPS rule.
  • Block B—For interface B, block traffic that matches the IPS rule.
  • Unblock all—For both interfaces, allow traffic that matches the IPS rule.
  • Unblock A—For interface A, allow traffic that matches the IPS rule.
  • Unblock B—For interface B, allow traffic that matches the IPS rule.

For information about the three Block options, see Options to Disable or Force
Blocking for a Vulnerability or an IPS Rule. For information about the three
Unblock options, see Options to Suppress a Vulnerability or an IPS Rule.
Set Sig ID Blocking Policy Blocking action that the IPS-enabled rules engine should take on traffic that
matches the signature whose ID is displayed to the right of this drop-down box.
This setting overrides the blocking action specified within the IPS rule itself.

  • None—No override.
  • Block all—For both interfaces, block traffic that matches the signature.
  • Block A—For interface A, block traffic that matches the signature.
  • Block B—For interface B, block traffic that matches the signature.
  • Unblock all—For both interfaces, allow traffic that matches the signature.
  • Unblock A—For interface A, allow traffic that matches the signature.
  • Unblock B—For interface B, allow traffic that matches the signature.

For information about the three Block options, see Options to Disable or Force
Blocking for a Vulnerability or an IPS Rule. For information about the three
Unblock options, see Options to Suppress a Vulnerability or an IPS Rule.
Orig. Traffic Capture Links to two forms of the packet capture (pcap) that triggered the IPS event:

  • Raw pcap
  • ASCII text version of the pcap
IP Protocol IP protocol used to transport the threat.
Attacked Port Port number associated with the victim IP address.
Src IP Victim IP address. Same as the Victim IP field in the main view.
Src MAC Address MAC address of the victim machine.
Dst MAC Address MAC address of the attacking machine.

IPS Details
First Seen Time when the attack was first detected (within the specified period of time).
Last Seen Time when the attack was last detected (within the specified period of time).
Categories Attack category and (if applicable) attack subcategory.
References Vulnerability database entries referenced by the IPS rule.
Protocol Presentation-layer protocol used as the attack vector.

Network Communication
Raw Command Text dump of the packet payload.


Alerts > Hosts Page
This topic covers the following information:

l About the Alerts > Hosts Page

l Information in the Main View

l Information in a Victim Drill-Down View

About the Alerts > Hosts Page


On all NX Series appliances the Alerts page offers three views for listing the alerts and callback activity associated
with malware alerts. On an IPS-enabled platform, the lists of alerts include both standard alerts (MVX-verified
malware events) and IPS alerts (MVX-correlated IPS events).

The Alerts > Hosts page lists all malware alerts and IPS alerts, grouped by victim IP address and attack rule name.
Multiple alerts associated with the same victim and signature rule are combined in a single entry in the list. The
Total field displays the number of alerts represented by an entry.

The following example shows the default display of an Alerts > Hosts page.


Information in the Main View


The Alerts > Hosts page lists MVX-verified events that occurred within the selected time frame, consolidated by
victim IP address, and sorted in reverse chronological order. On an IPS-enabled platform, the list includes IPS
events and can optionally include acknowledged IPS alerts.

The following table describes the fields in this view of alerts grouped by victim.

Column Name Description
Click to expand the alert entry to include detailed information about this alert or alert grouping.
Host IP address of the infected host.
Severity The icon represents the event severity level. Event severity estimates the likelihood that the
targeted host was compromised by the event. The following types of icons are used:

l A critical severity level (7 - 10) is indicated by a graphic element such as the following:

l A major severity level (4 - 6) is indicated by a graphic element such as the following:

l A minor severity level (1 - 3) is indicated by a graphic element such as the following:

Total Total number of malware alerts (infections and callbacks) and IPS alerts for this infected host. If
you want to go to a view of the Alerts > Alerts page that has been filtered to list the
individual alerts for the infected host, click the linked text.
Infections Number of infections for this host.
Callbacks Number of malware callback infections for this host, including signature matches and
communications with the botnet server.
Blocked Number of events that were blocked by appliance inline blocking.
Last Malware Last type of malware or attack involved in this infected host. To display a detailed description of
this type of attack, click the linked text. Detailed descriptions are not available for attacks detected
by custom IPS rules.
Last seen at Date and time of the most recent attack on the host.
Host Name Last host name associated with the network host that sent the attack, if known.
Last ack at Date and time of the most recent acknowledgment of this alert.

Badges On an IPS-enabled platform, this column displays badges that indicate analysis of alerts
represented by the entry:

The entry represents one or more IPS alerts. For more information, see the following
topics:
l IPS Events and IPS Alerts
l IPS Events Tab
l Event and Alert Management.

The entry represents one or more non-IPS alerts in which data theft occurred. If you want
to go to a view of the Alerts > Hosts page that has been filtered to list the individual
alerts for the infected host, click the badge. For more information, see the NX Series
Threat Management Guide.

On any NX Series appliance enabled for Advanced Threat Analysis (ATI), Threat Info
badges can appear in this column. The color of the badge indicates the level of risk that
the threat poses to your network:
A red badge indicates an ATI alert for a threat that poses a high risk.

An orange badge indicates an ATI alert for a threat that poses a medium level of risk.

An amber badge indicates an ATI alert for a threat that poses a low risk to your network.

For managed NX Series appliances, ATI badges and ATI information are visible from the
CM Series Web UI only. For more information about ATI, see the NX Series Threat Management
Guide.

For an ATI alert, the threat level measures the level of risk posed by the attack against the
targeted organization. This score is based on the malware's behavioral capabilities and intent,
threat actor profiles, and other FireEye intelligence as available.

The ATI threat level determination for an ATI alert is different from the threat severity for an alert.
The severity estimates the likelihood that the targeted host has been compromised by an event.
For example, established command and control (CnC) channels result in highest severity, while
host connection to a compromised site is low severity because it does not indicate whether the
host was breached.

Times are displayed in UTC format by default. You can set the time zone in the Settings > Date and Time page.

You can filter the list on a single column. Click Show / Hide Filters to show or hide filter options for each column.

l To filter the list on one or more types of badges, open the Select Badge(s) list, select the types of badges you
want to include, then click Apply.

l For all other columns, type the text you want to match and then press Enter.


Information in a Victim Drill-Down View


To display detailed information about any entry listed in the Alerts > Hosts page, you can expand the view of the
entry by clicking the triangle icon in the left-most column of that row. The drill-down view displays the following
information about the infected host (attack victim):

Field Description

Malicious Capabilities Observed in the VM


Data Theft Number of items that were stolen or targeted for theft.
Malicious Behavior Type of malware activity that is observed.
OS Change Summary Operating system changes that are made by the malware.

Malware Detected
Malware Type of malware involved in the infection.
Severity Severity level of the event.
Total Total number of alerts involving the specified malware family. Click the link to display a
list of individual alerts on this host that are related to the same malware family.
Infections Number of infections that are confirmed on the MVX engine.
Callbacks Number of events that involved communication with a remote command and control
(CnC) server.
Blocked Number of events that were blocked by appliance inline blocking.
Botnets Number of events involving botnets.
Last CnC Server Remote CnC server.
Last Location CnC server location, if known.
First Seen First time that an infection event for this malware family was recorded for this host.
Last Seen Last time that an infection event for this malware family was recorded for this host.
Ports Used Ports used in the attack.
Protocols Protocols used in the attack.

Infection URLs      (the first 10 URLs that infected the victim)


Click the arrow to the left of a URL to display the URLs to which the user was directed as
a result of the initial infection. The original (first) URL that was visited is shown in bold.
Initial Infection URL Original (first) URL visited by the victim.
# Visits Number of times the infected host has visited the same infection URL.
Total URLs Total number of URLs to which the user was redirected.
First URL at Time at which the first URL was reached.
Last URL at Time at which the last URL was reached.

Malware Binaries  (the first 10 URLs that infected the victim)


Md5sum MD5 checksum result. Expand for protocol headers.

Filetype Type of file analyzed from the traffic stream. File types include the following:

l DLL (Dynamic Link Library)
l Archived files (ZIP, RAR, TNEF, and 7-ZIP)
l XFF (X-Forwarding)
l XOR (eXclusive-OR encoded) obfuscated Web objects
l TCP Reset and Out-of-Band Blocking

For more information, see the NX Series Threat Management Guide.

Protocol Protocol involved.
Encoding Encoding used.
Last analysis time Most recent time when the checksum was performed.
# Occurrences Number of checksum activities.

Acknowledge the infections and callbacks above for the host at ip-address
Click to expose the notes text box and the Acknowledge button for this alert. For more
information about acknowledging an IPS alert, see the NX Series Threat Management
Guide.


Alerts > Alerts Page
This topic covers the following information:

l About the Alerts > Alerts Page

l Information in the Main View

l Information in an Attack Drill-Down View

About the Alerts > Alerts Page


On an IPS-enabled platform, the Alerts pages list alerts—both MVX-verified malware events and MVX-correlated
IPS events—and callback activity associated with malware alerts. The Alerts > Alerts page lists all malware alerts
and IPS alerts, grouped by attack rule name only. Multiple alerts associated with the same signature rule are
combined in a single entry in the list.

The following example shows the default display of an Alerts > Alerts page.


Information in the Main View


The Alerts > Alerts page lists MVX-verified events that occurred within the selected time frame, consolidated by
attack rule name only, and sorted in reverse chronological order. On an IPS-enabled platform, the list includes IPS
events and can optionally include acknowledged IPS alerts.

The following table describes the fields in this view of alerts grouped by attack.

Column Name Description
Click to expand the alert entry to include detailed information about the alert or alert grouping.
Type Attack detection type:

l Domain Match—Domain matching on DNS requests.
l Infection Match—Pattern matching from a full or partial URL.
l Malware Callback—Communication with a botnet server.
l Malware Object—Local MVX engine rule matches a URL, an MD5 checksum, or both.
l Web Infection—Local MVX engine rule matches a URL.
ID System-internal identification number for the alert. To display detailed information about this
alert, click the linked text.
FT Type of file analyzed from the traffic stream. File types include the following:

l DLL (Dynamic Link Library)
l Archived files (ZIP, RAR, TNEF, and 7-ZIP)
l XFF (X-Forwarding)
l XOR (eXclusive-OR encoded) obfuscated Web objects
l TCP Reset and Out-of-Band Blocking

For more information, see the NX Series Threat Management Guide.

Malware Name of malware or attack.
Severity The icon represents the event severity level. Event severity estimates the likelihood that the
targeted host was compromised by the event. The following types of icons are used:

l A critical severity level (7 - 10) is indicated by a graphic element such as the following:

l A major severity level (4 - 6) is indicated by a graphic element such as the following:

l A minor severity level (1 - 3) is indicated by a graphic element such as the following:

Time Date and time of the most recent occurrence of the attack.
Source IP IP address of the victim that received the attack.

This address corresponds to the Attacked Port and Src IP fields in the drill-down view.
Target IP IP address of the attacker.
URL/MD5sum URL or MD5 checksum that triggered the Malware Object or Web Infection alert.
Location Location in which the server is located, if known. This column is displayed only if geo-location
data is loaded.

Badges On an IPS-enabled platform, this column displays badges that indicate analysis of alerts
represented by the entry:

The entry represents one or more IPS alerts. For more information, see the following
topics:
l IPS Events and IPS Alerts
l IPS Events Tab
l Event and Alert Management.

The entry represents one or more non-IPS alerts in which data theft occurred. In the
Alerts > Alerts page, Data Theft badges are not hyperlinked. For more information, see
the NX Series Threat Management Guide.

On any NX Series appliance enabled for Advanced Threat Analysis (ATI), Threat Info
badges can appear in this column. The color of the badge indicates the level of risk that
the threat poses to your network:
A red badge indicates an ATI alert for a threat that poses a high risk.

An orange badge indicates an ATI alert for a threat that poses a medium level of risk.

An amber badge indicates an ATI alert for a threat that poses a low risk to your network.

For managed NX Series appliances, ATI badges and ATI information are visible from the
CM Series Web UI only. For more information about ATI, see the NX Series Threat Management
Guide.

For an ATI alert, the threat level measures the level of risk posed by the attack against the
targeted organization. This score is based on the malware's behavioral capabilities and intent,
threat actor profiles, and other FireEye intelligence as available.

The ATI threat level determination for an ATI alert is different from the threat severity for an alert.
The severity estimates the likelihood that the targeted host has been compromised by an event.
For example, established command and control (CnC) channels result in highest severity, while
host connection to a compromised site is low severity because it does not indicate whether the
host was breached.

Times are displayed in UTC format by default. You can set the time zone in the Settings > Date and Time page.

You can filter the list on a single column. Click Show / Hide Filters to show or hide filter options for each column.

l To filter the list on one or more types of badges, open the Select Badge(s) list, select the types of badges you
want to include, then click Apply.

l For all other columns, type the text you want to match and then press Enter.


Information in an Attack Drill-Down View


For any entry in the Alerts > Alerts page, click the arrow to expand the view and display the following types of
attack information, based on event type. For more information, see the NX Series Threat Management Guide.

l Analysis Details

l Attempted Infection Communication

l Bot Communication Details

l Callback Communication from Infected Host

l Callback Communication Observed from the MVX Engine

l Malware Detected

l Malware Binaries

l OS Change Details


Alerts > Callback Activity Page
This topic covers the following information:

l About the Alerts > Callback Activity Page

l Information in the Main View

l Information in a Callback Activity Drill-Down View

About the Alerts > Callback Activity Page


On an IPS-enabled platform, the Alerts page lists alerts—both MVX-verified malware events and MVX-correlated
IPS events—and callback activity associated with malware alerts. The Alerts > Callback Activity page lists all
command and control (CnC) servers contacted by infected hosts. Multiple callbacks to the same CnC server are
combined in a single entry in the list.

The following example shows the default display of an Alerts > Callback Activity page. The default display lists
entries in reverse chronological order, shows 20 results per page, covers the previous 24 hours of IPS processing,
and is not filtered on any data column.

Information in the Main View


Each row of results in the Alerts > Callback Activity page displays the following information about a suspicious
callback event:

Column Name Description
Click to expand the row to display additional results.

C&C Server Host name or IP address of the botnet CnC server that directs the callback activity.
Location Geographical location of the botnet C&C server, if known. This information appears only if geo-
location data is loaded.
Events Number of callback events seen for this C&C server.
Hosts Number of hosts on the monitored network that have been verified as botnet zombies under the
control of the CnC server.
Last Seen at Date and time of the most recent callback event. Times are displayed in UTC format by default. You
can set the time zone in the Settings > Date and Time page.

Information in a Callback Activity Drill-Down View


Click the arrow to see the drill-down view of an entry in the Alerts > Callback Activity page. The drill-down view
displays the following information about the callback event. For more information, see the NX Series Threat
Management Guide.

Field Description
Service Port(s) System port number used by the malware to connect to the C&C server.
IP Protocol(s) Types of IP traffic for which a FireEye C&C rule matched traffic: TCP, UDP, or HTTP.
First Seen Time when the callback activity was first detected (within the period of time displayed in the
Alerts page).
VM-verified Hosts Number of infected hosts that initiated MVX-verified outbound communications to a C&C
server associated with the callback event.
Callback Hosts Number of infected hosts that attempted to contact the C&C server.
ipAddress (count) IP addresses of infected hosts that attempted to contact the C&C server. The number of
callback attempts by the infected host is shown enclosed in parentheses.

l Click the IP address to open the Alerts > Hosts page, filtered for the victim IP address in
the Host column.

l Click the number to open the IPS Events page, filtered for the victim IP address in the
Source IP column.



IPS Detection of Reconnaissance Activity
These topics cover IPS advanced engine processing that detects reconnaissance activity.

About IPS Detection of Reconnaissance Activity 82

Showing IPS Reconnaissance Events (Web UI) 83

Reconnaissance Event Entries in the IPS Events Page 85

IPS Reconnaissance Event Details for Ping Sweeps 87

IPS Reconnaissance Event Details for Port Scans 88

Enabling IPS Detection of Reconnaissance Activity (CLI) 90

Configuring the Detection Thresholds for Reconnaissance Events (CLI) 91


About IPS Detection of Reconnaissance Activity


Network reconnaissance is the unauthorized discovery of the victim's network topology and the active services
within the network. Intruders use the information to identify vulnerabilities to be exploited in future attacks. Typically,
intruders run ping sweeps across the subnets in the target network to find live IP addresses. Next, port scans of the
host IP addresses discover open ports. Intruders query the ports to determine the operating systems and
applications running on the target hosts.

To detect reconnaissance activity, a platform engine detects repeated connections and queries to or from the same
host. The platform engine tracks and analyzes the sources, destinations, and amount of each suspicious traffic flow.
Through analysis of the suspicious traffic and hosts, the engine can separate reconnaissance attacks from normal
network traffic. When a reconnaissance attack is detected, the system triggers an IPS ping sweep event or an IPS
port scan event.

When IPS detection of reconnaissance activity is enabled, the platform detects reconnaissance activity that targets
ports, hosts, and networks.

Ping sweeps
When the IPS-enabled engine identifies certain ICMP echo requests and replies, it tracks the source IP
addresses (the attackers) and destination IP addresses (the victims). The platform triggers an IPS ping
sweep event when the number of ICMP messages in a session exceeds a configurable threshold within a
rolling 60-second window. Ping sweep detection is supported on IPv4 and IPv6 networks.

Port scans
When the IPS-enabled engine identifies certain TCP or UDP connection flows, it tracks the source IP
address (the attacker) and its last five destination IP addresses (victims). The engine triggers an IPS port
scan event when the number of TCP or UDP messages exceeds a configurable threshold within a rolling
60-second window. Port scan detection is supported on IPv4 and IPv6 networks.
The rules detect the following types of port scans:
l TCP SYN
l TCP SYN+ACK
l TCP Connect
l TCP NULL
l TCP FIN
l TCP XMAS
l UDP

Frequent connections to a service port on a single victim IP address do not trigger IPS reconnaissance
events. Attackers typically do not scan the same port on the same IP address many times. Automatic
suppression of events for this type of activity prevents false positives from triggering on valid network traffic,
such as DNS packets and NETBIOS Name Service packets.

NOTE: Reconnaissance detection consumes additional system resources. Depending on your traffic load and IPS
policies, operating the platform in reconnaissance detection mode can slow IPS processing. For that reason, IPS
detection of reconnaissance activity is disabled by default.

IPS reconnaissance events do not trigger FireEye event notifications and cannot be acknowledged.
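The ping-sweep and port-scan processing described above, as an added illustration in Python (not FireEye's code): each attacker's probes are kept in a rolling 60-second window, TCP probes are classified into the scan types listed, the attacker's last five victims are remembered, and repeated probes of one port on one victim are suppressed. The threshold value of 5, the Flow record layout and the sample traffic are constructed assumptions; the appliance thresholds are configurable.

```python
"""Rolling-window reconnaissance detector modelled on the ping-sweep and port-scan
processing described above. Added illustration, not FireEye code; thresholds,
record fields and the sample traffic are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 60        # rolling window stated on the page
PING_SWEEP_THRESHOLD = 5   # assumed value; the appliance threshold is configurable
PORT_SCAN_THRESHOLD = 5    # assumed value; the appliance threshold is configurable
RECENT_VICTIMS = 5         # the engine keeps the attacker's last five destinations
FIN, SYN, PSH, ACK, URG = 0x01, 0x02, 0x08, 0x10, 0x20   # TCP header flag bits


@dataclass(frozen=True)
class Flow:
    ts: float                     # seconds since capture start
    proto: str                    # "icmp", "tcp" or "udp"
    src: str                      # attacker (source IP)
    dst: str                      # victim (destination IP)
    dport: int = 0                # destination port, 0 for ICMP
    flags: int = 0                # TCP flags of the first probe packet
    handshake_done: bool = False  # True when the three-way handshake completed


def scan_subcategory(flow):
    """Map a TCP or UDP probe to one of the port-scan types listed above."""
    if flow.proto == "udp":
        return "UDP"
    f = flow.flags
    if f == 0:
        return "TCP NULL"
    if f == FIN:
        return "TCP FIN"
    if f == FIN | PSH | URG:
        return "TCP XMAS"
    if f == SYN | ACK:
        return "TCP SYN+ACK"
    return "TCP Connect" if flow.handshake_done else "TCP SYN"


class ReconDetector:
    """Tracks each attacker's probes inside a rolling 60-second window."""

    def __init__(self):
        # attacker -> deque of (ts, victim, dport, subcategory) still in the window
        self.history = defaultdict(deque)
        # attacker -> last five distinct victims, most recent last
        self.recent = defaultdict(lambda: deque(maxlen=RECENT_VICTIMS))

    def observe(self, flow):
        """Feed one flow; return an event dict once a threshold is exceeded."""
        q = self.history[flow.src]
        while q and flow.ts - q[0][0] > WINDOW_SECONDS:   # drop probes outside window
            q.popleft()
        if flow.proto == "icmp":
            sub, threshold = "ping sweep", PING_SWEEP_THRESHOLD
        else:
            sub, threshold = scan_subcategory(flow), PORT_SCAN_THRESHOLD
            # Automatic suppression: repeated probes of one port on one victim
            # (normal for DNS or NetBIOS name service) are not counted again.
            if any(v == flow.dst and p == flow.dport for _, v, p, _ in q):
                return None
        q.append((flow.ts, flow.dst, flow.dport, sub))
        rv = self.recent[flow.src]
        if flow.dst in rv:
            rv.remove(flow.dst)
        rv.append(flow.dst)
        matching = [e for e in q if e[3] == sub]   # only this subcategory counts
        if len(matching) <= threshold:
            return None
        ports = sorted(p for _, v, p, _ in matching if v == flow.dst)
        return {
            "attacker": flow.src,
            "subcategory": sub,
            "connection_count": len(matching),
            "victim_ip_count": len({v for _, v, _, _ in matching}),
            "recent_victims": list(rv),               # most recent victim is last
            "port_range": None if flow.proto == "icmp" else (ports[0], ports[-1]),
        }


def detect(flows):
    """Run the detector over a flow list and collect every event it raises."""
    det = ReconDetector()
    return [ev for ev in (det.observe(f) for f in flows) if ev]


# Constructed sample traffic: a TCP SYN scan of 10.0.0.1, a ping sweep across
# 10.0.1.0/24 by the same attacker, and a workstation repeatedly querying DNS.
SAMPLE_FLOWS = (
    [Flow(i, "tcp", "10.0.0.9", "10.0.0.1", 20 + i, SYN) for i in range(8)]
    + [Flow(100 + i, "icmp", "10.0.0.9", f"10.0.1.{i + 1}") for i in range(8)]
    + [Flow(200 + i, "udp", "10.0.0.42", "10.0.0.53", 53) for i in range(20)]
)
```

Calling detect(SAMPLE_FLOWS) raises events only for the scan and the sweep; the repeated DNS queries are suppressed because they hit one port on one host.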


Showing IPS Reconnaissance Events (Web UI)


On the IPS Events page you can show or hide reconnaissance events and brute-force events. IPS brute-force and
reconnaissance events are hidden by default. To show reconnaissance events only, filter the list on the threat
category.

Prerequisites

l Log in to the Web UI of the IPS-enabled appliance as Analyst or Admin.

Procedure

To show reconnaissance events in the IPS Events page:


1. Open the IPS Events page.

2. Select the time frame you want to view by using the two Duration fields in the control bar.

3. Select Show Recon & Brute-Force Events on the right side of the control bar. The list expands to include IPS
reconnaissance events and brute-force events.

4. Click Show/Hide Filters.

5. In the text box below the Category heading, type reconnaissance.


6. Press Enter.

The list displays reconnaissance events only.

TIP: You can filter the list further so that it displays only ping sweep events, only TCP reconnaissance events, or
only UDP reconnaissance events. Filter the Protocol field on icmp, tcp, or udp.


Reconnaissance Event Entries in the IPS Events Page


IPS reconnaissance event entries are listed in the IPS Events page only. You can identify IPS reconnaissance
events by the Category value of reconnaissance.

The following example shows the IPS Events page filtered to show IPS reconnaissance events only. For more
information, see Showing Reconnaissance Events (Web UI).

Understanding IPS Reconnaissance Event Entries


Each reconnaissance event entry represents a group of one or more individual reconnaissance events that share
the same victim or attacker IP address and reconnaissance subcategory. It is helpful to think of a reconnaissance
event entry in terms of the number of victims and attackers it represents.

One-to-Many
If the entry represents a single attacker conducting the same reconnaissance on multiple victims, the
Victim IP field displays a green plus icon (   ) next to the IP address of the most recent victim. Click the
green plus icon (or the triangle in column 2) to expand the entry. The drill-down view displays the
IP addresses of the last five victims of the attack but the IP count and port range of the most recent victim
only.


Many-to-One
If the entry represents multiple attackers conducting the same reconnaissance on a single victim, the
Attacker IP field displays a green plus icon (   ) next to the IP address of the most recent attacker. Click the
green plus icon (or the triangle in column 2) to expand the entry. The drill-down view displays the IP
addresses of the last five attackers but the IP count and port range of the most recent attacker only.

One-to-One
If the entry represents one victim and one attacker, no green plus icon appears. The drill-down view does
not list additional victims or attackers, though the number of attacks may be quite high.

How to Find Statistics for Individual Hosts Within an Aggregate Entry


For any IPS reconnaissance event entry that represents either a many-to-one attack or a one-to-many attack, you
might notice what appear to be extra one-to-one entries. The one-to-one entries seem to duplicate the information
already aggregated into the multi-attacker or multi-victim event entry. The one-to-one entries are included to make
per-victim details or per-attacker details available.

For example, suppose the IPS Events list includes an entry that represents one attacker and ten victims (a 1:10
entry) of TCP port scans. When the entry is collapsed, you can see the IP address of the most recent victim and the
total number of attacks (in the # IPS Events field). When you expand the entry, you can see the IP addresses of four
more recent victims. Other statistics in the drill-down view, such as Total Connection Count and Victim IP Count, are
aggregates of all ten victims. Elsewhere in the IPS Events list, you will also see ten one-to-one entries that you
might think are already accounted for in the 1:10 entry. However, these entries contain individual statistics for each
victim.

IPS Reconnaissance Event Details for Ping Sweeps


To display detailed information about a group of IPS ping sweep events listed in the IPS Events page, click the
triangle (   ) in the second column.

The following example shows the drill-down view of a one-to-many ping sweep event entry.

The following table describes the ping sweep-specific fields in the drill-down view of an IPS ping sweep event entry.

Field                     Description
IP Protocol               ICMP
Victim IP                 IP address of the victim.

Recon Events - Ping Sweep
Error / Response Count    Number of ICMP sessions monitored for all events in the entry.
Victim IPs                IP addresses of the most recent victims (up to 5 addresses).
Total Victim IP Count     Number of victims identified. (This value might be an estimate.)
Total Attacker IP Count   Number of attackers identified. (This value might be an estimate.)
Attacker IPs              IP addresses of the most recent attackers (up to 5 addresses).

NOTE: For most IPS ping sweep events, certain statistics are estimated values rather than exact counts. The
following values are provided as reference information only:

• Victim IP Count
• Attacker IP Count

Analysis of ping sweep activity is a resource-intensive process. When it is necessary to conserve resources, the
analysis process does not record all IP addresses involved in the ping sweep activity. In this case, the process must
estimate the count of IP addresses or port numbers. To estimate the count, the process compares the current IP
address or port count with the most recent IP addresses or port counts in cache memory.

IPS Reconnaissance Event Details for Port Scans


To display detailed information about a group of IPS port scan events listed in the IPS Events page, click the
triangle (   ) in the second column.

The following example shows the drill-down view of a one-to-many port scan event entry.

The following table describes the port scan-specific fields in the drill-down view of an IPS port scan event entry.

Field                              Description
IP Protocol                        TCP or UDP
Victim Port                        Port number last attacked on the most recent victim.
Victim IP                          IP address of the most recent victim.

Recon Events - Port Scan
Total Connection Count per Event   Number of TCP or UDP connections monitored for all events in the entry.
Victim IPs                         IP addresses of the most recent victims (up to 5 addresses).
Attacker IPs                       IP addresses of the most recent attackers (up to 5 addresses).
Victim IP Count                    Number of victims identified. (This value might be an estimate.)
Victim IP Range                    Lowest and highest victim IP addresses.
Victim Port Count                  Number of victim ports identified. (This value might be an estimate.)
Victim Port Range                  Lowest and highest victim port numbers.
Attacker IP Count                  Number of attackers identified. (This value might be an estimate.)
Attacker IP Range                  Lowest and highest attacker IP addresses.

NOTE: For most IPS port scan events, certain statistics are estimated values rather than exact counts. The following
values are provided as reference information only:

• Victim IP Count
• Victim Port Count
• Attacker IP Count

Analysis of port scan activity is a resource-intensive process. When it is necessary to conserve resources, the
analysis process does not record all IP addresses or port numbers involved in the port scan activity. In this case, the
process must estimate the count of IP addresses or port numbers. To estimate the count, the process compares the
current IP address or port count with the most recent IP addresses or port counts in cache memory.

Enabling IPS Detection of Reconnaissance Activity (CLI)


IPS detection of reconnaissance activity is disabled by default. If you enable this feature, the platform triggers IPS
events when reconnaissance activity is detected.

NOTE: Reconnaissance detection consumes additional system resources. Depending on your traffic load and IPS
policies, operating the platform in reconnaissance detection mode can slow IPS processing.

The platform uses default threshold values for ping sweep detection and port scan detection. You can configure
higher detection thresholds to reduce false positive IPS events. See Configuring the Detection Thresholds for
Reconnaissance Events (CLI).

Prerequisites

• Log in to the CLI of the IPS-enabled appliance as Operator or Admin.

Procedure

To enable or disable IPS detection of reconnaissance activity:


1. Enter CLI configuration mode.

hostname > enable


hostname # configure terminal
hostname (config) #

2. Check the current status of the feature. In the following example, the feature is not yet enabled.

hostname (config) # show ips reconnaissance


IPS reconnaissance is disabled

3. Enable or disable the feature. In the following example, the command enables the feature.

hostname (config) # ips reconnaissance enable

4. Confirm your changes. The following example displays the default settings.

hostname (config) # show ips reconnaissance


Ping sweep threshold : 20
Port scan threshold : 200
Brute force threshold : 5

5. Save your changes.

hostname (config) # write memory


Saving configuration file ... Done!

Configuring the Detection Thresholds for Reconnaissance Events (CLI)


When the IPS-enabled engine detects a certain number of failed network connections to or from the same
IP address occurring within a rolling 60-second window, a reconnaissance attack is suspected. Based on this and
other criteria, the engine determines whether the suspicious activity constitutes a reconnaissance event.

The system initializes with default threshold values for ping sweep detection and port scan detection. You can
configure higher thresholds to reduce false positive IPS events.

Prerequisites

• Log in to the IPS-enabled appliance as Operator or Admin.

• Enable IPS detection of reconnaissance activity. See Enabling IPS Detection of Reconnaissance Activity (CLI).

Procedure

To configure IPS detection thresholds for reconnaissance activity:


1. Enter CLI configuration mode.

hostname > enable


hostname # configure terminal
hostname (config) #

2. Check the current status of the feature. In the following example, the feature is enabled with default values.

hostname (config) # show ips reconnaissance


Ping sweep threshold : 20
Port scan threshold : 200
Brute force threshold : 5

3. Configure a new ping sweep threshold value. In the following example, the threshold is raised to 35.

hostname (config) # ips ping-sweep threshold 35

4. Configure a new port scan threshold value. In the following example, the threshold is raised to 300.

hostname (config) # ips port-scan threshold 300

5. Confirm your changes.

hostname (config) # show ips reconnaissance


Ping sweep threshold : 35
Port scan threshold : 300
Brute force threshold : 5

6. Save your changes.

hostname (config) # write memory


Saving configuration file ... Done!

IPS Detection of Brute-Force Attacks
These topics cover IPS detection of brute-force attacks.

About IPS Detection of Brute-Force Attacks
Showing Brute-Force Events (Web UI)
Brute-Force Event Entries in the IPS Events Page
Brute-Force Event Details
Enabling Detailed Inspection Mode (CLI)
Configuring the Detection Threshold for Brute-Force Attacks (CLI)
Disabling Detection of Brute-Force Attacks (Web UI)
Suppressing an IPS Brute-Force Rule (Web UI)

About IPS Detection of Brute-Force Attacks


A brute-force attack is a trial-and-error method used to obtain unauthorized access to resources. An IPS-enabled
platform detects repeated failed login attempts as well as common password-stealing and password-guessing
mechanisms, such as dictionary attacks. By analyzing the pattern and volume of activities and hosts, the IPS-
enabled rules engine can distinguish between brute-force attacks and valid network traffic. The platform triggers a
brute-force event when the number of failed login attempts to or from the same IP address reaches a certain
threshold within a 60-second rolling window. You can configure the number of failed login attempts that triggers a
brute-force event. For details, see Configuring the Detection Threshold for Brute-Force Attacks (CLI).

Brute-force detection is enabled if an active IPS policy selects one or more IPS brute-force rules.

IPS brute-force events do not trigger FireEye event notifications and cannot be acknowledged.

Protocol Ports Supported


The IPS-enabled rules engine detects brute-force attacks by applications that use ports for the following protocols.
The list is dynamic, and FireEye controls the list through periodic updates of IPS security content.

• IPv4 FTP
• IPv4 MySQL
• IPv4 PostgreSQL
• IPv4 rsh
• IPv4 SMB

Additional Protocol Ports Supported in Detailed Inspection Mode


To protect additional protocol ports from brute-force attacks, you can enable the IPS rules engine to operate in
detailed inspection mode. In this mode, the rules engine performs a more detailed inspection of packets than it
does when operating in default mode. The list of protocol ports that require detailed inspection mode is dynamic,
and FireEye controls the list through periodic updates of IPS security content.

At the time of this release, detailed inspection mode enables the platform to detect brute-force attacks by
applications that use ports for the following protocols:

• IPv4 Telnet
• IPv4 VNC
• IPv4 rlogin
• IPv6 Telnet
• IPv6 FTP

IMPORTANT! IPS detailed packet inspection may slow IPS processing.

Showing Brute-Force Events (Web UI)


On the IPS Events page you can show or hide reconnaissance events and brute-force events. IPS reconnaissance
events and brute-force events are hidden by default. To show brute-force events only, filter the list on the threat
category brute_force.

Prerequisites

• Log in to the Web UI of the IPS-enabled appliance as Analyst or Admin.

Procedure

To show brute-force events in the IPS Events page:


1. Open the IPS Events page.

2. Select the time frame you want to view by using the two Duration fields in the control bar.

3. Select Show Recon & Brute-Force Events on the right side of the control bar. The list expands to include IPS
reconnaissance events and brute-force events.

4. Click Show / Hide Filters.

5. In the text box below the Category heading, type brute_force.

6. Press Enter.

The list displays brute-force events only.

Brute-Force Event Entries in the IPS Events Page


IPS brute-force events are listed in the IPS Events page only. You can identify IPS brute-force event entries by the
Category value of brute_force.

The following example shows the IPS Events page filtered to show IPS brute-force events only. For more
information, see Showing Brute-Force Events (Web UI).

Understanding IPS Brute-Force Entries


Each brute-force event entry represents a group of one or more individual brute-force events that share the same
victim or attacker IP address and brute-force attack subcategory. It is helpful to think of a brute-force event entry in
terms of the number of victims and attackers it represents.

One-to-Many
If the entry represents a single attacker conducting the same attack on multiple victims, the Victim IP field
displays a green plus icon (   ) next to the IP address of the most recent victim. Click the green plus icon (or
the triangle in column 2) to expand the entry. The drill-down view displays the IP addresses of the last five
victims of the attack but the IP count and port range of the most recent victim only.

Many-to-One
If the entry represents multiple attackers conducting the same attack on a single victim, the Attacker IP field
displays a green plus icon (   ) next to the IP address of the most recent attacker. Click the green plus icon
(or the triangle in column 2) to expand the entry. The drill-down view displays the IP addresses of the last
five attackers but the IP count and port range of the most recent attacker only.

One-to-One
If the entry represents one victim and one attacker, no green plus icon appears. The drill-down view does
not list additional victims or attackers, though the number of attacks may be quite high.

How to Find Statistics for Individual Hosts Within an Aggregate Entry


For any IPS brute-force event entry that represents either a many-to-one attack or a one-to-many attack, you might
notice what appear to be extra one-to-one entries. The one-to-one entries seem to duplicate the information already
aggregated into the multi-attacker or multi-victim event entry. The one-to-one entries are included to make
per-victim or per-attacker details available.

For example, suppose the IPS Events list includes an entry that represents ten attackers and one victim (a 10:1
entry) of Telnet brute-force attacks. When the entry is collapsed, you can see the IP address of the most recent
attacker and the total number of attacks (in the # IPS Events field). When you expand the entry, you can see the IP
addresses of four more recent attackers. Other statistics in the drill-down view, such as Total Connection Count and
Victim IP Count, are aggregates of all ten attackers. Elsewhere in the IPS Events list, you will also see ten one-to-
one entries that you might think are already accounted for in the 10:1 entry. However, these entries contain
individual statistics for each attacker.
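
The grouping described in this topic, and in Understanding IPS Reconnaissance Event Entries earlier in this guide, can be reproduced from a list of individual events. The following Python is an added example, not FireEye code: the grouping keys (subcategory plus attacker for one-to-many, plus victim for many-to-one, plus both for one-to-one), the field names, and the constructed ten-attacker Telnet sample are assumptions, chosen to mirror the 10:1 example above.

```python
from collections import defaultdict


def _recent_distinct(values):
    """Distinct values, most recent first (input is ordered oldest first)."""
    seen = []
    for value in reversed(list(values)):
        if value not in seen:
            seen.append(value)
    return seen


def _entry(subcategory, shape, evs):
    """Build one list entry from the events it represents (oldest first)."""
    victims = _recent_distinct(e["victim"] for e in evs)
    attackers = _recent_distinct(e["attacker"] for e in evs)
    ports = sorted({e["port"] for e in evs if e.get("port") is not None})
    return {
        "subcategory": subcategory,
        "shape": shape,                      # "1:N", "N:1" or "1:1"
        "attacker_ip": attackers[0],         # collapsed view: most recent attacker
        "victim_ip": victims[0],             # collapsed view: most recent victim
        "ips_event_count": len(evs),         # the # IPS Events column
        "attacker_ips": attackers[:5],       # drill-down view: up to 5 most recent
        "attacker_ip_count": len(attackers),
        "victim_ips": victims[:5],
        "victim_ip_count": len(victims),
        "victim_port_range": (ports[0], ports[-1]) if ports else None,
    }


def build_entries(events):
    """Group individual events into the three entry shapes (assumed keys).
    Multi-host entries are emitted only when more than one peer is involved;
    a 1:1 entry is always emitted so per-host statistics stay available."""
    by_attacker, by_victim, by_pair = defaultdict(list), defaultdict(list), defaultdict(list)
    for ev in events:
        by_attacker[(ev["subcategory"], ev["attacker"])].append(ev)
        by_victim[(ev["subcategory"], ev["victim"])].append(ev)
        by_pair[(ev["subcategory"], ev["attacker"], ev["victim"])].append(ev)
    entries = []
    for evs in by_attacker.values():
        if len({e["victim"] for e in evs}) > 1:
            entries.append(_entry(evs[0]["subcategory"], "1:N", evs))
    for evs in by_victim.values():
        if len({e["attacker"] for e in evs}) > 1:
            entries.append(_entry(evs[0]["subcategory"], "N:1", evs))
    for evs in by_pair.values():
        entries.append(_entry(evs[0]["subcategory"], "1:1", evs))
    return entries


def shape_counts(entries):
    """How many entries of each shape the list would show."""
    counts = {}
    for entry in entries:
        counts[entry["shape"]] = counts.get(entry["shape"], 0) + 1
    return counts


def sample_events():
    """Constructed data, not a capture: ten attackers each make three failed
    Telnet logins against one victim, interleaved in time (oldest first)."""
    events = []
    for _ in range(3):
        for i in range(1, 11):
            events.append({"subcategory": "brute_force", "attacker": f"198.51.100.{i}",
                           "victim": "192.0.2.20", "port": 23})
    return events


if __name__ == "__main__":
    entries = build_entries(sample_events())
    print(shape_counts(entries))  # one 10:1 entry plus ten 1:1 entries
    for entry in entries:
        if entry["shape"] == "N:1":
            print(entry["ips_event_count"], entry["attacker_ip_count"], entry["attacker_ips"])
```

Running the sample yields one N:1 entry whose # IPS Events is 30 and whose drill-down lists only the five most recent attackers, plus ten 1:1 entries carrying three events each; those ten are the per-attacker rows the text says not to mistake for duplicates.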

Brute-Force Event Details


To display detailed information about a group of IPS brute-force events listed in the IPS Events page, click the
triangle (   ) in the second column.

The following example shows the drill-down view of a one-to-many Telnet brute-force event entry.

The following table describes the brute force-specific fields in the drill-down view of an IPS brute-force event entry.

Field                     Description
IP Protocol               TCP or UDP
Victim Port               Port number last attacked on the most recent victim.
Victim IP                 IP address of the victim.

Brute Force Events
Number of failed login    Number of failed login attempts detected for all events in the entry.
Victim IPs                IP addresses of the most recent victims (up to 5 addresses).
Attacker IPs              IP addresses of the most recent attackers (up to 5 addresses).
Total Victim IP Count     Number of victims identified. (This value might be an estimate.)
Total Attacker IP Count   Number of attackers identified. (This value might be an estimate.)

NOTE: For most brute-force events, some statistics are estimated values rather than exact counts. The following
values are provided as reference information only:

• Victim IP Count
• Attacker IP Count

Brute-force analysis is a resource-intensive process. When it is necessary to conserve resources, the analysis
process does not record all IP addresses involved in the attack. In this case, the process must estimate the count of
IP addresses or port numbers. To estimate the count, the process compares the current IP address or port count
with the most recent IP addresses or port counts in cache memory.

Enabling Detailed Inspection Mode (CLI)


You can enable the IPS-enabled rules engine to perform detailed packet inspection. The rules engine must run in
this mode to protect certain protocol ports from brute-force attacks. The list of protocol ports is dynamic, and FireEye
controls the list through periodic updates of IPS security content. IPS detailed packet inspection is useful for
inspecting traffic flows to email protocols, detecting reconnaissance activity, and detecting brute-force attacks.

IMPORTANT! IPS detailed packet inspection may slow IPS processing.

Prerequisites

• Log in to the IPS-enabled appliance as Operator or Admin.

Procedure

To enable detailed packet inspection for brute-force attacks:


1. Enter CLI configuration mode.

hostname > enable


hostname # configure terminal
hostname (config) #

2. Enable detailed packet inspection for brute-force attacks.

hostname (config) # ips detail-filter

3. Save your changes.

hostname (config) # write memory


Saving configuration file ... Done!

Configuring the Detection Threshold for Brute-Force Attacks (CLI)


When the IPS-enabled rules engine detects a certain number of failed login attempts to or from the same IP address
occurring within a rolling 60-second window, a brute-force attack is suspected. Based on this and other criteria, the
rules engine determines whether the suspicious activity constitutes a brute-force event.

The system initializes with a default threshold value for detecting brute-force events. You can configure a higher
threshold to reduce false positive IPS events.

Prerequisites

• Log in to the IPS-enabled appliance as Operator or Admin.

Procedure

To configure the detection threshold for brute-force attacks:


1. Enter CLI configuration mode.

hostname > enable


hostname # configure terminal
hostname (config) #

2. Check the current value of the threshold. In the following example, the feature is enabled with default values.

hostname (config) # show ips reconnaissance


Ping sweep threshold : 20
Port scan threshold : 200
Brute force threshold : 5

3. Configure a new brute-force threshold value. In the following example, the threshold is raised to 10.

hostname (config) # ips brute-force threshold 10

4. Confirm your changes.

hostname (config) # show ips reconnaissance


Ping sweep threshold : 20
Port scan threshold : 200
Brute force threshold : 10

5. Save your changes.

hostname (config) # write memory


Saving configuration file ... Done!
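
The rolling-window threshold logic described in this topic, in Configuring the Detection Thresholds for Reconnaissance Events (CLI), and in About IPS Detection of Brute-Force Attacks can be made concrete with a small detector. The following Python is an added example, not FireEye code: the record format, the mapping of failures to the ping_sweep, port_scan and brute_force subcategories, the per-attacker counting, and the sample records are all assumptions; only the default thresholds (20, 200 and 5) and the 60-second window come from this guide.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60

# Defaults as printed by `show ips reconnaissance` in this guide.
DEFAULT_THRESHOLDS = {"ping_sweep": 20, "port_scan": 200, "brute_force": 5}


def classify(rec):
    """Map a failure record to a subcategory.  The mapping is an assumption:
    failed logins -> brute_force, unanswered ICMP -> ping_sweep, and failed
    TCP/UDP connections -> port_scan."""
    if rec["kind"] == "login":
        return "brute_force"
    if rec["proto"] == "icmp":
        return "ping_sweep"
    return "port_scan"


class RollingWindowDetector:
    """Counts failures per (subcategory, attacker IP) inside a trailing window
    and fires an event when the count reaches that subcategory's threshold."""

    def __init__(self, thresholds=None, window=WINDOW_SECONDS):
        self.thresholds = dict(DEFAULT_THRESHOLDS, **(thresholds or {}))
        self.window = window
        # (subcategory, attacker) -> deque of (ts, victim, port), oldest first
        self._hits = defaultdict(deque)

    def feed(self, rec):
        """Consume one failure record; records must arrive in timestamp order.
        Returns an event dict at the moment the threshold is reached, else None."""
        subcat = classify(rec)
        hits = self._hits[(subcat, rec["attacker"])]
        hits.append((rec["ts"], rec["victim"], rec.get("port")))
        # Drop everything that fell out of the window relative to the newest record.
        while rec["ts"] - hits[0][0] > self.window:
            hits.popleft()
        if len(hits) != self.thresholds[subcat]:
            return None  # fire once, exactly when the count crosses the threshold
        return self._summarize(subcat, rec["attacker"], hits)

    @staticmethod
    def _summarize(subcat, attacker, hits):
        victims = []
        for _, victim, _ in reversed(hits):  # most recent victim first
            if victim not in victims:
                victims.append(victim)
        ports = sorted({p for _, _, p in hits if p is not None})
        return {
            "subcategory": subcat,
            "attacker": attacker,
            "failure_count": len(hits),
            "victim_ips": victims[:5],  # the drill-down view shows up to 5 addresses
            "victim_ip_count": len(victims),
            "victim_port_range": (ports[0], ports[-1]) if ports else None,
        }


def sample_failures():
    """Constructed records, not captured traffic: a fast TCP scan, an ICMP sweep
    too slow to fit 20 probes into one window, and a burst of failed FTP logins."""
    recs = []
    for i in range(250):  # 250 ports on one host in 25 s -> port_scan fires at 200
        recs.append({"ts": 1000 + i * 0.1, "attacker": "198.51.100.7",
                     "victim": "192.0.2.10", "proto": "tcp", "port": 1 + i, "kind": "probe"})
    for i in range(25):   # one ICMP probe every 40 s -> never 20 inside 60 s
        recs.append({"ts": 2000 + i * 40, "attacker": "198.51.100.8",
                     "victim": f"192.0.2.{100 + i}", "proto": "icmp", "port": None, "kind": "probe"})
    for i in range(5):    # 5 failed FTP logins in 8 s -> brute_force fires at 5
        recs.append({"ts": 4000 + i * 2, "attacker": "198.51.100.9",
                     "victim": "192.0.2.20", "proto": "tcp", "port": 21, "kind": "login"})
    return recs


def run_detector(thresholds=None):
    """Replay the sample records and return the events that fired."""
    detector = RollingWindowDetector(thresholds)
    return [ev for ev in map(detector.feed, sample_failures()) if ev]


if __name__ == "__main__":
    for event in run_detector():
        print(event)
    # Raising the port scan threshold silences the 250-port scan, as the
    # threshold procedures in this guide intend for noisy environments.
    print([e["subcategory"] for e in run_detector({"port_scan": 300})])
```

With the defaults the replay fires a port_scan event at the 200th failed connection and a brute_force event at the fifth failed FTP login, while the slow ICMP sweep never accumulates 20 probes inside one window and stays silent; raising the port scan threshold to 300 removes the port scan event as well, which is the trade-off the threshold procedures describe.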

Disabling Detection of Brute-Force Attacks (Web UI)


IPS detection of brute-force attacks is enabled by default, and there is no global setting that disables it. Instead,
you disable the brute-force detection rules in an IPS policy: edit the custom IPS policy and clear all IPS rules that
detect brute-force attacks.

Prerequisites

• Log in to the Web UI of the IPS-enabled appliance as Operator or Admin.

• Choose a custom IPS policy to use. If you need to configure a new policy for this purpose, use one of the
  following topics:

  • Creating a Custom IPS Policy (CLI)
  • Cloning an IPS Policy
  • Editing an IPS Policy

• (Recommended) If the policy you want to edit is applied to appliance monitoring interfaces, remove the policy
  from the interfaces.

Procedure

To disable detection of brute-force attacks:


1. Open the Settings > IPS page.

In the following example, FireEye_Default is applied to monitoring interface A.

2. Click Edit for the custom policy you want to edit, or click Clone and Edit to edit a clone of a default policy.

3. In the Search Rules text box, type brute.

4. Click Search Rules.

5. Use the checkboxes (   ) in the Enabled column to specify which IPS brute-force rules are enforced.

• Clear all options to disable the rules.
• Select all options to enable the rules.
• Select only the options for IPS brute-force rules you want to apply.

6. Click Save Custom Policy.

7. If the New Policy Name text box appears, enter a name for the new policy and then click Save.

8. Select the monitoring interface to which you want to apply the policy.

9. Click Apply Policy.

10. Click Done.

Suppressing an IPS Brute-Force Rule (Web UI)


You can suppress an IPS brute-force rule.

Prerequisites

• Log in to the Web UI of the IPS-enabled appliance as Analyst or Admin.

Procedure

To suppress an IPS rule for brute-force attacks:


1. Go to the IPS Events page.

2. Locate the brute-force event entry type to suppress. See Showing Brute-Force Events (Web UI).

3. Make note of the name of the IPS rule that detected these brute-force events. The rule name is displayed in the
Rule field.

4. Click the gold triangle (   ) in the second column.

5. In Blocking Action section, locate the drop-down menu to the left of the name of the IPS brute-force rule you
want to suppress.

6. Select Suppress.

7. Click Commit.

IPS Event and Alert Management
This section describes operations you can perform on IPS events or IPS alerts.

IPS Event Notifications
IPS Event Acknowledgment

IPS Event Notifications
In addition to displaying IPS events and IPS alerts in the IPS Events page of the Web UI, you can configure the
platform to send FireEye notifications for IPS events. IPS event notifications contain the following information:

• Date and time of the event
• IPS rule name
• Common Vulnerabilities and Exposures (CVE) ID (if the IPS rule is associated with a CVE vulnerability)
• Client or server attack target
• Blocking action taken

Event Notification Methods and IPS Event Severity Levels


You can enable IPS event notification using any of the FireEye notification services that are enabled and configured
for the base NX Series platform. The platform sends IPS alert notifications to remote syslog servers for all severity
levels. For all other event notification methods, the system sends alert notifications for critical IPS events or for IPS
alerts (MVX-correlated IPS events).

Method    FireEye Event Notification Method                        Criteria for IPS Event Notification
rsyslog   Log notification messages to remote syslog servers.      All severities: Minor (1-3), Major (4-6), Critical (7-10)
email     Send notification email messages using SMTP.             Critical severity or MVX-correlated
http      Post notification messages to Web servers using HTTP.    Critical severity or MVX-correlated
snmp      Send traps to SNMP servers.                              Critical severity or MVX-correlated

Configuration details are provided in the Setting Up IPS section of this guide. See Configuring How IPS Event
Notifications Are Sent.

Delivery Modes for IPS Event Notifications


If IPS event notifications are configured, the system uses one of the following delivery modes:

• instant—Send notification only when an IPS event is detected. This is the default value.
• confirmation—Send notification only if an IPS event is verified to be either an IPS alert or not an attack.
• dual—Send notifications both when an IPS event is detected and when an attack has been confirmed.

By default, the system is configured to use instant delivery mode, which is useful in an organization that archives
notifications and then filters and analyzes the information later. When you first activate IPS features, we recommend
that you use dual mode so that you see both detection and confirmation of IPS events. If your organization does not
archive the volume of notifications generated in this mode, you can decrease the volume of notifications by using
confirmation mode.

Configuration details are provided in the Setting Up IPS section of this guide. See Configuring When IPS Event
Notifications Are Sent.
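
The method criteria in the table above and the three delivery modes can be expressed as a small dispatch policy, which also makes the volume difference between the modes visible. The following Python is an added example, not FireEye code: the event fields, the stage names detected and confirmed, and the constructed event stream are assumptions; the severity bands, the rsyslog rule, and the severity-8 test-fire rule name are taken from this section.

```python
RSYSLOG, EMAIL, HTTP, SNMP = "rsyslog", "email", "http", "snmp"
ALL_METHODS = (RSYSLOG, EMAIL, HTTP, SNMP)


def severity_band(severity):
    """Severity bands from the table above: 1-3 minor, 4-6 major, 7-10 critical."""
    if not 1 <= severity <= 10:
        raise ValueError(f"IPS severity out of range: {severity}")
    if severity <= 3:
        return "minor"
    return "major" if severity <= 6 else "critical"


def methods_for(event, enabled=ALL_METHODS):
    """Enabled methods that fire for one event: rsyslog at every severity, the
    others only for critical severity or MVX-correlated alerts."""
    broad = severity_band(event["severity"]) == "critical" or event.get("mvx_correlated", False)
    return [m for m in enabled if m == RSYSLOG or broad]


def notify_at(mode, stage):
    """Delivery-mode gate.  stage is 'detected' (event seen) or 'confirmed'
    (verified as an alert or as not an attack)."""
    if mode == "instant":
        return stage == "detected"
    if mode == "confirmation":
        return stage == "confirmed"
    if mode == "dual":
        return True
    raise ValueError(f"unknown delivery mode: {mode}")


def dispatch(stream, mode, enabled=ALL_METHODS):
    """Replay a (stage, event) stream and return the (method, stage, rule)
    triples that would be sent under the given delivery mode."""
    return [(m, stage, ev["rule"])
            for stage, ev in stream if notify_at(mode, stage)
            for m in methods_for(ev, enabled)]


def sample_stream():
    """Constructed events, not appliance output: a minor event, a critical one,
    a major event later confirmed by MVX, and the severity-8 test-fire event."""
    minor = {"rule": "EXAMPLE-MINOR", "severity": 2, "mvx_correlated": False}
    critical = {"rule": "EXAMPLE-CRITICAL", "severity": 9, "mvx_correlated": False}
    major = {"rule": "EXAMPLE-MAJOR", "severity": 5, "mvx_correlated": False}
    test_fire = {"rule": "IPS-TEST-FIRE: Malicious PDF Downloaded", "severity": 8,
                 "mvx_correlated": False}
    return [("detected", minor), ("detected", critical), ("detected", major),
            ("confirmed", dict(major, mvx_correlated=True)), ("detected", test_fire)]


def volume_by_mode(stream=None):
    """Notification count per delivery mode, to show the volume trade-off."""
    stream = stream if stream is not None else sample_stream()
    return {mode: len(dispatch(stream, mode)) for mode in ("instant", "confirmation", "dual")}


if __name__ == "__main__":
    print(volume_by_mode())  # instant: 10, confirmation: 4, dual: 14
    print(dispatch(sample_stream(), "confirmation"))
```

On the sample stream, instant mode sends ten notifications (the minor and major events reach only rsyslog, the critical and test-fire events reach all four methods), confirmation mode sends only the four for the MVX-confirmed major event, and dual mode sends both sets; that is the reduction the text suggests when an organization cannot archive dual-mode volume.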

Test-Fire Events for IPS Event Notification Testing


You can test your configuration of IPS event notifications by using the test-fire feature for FireEye event notifications.
The platform generates an IPS event of severity level 8, which should trigger event notifications for all notification
methods configured on the platform.

• After you initiate an IPS test-fire event, the event appears in the IPS Events page for approximately 5 minutes
  before it disappears from the page display and the events database. IPS test-fire events are listed with the rule
  name IPS-TEST-FIRE: Malicious PDF Downloaded.

• If a configured notification method (email, HTTP, rsyslog, or SNMP) fails, correct the notification settings, and
  then repeat the test.

Testing details are provided in the Setting Up IPS section of this guide. See Testing IPS Event Notifications.

IPS Event Acknowledgment
This topic covers the following information:

• About IPS Event Acknowledgment
• Acknowledging All Retrieved IPS Events (Web UI)
• Acknowledging All IPS Events in a Page (Web UI)
• Acknowledging Individual IPS Events in a Page (Web UI)
• Showing or Hiding Acknowledged IPS Events (Web UI)

About IPS Event Acknowledgment


You can acknowledge IPS event entries so that they do not appear in the default viewing mode of the IPS Events
page.

Acknowledged IPS events are not reflected in the statistics that appear on the right side of the control bar:

• # of rows—Number of entries in the IPS Events list.
• # IPS Events—Number of individual IPS events or alerts represented by the entries.
• # MVX Correlated—Number of individual IPS events that are MVX-correlated alerts.

Acknowledged IPS events are not reflected in the What's Happening panel of the Dashboard. For more
information, see Dashboard > What's Happening.

NOTE: You cannot undo the acknowledgment of an IPS event entry.

To include all acknowledged event entries again, select the Show ACK Events option near the center of the control
bar. In the second column, a green triangle (   ) indicates that the entry represents a group of acknowledged IPS
events.

To view the details for a group of acknowledged IPS events, click the green triangle (   ) in the second column.

NOTE: You cannot acknowledge IPS brute-force events or reconnaissance events.

If you are managing your IPS-enabled appliance from a CM Series appliance, you can acknowledge IPS events
locally at the NX Series appliance or remotely from the CM Series appliance. If you acknowledge IPS events locally,
the updated acknowledgment information is aggregated at the CM Series appliance. However, if you acknowledge
IPS events remotely, the updated acknowledgment information is aggregated at the CM Series appliance but is not
pushed to the NX Series appliance you updated.

Acknowledging All Retrieved IPS Events (Web UI)


You can acknowledge all IPS event and alert entries retrieved for display in the IPS Events page, including entries
not visible on the current page.

NOTE: You cannot undo the acknowledgment of an IPS event entry.

Prerequisites

• Log in to the IPS-enabled appliance as Admin.

Procedure

1. Go to the IPS Events page.

2. (Optional) To change the entries retrieved, use any of the following options in the control bar:

• Results per page
• Duration (consists of the From field and the Going Back field)
• Show Recon & Brute-Force Events

3. (Optional) To filter the entries retrieved, use any of the following Show / Hide Filters options in the heading
row. For a description of each field, see IPS Events Page.

• Victim IP
• Attacker IP
• CVE-ID
• Severity
• # IPS Events
• Rule
• Category
• Protocol
• Badges

4. Select the checkbox (   ) in the leftmost column of the list heading row.

All entries visible on the page are selected.

If you want to unselect all entries visible on the current page, clear the checkbox in the heading row.

5. Click Select All Acknowledgeable Events.

All entries retrieved (including entries not visible on the current page) are selected.

If you want to unselect all entries not visible in the current page, click Clear All.

If you want to unselect all entries visible on the current page, clear the checkbox in the leftmost column of the
list heading row.

6. To acknowledge all selected entries, click Acknowledge.

The list refreshes. If Show Ack Events (located near the center of the control bar) is not selected, the
acknowledged entries no longer appear anywhere in the IPS Events pages.

Acknowledging All IPS Events in a Page (Web UI)


You can acknowledge all IPS event and alert entries visible on the current view of the IPS Events page.

NOTE: You cannot undo the acknowledgment of an IPS event entry.

Prerequisites

• Log in to the IPS-enabled appliance as Admin.

Procedure

1. Go to the IPS Events page.

2. (Optional) To change the entries retrieved, use any of the following options in the control bar:

• Results per page
• Duration (consists of the From field and the Going Back field)
• Show Recon & Brute-Force Events

3. (Optional) To filter the entries retrieved, use any of the following Show / Hide Filters options in the heading
row. For a description of each field, see IPS Events Page.

• Victim IP
• Attacker IP
• CVE-ID
• Severity
• # IPS Events
• Rule
• Category
• Protocol
• Badges

4. Go to the page of entries you want to acknowledge.

5. Select the checkbox (   ) in the leftmost column of the list heading row.

All entries visible on the current page are selected.

If you want to unselect all entries visible on the current page, clear the checkbox in the heading row.

6. To acknowledge all selected entries, click Acknowledge.

The list refreshes. If Show Ack Events (located near the center of the control bar) is not selected, the
acknowledged entries no longer appear anywhere in the IPS Events pages.

Acknowledging Individual IPS Events in a Page (Web UI)


You can acknowledge individual IPS event entries in the currently displayed page of the list.

You cannot undo the acknowledgment of an IPS event entry. For more information, see About IPS Event
Acknowledgment.

Prerequisites

l Log in to the IPS-enabled appliance as Admin.




Procedure

1. Go to the IPS Events page.

2. (Optional) To change the entries retrieved, use any of the following options in the control bar:

l Results per page
l Duration (Consists of the From field and the Going Back field.)
l Show Recon & Brute-Force Events

3. (Optional) To filter the entries retrieved, use any of the following Show / Hide Filters options in the heading
row. For a description of each field, see IPS Events Page.

l Victim IP
l Attacker IP
l CVE-ID
l Severity
l # IPS Events
l Rule
l Category
l Protocol
l Badges

4. Go to the page of entries you want to acknowledge.

5. Select the checkbox in the leftmost column of the list heading row.

All entries visible on the current page are selected.

If you want to unselect all entries visible on the current page, clear the checkbox in the heading row.




6. Clear selections until only the entries you want to acknowledge remain selected.

7. To acknowledge all selected entries, click Acknowledge.

The list refreshes. If Show Ack Events (located near the center of the control bar) is not selected, the
acknowledged entries no longer appear anywhere in the IPS Events pages.

Showing Acknowledged IPS Events (Web UI)


You can show or hide acknowledged IPS events and alerts on the IPS Events page. Acknowledged IPS events are
hidden by default. When you include acknowledged IPS events, a green triangle appears in the second column in place
of the gold triangle to indicate that the entry represents a group of acknowledged IPS events.




Prerequisites

l Log in to the Web UI of the IPS-enabled appliance as Monitor, Analyst, or Admin.

Procedure

To show acknowledged IPS events and alerts:


1. Open the IPS Events page.

2. Select Show ACK Events near the center of the control bar.

The list refreshes to include acknowledged IPS events. In the second column, a green triangle indicates
that the entry represents a group of acknowledged IPS events.




3. To view the details for a group of acknowledged IPS events, click the green triangle in the second column.

4. To collapse the details, click the green triangle again.






IPS Policies
This section describes IPS policies and their attributes.

About IPS Policies 118

Attributes of IPS Policies 120

Settings > IPS Page 124

Settings > IPS > Policy Editor Page 126

Displaying the Attributes of an IPS Policy (CLI) 129

Displaying Details About IPS Policies Applied to Monitoring Interfaces (CLI) 130




About IPS Policies
This topic covers the following information:

l Overview of IPS Policies

l Default IPS Policies

l Custom IPS Policies

Overview of IPS Policies


An IPS policy is a named set of criteria for selecting IPS rules from the database of an IPS-enabled platform. The
platform includes a set of default IPS policies, and you can configure custom IPS policies.

l You activate an IPS policy by applying it to monitoring interfaces on your appliance. If your appliance has more
than one monitoring interface, you can apply an IPS policy to each interface separately.

l While an IPS policy is active, the monitoring interface to which the policy is applied is also said to be active.

When you apply an IPS policy to a monitoring interface, the IPS-enabled rules engine uses the policy-selected IPS
rules to analyze the network traffic traversing the interface. When the rules engine matches a traffic flow to an active
IPS rule, the platform generates an IPS event. If a client-targeted IPS event is found to correlate with MVX-verified
malware attacks detected by standard NX Series features, the platform generates an IPS alert for the IPS event.

If no IPS policies are active on an IPS-enabled platform, the appliance uses only standard NX Series content rules
to analyze traffic passing through the monitoring interfaces. Threat protection for that traffic is limited to detection of
HTTP-based malware attacks directed at client machines.

Default IPS Policies


An IPS-enabled system provides default policies that cover all basic use cases. You cannot modify or delete these
policies. Default IPS policies specify criteria for selecting IPS rules that detect threats that target a specific type of
host (client machine, server machine, or both) and that fall within a specific range of attack severity levels (on a scale
from 1 through 10).

The following list shows the default IPS policies and each policy's rule-selection attributes (attack-target,
min-severity, and max-severity).

Comprehensive
Selects both client-centric and server-centric rules, regardless of the attack severity level.
attack-target: client, server; min-severity: 1; max-severity: 10

Default_Client_Protection
Selects client-centric rules with an attack severity level of 7 or higher.
attack-target: client; min-severity: 7; max-severity: 10

Default_Server_Protection
Selects server-centric rules with an attack severity level of 7 or higher.
attack-target: server; min-severity: 7; max-severity: 10

FireEye_Default
Selects both client-centric and server-centric rules with an attack severity level of 7 or higher.
attack-target: client, server; min-severity: 7; max-severity: 10

The default IPS policies are typically sufficient for your initial baselining. If you want to refine the IPS rule-selection
criteria, you can use custom IPS policies.




Custom IPS Policies


Depending on the vulnerabilities of your network and the types of network threats received, certain IPS rules or
types of rules might not be critical to the security of your environment. To reduce the incidence of events generated
by noisy IPS rules, you can configure custom policies that fine-tune the rule selection criteria.

You must specify values for the attack target type and the range of attack severity levels. You can configure optional
criteria based on attack category, attack subcategory, and the protocol used as the attack vector. You can also
configure optional rule exclusions and rule inclusions based on signature ID.




Attributes of IPS Policies


An IPS policy is composed of three classes of attributes:

l Policy State Attributes

l Rule Match Attributes

l Rule Exclusion and Inclusion Attributes (Custom IPS Policies Only)

Policy State Attributes


State attributes describe the current state of a default or custom IPS policy:

l active—Indicates whether the IPS policy is active on one or more monitoring interfaces.

l writable—Indicates whether the IPS policy is configurable. Only custom IPS policies are configurable.

l modified_date—Date and time at which the IPS policy was last modified.

l version—IPS policy format internal version number.

Policy state attributes are inherent to every IPS policy, and they are maintained by the system. Policy state attributes
are not used to select IPS rules, and they are not directly configurable. For more information about policy state
attributes, see the show ips policies CLI command description.

Rule Match Attributes


When you apply an IPS policy to a monitoring interface, the system selects from its database the IPS rules whose
attributes match those specified by the policy. For more information, see Editing the Rule Match Attributes of an IPS
Policy (CLI).

Required Rule Match Attributes


The system requires that IPS policies include the following rule match attributes. Default IPS policies contain fixed
combinations of the required rule match attributes only. You can create custom IPS policies that specify any valid
settings for these attributes.

attack-target
The policy matches vulnerabilities or IPS rules oriented toward client systems, server systems, or both:
l client—Matches rules oriented toward client systems.
l server—Matches rules oriented toward server systems.

min-severity
The policy matches vulnerabilities or IPS rules that cover attacks of the specified severity level or greater.
Range: 1 through 10.

max-severity
The policy matches vulnerabilities or IPS rules that cover attacks of the specified severity level or less.
Range: 1 through 10.




Optional Rule Match Attributes


Custom IPS policies can include optional rule match attributes.

category
The policy matches vulnerabilities or IPS rules that cover attacks of the specified attack category:
l brute_force
l command_execution
l cross-site_scripting
l denial_of_service
l directory_traversal
l exploit
l policy_bypass
l reconnaissance
l other

subcategory
If a category match attribute is specified, you can narrow the category match to rules that cover the specified
type of attack subcategory.
brute_force subcategories:
l telnet-bf
l ftp-bf
l vnc-bf
l mysql-bf
l smb-bf
l rsh-bf
l postgresql-bf
l rlogin-bf

command_execution subcategories:
l input_validation_error
l directory_traversal

cross-site_scripting subcategories:
l input_validation_error
l other

denial_of_service subcategories:
l input_validation_error
l resource_exhaustion
l other

directory_traversal subcategories:
l information_disclosure
l input_validation_error




exploit subcategories:
l code_execution
l command_execution
l command_injection
l design_weakness
l directory_traversal
l information_leakage
l input_validation_error
l other

policy_bypass subcategories:
l authentication_weakness

reconnaissance subcategories:
l authentication_weakness
l information_disclosure
l other

other subcategories:
l pingsweep
l tcp_portscan
l udp_portscan

protocol
The policy matches vulnerabilities or IPS rules related to the specified network protocols. For protocols that
use encryption, the IPS-enabled rules engine inspects the initial negotiation messages only. At the time of
this software release, IPS rules detect threats that exploit the following protocols:
AgentX, Arkeia Network Backup Client, Autonomy Connected Backup, Avaya WinPDM,
BakBone NetVault, BigAnt Server, Blue Coat BCAAA, CA ARCserve, CA eTrust, CA License,
CA Products, CA Products Discovery Service, Cisco UCM, Citrix, CUPS, CVS, DCE-RPC, DHCP,
Digium Asterisk, DNS, EMC, eSignal, Ethereal, Flexera FlexNet manager, FTP,
Fujitsu SystemcastWizard, GAIM, Ganglia Meta Daemon, GDS DB, GE Proficy, GIMP, GIOP,
HP Data Protector, HP Intelligent Mgmt Center, HP LeftHand Virtual SAN, HP Mercury,
HP OpenView, HP Operations Agent, HP StorageWorks, HTTP, http, IAX2, IBM DB2, IBM Director,
IBM SolidDB, IBM Tivoli, ICQ, IEC 61131, IMAP, Intellicom NetBiter Config, IPSwitch WS_FTP,
IRC, ISAKMP, iSCSI, KADM5, Kerberos, KPASSWD, LANDesk Management Suite, LDAP, LLMNR, LPD,
McAfee ePO, Microsoft TMG, MMS, MS Host Integration Server, MSN Messenger, NCP, NDMP,
NetBIOS, NFS, NMAP, NNTP, Novell Netware, Novell ZENworks, NTP, Oracle WebLogic, POP3,
Portmap, Quest Software Big Brother, RADIUS, RAW, RDP, RIM BlackBerry Server, RMI, RPC, RSH,
RTMP, RTSP, sadmind, SADMIND, SAP MaxDB, SAP NetWeaver, SCADA, Siemens SIMATIC WinCC, SIP,
SKINNY, SMS, SMTP, SNMP, SOCKS, SpamAssassin, SQL, Squid Proxy, SSH, Symantec, TDS, Telnet, TFTP,
Timbuktu, TLS, TNS, TrendMicro, Trillian IM, Unisys BIS, VMware, VNC, WCCP, WHO, WINS,
Yahoo Messenger, and Zend Technologies Zend Server.
NOTE: This list is dynamic and subject to expansion as the FireEye Research Labs team discovers new
vulnerabilities and responds by updating threat detection algorithms and delivering new IPS rules.




Rule Exclusion and Inclusion Attributes


Custom IPS policies can include rule exclusion and inclusion attributes. Include these attributes if you want the
policy to exclude or include individual IPS rules when selecting rules from its database. Rule exclusion and
inclusion attributes override the rule selection made by the rule match attributes.

exclude
Exclude the IPS rule that contains the specified signature ID. This attribute overrides the match attributes of
the policy.

include
Include the IPS rule that contains the specified signature ID.

For more information, see Editing the Rule Inclusion and Exclusion Attributes of IPS Policy (CLI) and Excluding
Rules or Overriding the Actions of Rules Selected by an IPS Policy (Web UI).
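The selection semantics described in this topic (required and optional rule match attributes, then exclusion and inclusion overrides by signature ID) and the "x enabled | y blocked" counts of the Policy Editor page can be modelled in a few dozen lines. The following is an added example, not FireEye code: the Rule and Policy classes, the rule records and the signature IDs are constructed for illustration, and the four default policies are expressed from the values in the table above.

```python
"""Model of how an IPS policy selects rules from the rule database.

Added example, not FireEye code: rule records, signature IDs and policy
objects are constructed to illustrate the selection semantics the guide
describes (match attributes first, then include/exclude overrides).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    sig_id: int
    attack_target: str      # "client" or "server"
    severity: int           # 1 through 10
    category: str
    subcategory: str
    protocol: str
    blocks: bool = False    # the rule definition itself blocks matched traffic


@dataclass
class Policy:
    name: str
    attack_target: Set[str]                   # required: client, server, or both
    min_severity: int = 1                     # required, 1 through 10
    max_severity: int = 10                    # required, 1 through 10
    category: Optional[str] = None            # optional match attributes
    subcategory: Optional[str] = None
    protocol: Optional[str] = None
    include: Set[int] = field(default_factory=set)      # signature IDs forced in
    exclude: Set[int] = field(default_factory=set)      # signature IDs forced out
    force_block: Set[int] = field(default_factory=set)  # Policy Editor "Block" override

    def __post_init__(self) -> None:
        if not self.attack_target or not self.attack_target <= {"client", "server"}:
            raise ValueError("attack-target must be client, server, or both")
        if not 1 <= self.min_severity <= self.max_severity <= 10:
            raise ValueError("severity range must satisfy 1 <= min <= max <= 10")
        if self.subcategory and not self.category:
            raise ValueError("subcategory requires a category match attribute")
        if self.include & self.exclude:
            raise ValueError("a signature ID cannot be both included and excluded")


def matches(policy: Policy, rule: Rule) -> bool:
    """True when the rule satisfies every rule match attribute of the policy."""
    return (rule.attack_target in policy.attack_target
            and policy.min_severity <= rule.severity <= policy.max_severity
            and (policy.category is None or rule.category == policy.category)
            and (policy.subcategory is None or rule.subcategory == policy.subcategory)
            and (policy.protocol is None or rule.protocol == policy.protocol))


def select_rules(policy: Policy, database: List[Rule]) -> List[Rule]:
    """Rules the policy activates: match attributes decide first, then the
    include list adds rules and the exclude list removes them regardless of
    the match outcome (exclusion and inclusion override matching)."""
    chosen = [r for r in database
              if r.sig_id not in policy.exclude
              and (r.sig_id in policy.include or matches(policy, r))]
    return sorted(chosen, key=lambda r: r.sig_id)


def summary(policy: Policy, database: List[Rule]) -> Tuple[int, int]:
    """The 'x enabled | y blocked' counts shown at the top of the Policy Editor."""
    selected = select_rules(policy, database)
    blocked = [r for r in selected if r.blocks or r.sig_id in policy.force_block]
    return len(selected), len(blocked)


# Constructed rule database; the signature IDs are placeholders, not real rules.
DATABASE = [
    Rule(85300001, "client", 9, "exploit", "code_execution", "HTTP", blocks=True),
    Rule(85300002, "client", 4, "cross-site_scripting", "input_validation_error", "HTTP"),
    Rule(85300003, "server", 8, "exploit", "command_injection", "SNMP"),
    Rule(85300004, "server", 2, "reconnaissance", "information_disclosure", "SNMP"),
    Rule(85300005, "server", 10, "denial_of_service", "resource_exhaustion", "DNS", blocks=True),
    Rule(85300006, "client", 7, "brute_force", "ftp-bf", "FTP"),
]

# The four default policies from the guide, expressed in this model.
COMPREHENSIVE = Policy("Comprehensive", {"client", "server"}, 1, 10)
DEFAULT_CLIENT = Policy("Default_Client_Protection", {"client"}, 7, 10)
DEFAULT_SERVER = Policy("Default_Server_Protection", {"server"}, 7, 10)
FIREEYE_DEFAULT = Policy("FireEye_Default", {"client", "server"}, 7, 10)

# A custom policy shaped like the CLI walkthrough (server, min-severity 3,
# protocol SNMP) plus one exclusion and one inclusion that override matching.
CUSTOM = Policy("myCustom1", {"server"}, 3, 10, protocol="SNMP",
                include={85300006}, exclude={85300003}, force_block={85300006})

if __name__ == "__main__":
    for p in (COMPREHENSIVE, DEFAULT_CLIENT, DEFAULT_SERVER, FIREEYE_DEFAULT, CUSTOM):
        ids = [r.sig_id for r in select_rules(p, DATABASE)]
        print(f"{p.name:26} rules={ids} enabled/blocked={summary(p, DATABASE)}")
```

The CUSTOM policy shows the override order that matters when tuning noisy rules: 85300003 matches every attribute (server, severity 8, SNMP) but is dropped by the exclude list, while 85300006 matches nothing (client, FTP) and is still activated by the include list.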




Settings > IPS Page
This topic covers the following information:

l About the Settings > IPS Page

l Table of Policies and Interfaces

l Other Fields and Options

About the Settings > IPS Page


In the Web UI of an IPS-enabled platform, you can use the Settings > IPS page to perform the following operations:

l Import or export custom IPS rules

l Manage IPS policies and monitoring interfaces

l Enable or disable the Auto Add Rules feature

l Enable or disable detection of IPS reconnaissance or brute-force attacks

In the following example, FireEye_Default is applied to monitoring interface A.

Table of Policies and Interfaces


For each IPS policy defined on the platform, the table displays the following information:

Policy Name
Names of the default IPS policies and custom IPS policies you have defined.




Auto Add Rules
Status of the IPS rules automatic addition feature. This feature applies to active IPS policies only.

Active on Interface
The monitoring interfaces on which the policy is active.

Rules Enabled
Total number of IPS rules selected by the policy.

Actions
Actions you can take on any IPS policy:
l Apply Policy—(If policy is inactive) Apply to a monitoring interface.
l Apply Policy to another Interface—(If policy is already active) Apply to a monitoring interface.
l Remove Policy from Interface—Remove from the monitoring interfaces.

Actions you can take on default IPS policies only:


l Clone and Edit—Create a custom IPS policy based on a clone of this default IPS policy.

Actions you can take on custom IPS policies only:


l Clone—Clone a custom policy, edit the attributes, save it as a new policy, and apply it to an interface.
l Edit—Edit the attributes of a custom IPS policy and optionally apply it to a monitoring interface.
l Clone and Edit—Clone a default policy, edit the attributes, save it as a new policy, and apply it to an
interface.
l Delete—Delete custom policy.

For information about the Web UI page used to edit IPS policies, see Settings > IPS > Policy Editor Page.

Other Fields and Options


Import Custom Rules
Click to import, download, or delete custom IPS rules. For more information, see IPS Rules Based on
Custom Signatures.

Remove Policies from All Interfaces


Click to remove all IPS policies from monitoring interfaces. For more information, see Removing All IPS
Policies from Monitoring Interfaces.

Auto Add Rules Status


To toggle the status (ON or OFF) of automatic addition of new IPS rules to active interfaces, click Change.
See Managing Auto-Addition of New IPS Rules to Active Interfaces.

Recon Status
To toggle the status (ON or OFF) of IPS detection of reconnaissance activity, click Change. For more
information, see IPS Detection of Reconnaissance Activity.




Settings > IPS > Policy Editor Page
This topic covers the following information:

l About the Settings > IPS > Policy Editor Page

l Display Fields in the Policy Editor Page

l Policy Editor Table

l Other Fields and Options

About the Settings > IPS > Policy Editor Page


You can use the Settings > IPS > Policy Editor page to edit a custom IPS policy. You open this page by clicking
one of the following IPS policy action links in the Settings > IPS page:

l Clone or Clone and Edit—For a custom or default policy, click this link to create a clone, edit the clone, save
the clone as a custom policy, and optionally apply the new policy to monitoring interfaces.

l Edit—For a custom IPS policy, click this link to edit the policy and then optionally apply the updated policy to
monitoring interfaces.

The following example shows the Policy Editor page for a clone of the FireEye_Default policy:




You can perform the following operations in the Policy Editor page:

l Filter the IPS rules displayed.

l Enable or disable individual IPS rules matched by the policy.

l Enable or disable forced blocking for an IPS rule matched by the policy.

l Save your changes and optionally apply the policy to monitoring interfaces.

These operations are described in Editing an IPS Policy. The remainder of this topic provides an overview of the
elements in the Policy Editor page.

Display Fields in the Policy Editor Page


policyName
If you are editing a custom policy, the policy name appears at the top of the page.

x enabled | y blocked
Displays summary counts of the rules selected by the policy:
l x—Number of active rules.
l y—Number of active rules that block malicious traffic (by rule definition or policy override).

Current match rules


Displays the match criteria configured for the policy:

l Severity range—Minimum and maximum attack severity levels covered by the vulnerabilities or IPS
rules matched by the policy.

l Attack target list—Protection orientation of the matched rules: client, server, or both.

Policy Editor Table


The table has a row for every IPS rule selected by the IPS policy match criteria (severity range and attack target
types).

Enabled

This option is selected if the rule is enabled for the IPS policy you are viewing.

Rule Name
Name of an IPS rule in the appliance's IPS rules database.

Custom Rule

l yes—The rule is a custom IPS rule.


l no—The rule is a default IPS rule.

Category
Threat category detected by the rule. For more information about this optional rule-match attribute, see
Attributes of IPS Policies.




Severity
Threat severity level covered by the rule. For more information about this required rule-match attribute, see
Attributes of IPS Policies.

Direction
Orientation of threats detected by the rule:
l to_client
l from_server
l both

CVE (Reference ID)
Identification number of the Common Vulnerabilities and Exposures (CVE) database entry that describes
the vulnerability covered by the rule.

Protocol
Network protocol used by the threat detected by the rule. For more information about this optional rule-
match attribute, see Attributes of IPS Policies.

Block
This option is selected if the rule is forced to block matched traffic for the IPS policy you are viewing.

Other Fields and Options


Search Rules
Filters the list of IPS rules for entries that match the text string you specify. Searches the Rule Name and
CVE fields.

Save Custom Policy
Saves your configuration changes.




Displaying the Attributes of an IPS Policy (CLI)


At the CLI of an IPS-enabled platform, you can display the attributes of a default or custom IPS policy by using the
show ips policies command. The command output displays policy state attributes, rule selection attributes, rule
exclusion attributes, and rule inclusion attributes.

Prerequisites

l Log in to the CLI of the IPS-enabled appliance as Monitor, Analyst, Operator, or Admin.

Procedure

1. Enter CLI enable mode.

hostname > enable
hostname #

2. Display the attributes of an IPS policy.

The following example displays the attributes of the custom IPS policy named myCustom1.

hostname # show ips policies myCustom1

Policy attributes :
active : no
writable : yes
modified_date : 2014/09/25 10:24:48
version : 9

Match attributes of policy :
attack-target : client
min-severity : 5
max-severity : 10

Inclusion list for policy :
85301782

Exception list for policy :
8530001,8530050

Fingerprint of policy :
2014/09/25 10:24:48 | 287fd1bda05326809e195cccf5e9798c
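The sectioned output above is easy to capture and diff, and because every attribute edit changes the policy fingerprint (compare the fingerprints in Editing the Rule Match Attributes of an IPS Policy (CLI)), comparing two captures is a cheap way to detect policy drift between audits. The following parser is an added example, not a FireEye tool: the two sample captures are constructed from the values the guide shows for myCustom1 before and after its match and rule-list edits, the section names are taken from the output layout shown in this guide, and nothing here connects to an appliance.

```python
"""Parse `show ips policies` output and detect drift between two snapshots.

Added example, not FireEye tooling: the two samples below are constructed
to mirror the layout the guide shows for the myCustom1 walkthrough (before
and after the match and rule-list edits); nothing here talks to an appliance.
"""
import re
from typing import Optional

POLICY_BEFORE = """\
Policy attributes :
active : no
writable : yes
modified_date : 2014/09/26 09:51:36
version : 1
Match attributes of policy :
attack-target : client
attack-target : server
min-severity : 1
max-severity : 10
Fingerprint of policy :
2014/09/26 09:51:36 | 791c1c0bcd3b604630616acac14a96b1
"""

POLICY_AFTER = """\
Policy attributes :
active : yes
writable : yes
modified_date : 2014/09/26 11:40:21
version : 4
Match attributes of policy :
protocol : SNMP
attack-target : server
min-severity : 3
max-severity : 10
Inclusion list for policy :
85300002,85300003
Exception list for policy :
85300001
Fingerprint of policy :
2014/09/26 11:40:21 | 30b14d7ea2ddcae7ccdc6b41ff2c6110
"""

# Section headers as printed by the command (trailing " :" is stripped first).
SECTIONS = {"Policy attributes": "state", "Match attributes of policy": "match",
            "Inclusion list for policy": "include", "Exception list for policy": "exclude",
            "Fingerprint of policy": "fingerprint"}
FINGERPRINT_RE = re.compile(r"^(\S+ \S+) \| ([0-9a-f]{32})$")


def parse_policy(text: str) -> dict:
    """Section headers switch context; key : value lines go into the current
    section, and a repeated key (two attack-target lines) becomes a list."""
    policy: dict = {"state": {}, "match": {}, "include": [], "exclude": [], "fingerprint": None}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = line.rstrip(" :")
        if header in SECTIONS:
            section = SECTIONS[header]
        elif section == "fingerprint":
            m = FINGERPRINT_RE.match(line)
            if not m:
                raise ValueError(f"unexpected fingerprint line: {line!r}")
            policy["fingerprint"] = (m.group(1), m.group(2))  # (timestamp, digest)
        elif section in ("include", "exclude"):
            policy[section] += [int(x) for x in line.split(",")]
        elif section in ("state", "match"):
            key, _, value = (s.strip() for s in line.partition(":"))
            bucket = policy[section]
            if key in bucket:  # second attack-target line
                prev = bucket[key]
                bucket[key] = (prev if isinstance(prev, list) else [prev]) + [value]
            else:
                bucket[key] = value
        else:
            raise ValueError(f"line outside any known section: {line!r}")
    return policy


def policy_changed(before: dict, after: dict) -> bool:
    """Fingerprint comparison is the cheap drift check: any attribute edit
    yields a new fingerprint, so equal digests mean an unchanged policy."""
    return before["fingerprint"][1] != after["fingerprint"][1]


def diff_match(before: dict, after: dict) -> dict:
    """Attribute-level view of what changed in the match attributes,
    as {key: (old, new)}; absent attributes appear as None."""
    keys = set(before["match"]) | set(after["match"])
    return {k: (before["match"].get(k), after["match"].get(k))
            for k in sorted(keys) if before["match"].get(k) != after["match"].get(k)}


if __name__ == "__main__":
    b, a = parse_policy(POLICY_BEFORE), parse_policy(POLICY_AFTER)
    print("changed:", policy_changed(b, a), diff_match(b, a))
    print("include:", a["include"], "exclude:", a["exclude"])
```

Store one capture per policy alongside the change ticket that authorised it; a fingerprint that differs from the stored one at the next review is a policy edit that needs to be accounted for.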




Displaying Details About IPS Policies Applied to Monitoring Interfaces (CLI)
To display details about monitoring interfaces associated with IPS policies, use the show ips interfaces command
in enable mode. For each active monitoring interface, the command output displays the name of the IPS policy
applied and the number of active IPS rules.

Prerequisites

l Log in to the CLI of the IPS-enabled platform as Operator or Admin.

Procedure

To display the IPS policies applied to monitoring interfaces:


1. Enter CLI configuration mode.

hostname > enable
hostname # configure terminal
hostname (config) #

2. Display the appliance interfaces and the current application of IPS policies to monitoring interfaces.

In the following example, the appliance has two monitoring interfaces. The default IPS policy Comprehensive is
active on interface A, and the custom IPS policy myCustom1 is active on interface B.

hostname # show ips interfaces

Interface : A
Policy applied : Comprehensive
Rule count : 6882
Interface : B
Policy applied : myCustom1
Rule count : 1002
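The per-interface view above is the place to verify two points this guide makes elsewhere: an interface without a policy falls back to standard content rules only (About IPS Policies), and with asymmetric routing both monitoring interfaces should carry the same policy (Cloning an IPS Policy (Web UI)). The following audit is an added example, not a FireEye tool: the sample output is constructed from the values shown above, the list of expected interfaces is constructed, and the assumption that the command lists only interfaces that have a policy applied follows from the description above rather than from observed appliance behaviour.

```python
"""Parse `show ips interfaces` output and audit it against the guide's advice.

Added example, not FireEye tooling: the sample output and the expected
interface list are constructed; nothing here talks to an appliance.
"""
from typing import Dict, List, Optional

INTERFACES_OUTPUT = """\
Interface : A
Policy applied : Comprehensive
Rule count : 6882
Interface : B
Policy applied : myCustom1
Rule count : 1002
"""

# Monitoring interfaces the appliance is known to have (constructed). Assumption:
# the command lists only interfaces with a policy applied, so a name missing from
# the output is an interface inspected with standard content rules only.
MONITORING_INTERFACES = ["A", "B", "C"]


def parse_interfaces(text: str) -> Dict[str, dict]:
    """One entry per listed interface with the policy name and rule count."""
    interfaces: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in text.splitlines():
        key, _, value = (s.strip() for s in raw.partition(":"))
        if key == "Interface":
            current = interfaces.setdefault(value, {})
        elif current is not None and key == "Policy applied":
            current["policy"] = value
        elif current is not None and key == "Rule count":
            current["rules"] = int(value)
    return interfaces


def audit(interfaces: Dict[str, dict], expected: List[str],
          asymmetric_routing: bool) -> List[str]:
    """Findings as plain strings; an empty list means nothing to fix."""
    findings: List[str] = []
    for name in expected:
        if name not in interfaces or "policy" not in interfaces[name]:
            findings.append(f"interface {name}: no IPS policy applied")
    for name, info in interfaces.items():
        if info.get("rules", 0) == 0:
            findings.append(f"interface {name}: policy {info.get('policy')} selects 0 rules")
    applied = sorted({i["policy"] for i in interfaces.values() if "policy" in i})
    if asymmetric_routing and len(applied) > 1:
        findings.append("asymmetric routing but different policies applied: "
                        + ", ".join(applied))
    return findings


if __name__ == "__main__":
    parsed = parse_interfaces(INTERFACES_OUTPUT)
    for finding in audit(parsed, MONITORING_INTERFACES, asymmetric_routing=True):
        print(finding)
```

With the constructed interface list the audit reports interface C as unprotected and flags the differing policies on A and B; with only A and B expected and symmetric routing it reports nothing.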



IPS Policy Configuration
This section describes how to create, display, update, and delete IPS policies and their attributes.

Creating a Custom IPS Policy (CLI) 132

Cloning an IPS Policy 133

Editing an IPS Policy 136

Deleting an IPS Policy 146




Creating a Custom IPS Policy (CLI)


You can create a custom IPS policy by specifying the name of the new policy.

Prerequisites

l Log in to the CLI of the IPS-enabled platform as Operator or Admin.

Procedure

To create a custom IPS policy:


1. Enter CLI configuration mode.

hostname > enable
hostname # configure terminal
hostname (config) #

2. Create a custom IPS policy.

The following example creates a custom policy named myCustom1.

hostname (config) # ips policy myCustom1

3. Display the rule-matching attributes of the new IPS policy.

The following example shows that the newly created custom policy has the same match attributes as the
Comprehensive default IPS policy, which does not specify rule exclusion or inclusion attributes. For more
information, see Attributes of IPS Policies.

hostname (config) # show ips policies myCustom1

Policy attributes :
active : no
writable : yes
modified_date : 2014/09/26 09:51:36
version : 1

Match attributes of policy :
attack-target : client
attack-target : server
min-severity : 1
max-severity : 10

Fingerprint of policy :
2014/09/26 09:51:36 | 791c1c0bcd3b604630616acac14a96b1

4. (Optional) To modify the rule-matching attributes of the new IPS policy, see Editing the Rule Match Attributes of
an IPS Policy (CLI).

5. (Optional) To modify the rule exclusion and inclusion attributes of the new IPS policy, see Editing the Rule
Inclusion and Exclusion Attributes of an IPS Policy (CLI).




Cloning an IPS Policy


You can create a custom IPS policy by cloning an existing IPS policy. The new policy inherits the match attributes
and (if the original policy is a custom policy) any rule-exclusion and rule-inclusion attributes. You can clone an IPS
policy that is active or inactive, but the new policy is inactive until you apply it to a monitoring interface.

You can clone an IPS policy using either the Web UI or the CLI of an IPS-enabled NX Series appliance:

l Cloning an IPS Policy (Web UI)

l Cloning an IPS Policy (CLI)

Cloning an IPS Policy (Web UI)


To use the Web UI to clone a default or custom IPS policy, use the Settings > IPS page.

Prerequisites

l Log in to the Web UI of the IPS-enabled appliance as Operator or Admin.

NOTE: If you are managing the IPS-enabled platform from a CM Series appliance, an Operator has view
access only.

Procedure

To create a clone of an IPS policy:


1. Open the Settings > IPS page.

In the following example, FireEye_Default is applied to monitoring interface A.




2. In the row for the IPS policy you want to apply, click the Apply Policy link (if the policy is not currently active) or
the Apply Policy to Another Interface link (if the policy is already active on an interface).

You can apply the policy to one or more interfaces, depending on the number of monitoring ports on your
NX Series appliance. The following example shows an Apply Policy dialog box for an appliance that has two
interfaces.

3. Select the interface to which you want to apply the policy. The following guidelines apply to this step:

l If the IPS policy is already active, the dialog box shows the interface to which it is already applied.

l You can apply only one IPS policy per interface.

l If you apply an IPS policy to an interface that already has a policy, the system automatically removes the
previous policy from the interface and applies the newly specified policy.

l If your environment uses asymmetric routing, apply the same IPS policy to both monitoring interfaces. If
request and response packets traverse separate links to the two monitoring interfaces, the platform
applies the same IPS rules to the upstream and downstream traffic.

4. To apply the selected IPS policy now, click Apply Policy, and then click Done.

The table shows the current status of the IPS policies defined on the appliance.

Cloning an IPS Policy (CLI)


This topic describes how to clone a default or custom IPS policy using the CLI.

Prerequisites

l Log in to the CLI of the IPS-enabled appliance as Operator or Admin.




Procedure

To create a clone of an IPS policy:


1. Enter CLI configuration mode.

hostname > enable
hostname # configure terminal
hostname (config) #

2. Create a clone of an IPS policy.

The following example creates a clone of the FireEye_Default default policy and names the clone
myCustom1.

hostname (config) # ips policy FireEye_Default clone myCustom1

3. Display the attributes of the new IPS policy.

The following example shows that the newly created custom policy has the same match attributes as the
Comprehensive default IPS policy.

hostname (config) # show ips policies myCustom1

Policy attributes :
active : no
writable : yes
modified_date : 2014/09/26 08:55:55
version : 1

Match attributes of policy :
attack-target : client
attack-target : server
min-severity : 0
max-severity : 10

Fingerprint of policy :
2014/09/26 08:55:55 | 791c1c0bcd3b604630616acac14a96b1

4. (Optional) If you want to modify the rule-matching attributes of the new policy, see Editing the Rule Match
Attributes of an IPS Policy (CLI).

5. (Optional) If you want to modify the rule exclusion or inclusion attributes of the new policy, see Editing the Rule
Inclusion and Exclusion Attributes of an IPS Policy (CLI).




Editing an IPS Policy
You can edit certain attributes of a custom IPS policy. For a description of all attributes of an IPS policy, see
Attributes of IPS Policies.

Using the Web UI, you can disable and re-enable IPS rules matched by the policy. You can also override the
blocking action specified by a rule matched by the policy. Using the CLI, you can edit the rule match, rule inclusion,
and rule exclusion attributes of a policy.

l Editing the Rule Match Attributes of an IPS Policy (CLI)

l Editing the Rule Inclusion and Exclusion Attributes of an IPS Policy (CLI)

l Filtering the IPS Rules Listed in the IPS Policy Editor (Web UI)

l Editing the Rule Inclusion and Exclusion Attributes of an IPS Policy (Web UI)

l Overriding the Actions of Rules Selected by an IPS Policy (Web UI)

NOTE: You cannot edit a default IPS policy, but you can edit a clone of a default IPS policy.

Editing the Rule Match Attributes of an IPS Policy (CLI)


You can add, change, or remove the match attributes of a custom IPS policy only. For a description of all attributes
of an IPS policy, see Attributes of IPS Policies.

NOTE: You cannot edit a default IPS policy, but you can edit a clone of a default IPS policy.

Prerequisites

l Log in to the CLI of the IPS-enabled appliance as Operator or Admin.

NOTE: If you are managing the IPS-enabled platform from a CM Series appliance, an Operator has view
access only.




Procedure

To modify the match attributes of a custom IPS policy:


1. Enter CLI configuration mode.

hostname > enable
hostname # configure terminal
hostname (config) #

2. Display the match attributes of the custom IPS policy you want to modify.

In the following example, the custom IPS policy named myCustom1 is a clone of the default IPS policy named
Comprehensive and does not currently specify any optional match attributes.

hostname (config) # show ips policies myCustom1

Policy attributes :
active : no
writable : yes
modified_date : 2014/09/26 09:51:36
version : 1

Match attributes of policy :
attack-target : client
attack-target : server
min-severity : 1
max-severity : 10

Fingerprint of policy :
2014/09/26 09:51:36 | 791c1c0bcd3b604630616acac14a96b1

3. Change the match attributes of the custom IPS policy.

In the following example, one match attribute (attack-target client) is removed from the policy, one match
attribute (min-severity) is overwritten with a new value, and an optional match attribute is added.

hostname (config) # no ips policy myCustom1 match attack-target client
hostname (config) # ips policy myCustom1 match min-severity 3
hostname (config) # ips policy myCustom1 match protocol SNMP




4. Verify your changes, and note that the policy fingerprint is also changed.

hostname (config) # show ips policies myCustom1

Policy attributes :
active : no
writable : yes
modified_date : 2014/09/26 09:51:36
version : 1

Match attributes of policy :
protocol : SNMP
attack-target : server
min-severity : 3
max-severity : 10

Fingerprint of policy :
2014/09/26 11:29:05 | a3c225e74dc2904e2a1109d707f3e963

Editing the Rule Inclusion and Exclusion Attributes of an IPS Policy (CLI)


You can add, change, or remove the rule-exclusion and rule-inclusion attributes of a custom IPS policy only. For a
description of all attributes of an IPS policy, see Attributes of IPS Policies.

NOTE: You cannot edit a default IPS policy, but you can edit a clone of a default IPS policy.

Prerequisites

l Log in to the CLI of the IPS-enabled appliance as Operator or Admin.

l Know the signature ID of the IPS rule that you want to reference. You obtain rule signature IDs from a FireEye
customer support representative, or in the drill-down view of an entry in the IPS Events page. For more
information, see IPS Events Page Drill-Down View.


Procedure

To edit the rule-exclusion or rule-inclusion attributes of a custom IPS policy:


1. Enter CLI configuration mode.

hostname > enable


hostname # configure terminal
hostname (config) #

2. Display the attributes of the custom IPS policy you want to modify.

In the following example, no rule-exclusion or rule-inclusion attributes are defined.

hostname (config) # show ips policies myCustom1


Policy attributes :
active : no
writable : yes
modified_date : 2014/09/26 09:51:36
version : 1

Match attributes of policy :


attack-target : client
attack-target : server
min-severity : 1
max-severity : 10

Fingerprint of policy :
2014/09/26 09:51:36 | 791c1c0bcd3b604630616acac14a96b1

3. Configure rule-exclusion or rule-inclusion attributes of the IPS policy.

The following example adds one rule-exclusion attribute and two rule-inclusion attributes to the custom IPS
policy myCustom1.

hostname (config) # ips policy myCustom1 rules exclude 85300001


hostname (config) # ips policy myCustom1 rules include 85300002
hostname (config) # ips policy myCustom1 rules include 85300003


4. Verify your changes.

hostname (config) # show ips policies myCustom1


Policy attributes :
active : no
writable : yes
modified_date : 2014/09/26 11:40:21
version : 4

Match attributes of policy :


protocol : SNMP
attack-target : server
min-severity : 3
max-severity : 10

Inclusion list for policy :


85300002,85300003

Exception list for policy :


85300001

Fingerprint of policy :
2014/09/26 11:40:21 | 30b14d7ea2ddcae7ccdc6b41ff2c6110

Filtering the Rules Listed in the IPS Policy Editor (Web UI)


From the Web UI, you can filter the IPS rules listed in the Settings > IPS > Policy Editor page.

Prerequisites

l Log in to the Web UI of the IPS-enabled platform as Operator or Admin.


Procedure

To filter the IPS rules listed in the Policy Editor page:


1. Go to the Settings > IPS page.

2. For the IPS policy you want to view and configure, open the  Policy Editor page:

l For a default policy, click Clone and Edit in the Actions column.

l For a custom policy, click either Clone or Edit in the Actions column.

The page lists all IPS rules in the appliance database. You can filter the list on the Rule Name and CVE ID
fields. You can sort the list on the other columns of the table. For more detailed information, see
Settings > IPS > Policy Editor Page.

3. In the text box next to the Search Rules button, type the text string to be matched against the Rule Name and
CVE ID fields.

l The search is not case-sensitive.

l The search finds partial-word matches.

Examples of search strings: Apple, Adobe, Microsoft, CVE-2014-05, OSVDB-8, Secunia-SA58.

4. Click Search Rules. The Policy Editor page displays the rules that match the search string.

If you need to clear the filter, clear the search string text box and then click Search Rules.


5. Using the filtered list of IPS rules, you can edit the configuration settings in the Enabled column and in the
Block column:

l Editing the Rule Inclusion and Exclusion Attributes of an IPS Policy (Web UI)

l Overriding the Actions of Rules Selected by an IPS Policy (Web UI)

Editing the Rule Inclusion and Exclusion Attributes of an IPS Policy (Web UI)
From the Web UI, you can edit the rule inclusion and exclusion attributes of a custom IPS policy.

NOTE: You cannot edit a default IPS policy, but you can edit a clone of a default IPS policy.

Prerequisites

l Log in to the Web UI of the IPS-enabled appliance as Operator or Admin.

NOTE: An Operator managing the IPS-enabled platform from a CM Series appliance has view access only.


Procedure

To edit the rule-exclusion or rule-inclusion attributes of a custom IPS policy:


1. Go to the Settings > IPS page.

2. For the IPS policy you want to view and configure, open the  Policy Editor page:

l For a default policy, click Clone and Edit in the Actions column.

l For a custom policy, click either Clone or Edit in the Actions column.

The page lists all IPS rules in the appliance database that are selected by the IPS policy.

3. (Optional) Filter the IPS rules on the Rule Name or CVE ID fields. For details, see Filtering the Rules Listed in
the IPS Policy Editor (Web UI).

4. (Optional) Sort the list on the other columns of the table. For more detailed information, see
Settings > IPS > Policy Editor Page.

5. Edit the rule inclusion and exclusion attributes of this policy:

l To add a rule to the rule inclusion attribute of the policy, select the Enabled option.

l To add a rule to the rule exclusion attribute of the policy, clear the Enabled option.

6. Click Save Custom Policy.

7. If you are editing a default IPS policy, specify a name for the custom IPS policy you want to create with your
changes. Do not specify the name of an existing IPS policy.


8. If you want to apply the changed or new policy to monitoring interfaces, select the interface or interfaces and
then click Apply Policy. Otherwise, click No, I will do it later.

Overriding the Actions of Rules Selected by an IPS Policy (Web UI)


From the Web UI, you can override the actions for individual IPS rules selected by a custom IPS policy.

NOTE: You cannot override rule actions for a default IPS policy, but you can edit a clone of a default IPS policy.

Prerequisites

l Log in to the Web UI of the IPS-enabled appliance as Operator or Admin.

NOTE: An Operator managing the IPS-enabled platform from a CM Series appliance has view access only.

Procedure

To override the actions of rules selected by a custom IPS policy:


1. Go to the Settings > IPS page.

2. For the IPS policy you want to view and configure, open the  Policy Editor page:

l For a default policy, click Clone and Edit in the Actions column.

l For a custom policy, click either Clone or Edit in the Actions column.

The page lists all IPS rules in the appliance database that are selected by the IPS policy.


3. (Optional) Filter the IPS rules on the Rule Name or CVE ID fields. For details, see Filtering the Rules Listed in
the IPS Policy Editor (Web UI).

4. (Optional) Sort the IPS rules on the other columns of the table. For more detailed information, see
Settings > IPS > Policy Editor Page.

5. Configure the action performed by matched rules that are enabled for this policy:

l To allow an enabled rule to perform the action specified in the rule definition, leave the Block option
unselected.

l To force an enabled rule to block traffic when matched for this policy, select the Block option.

NOTE: The settings you configure in the Block column are specific to this IPS policy only. The settings do not
impact the individual IPS rule definitions.

6. Click Save Custom Policy.

7. If you are editing a default IPS policy, specify a name for the custom IPS policy you want to create with your
changes. Do not specify the name of an existing IPS policy.

8. If you want to apply the changed or new policy to monitoring interfaces, select the interface or interfaces and
then click Apply Policy. Otherwise, click No, I will do it later.


Deleting an IPS Policy


You can delete a custom IPS policy definition from an IPS-enabled platform, provided that the policy is not active.
This section covers the following information:

l Deleting a Custom IPS Policy (Web UI)

l Deleting a Custom IPS Policy (CLI)

Deleting a Custom IPS Policy (Web UI)


You can use the Settings > IPS page to delete a custom IPS policy definition from an IPS-enabled platform.

Prerequisites

l Log in to the Web UI of the IPS-enabled appliance as Operator or Admin.

NOTE: If you are managing the IPS-enabled platform from a CM Series appliance, an Operator has view
access only.

l Make sure that the IPS policy is not applied to any monitoring interfaces.

l Use the Settings > IPS page to check whether the policy is active.

l If the policy you want to delete is active, click the Remove Policy from Interface link to remove the policy
from an interface.


Procedure

To delete a custom IPS policy definition from the platform:


1. In the Settings > IPS page, locate the custom IPS policy definition you want to delete.

2. Click the Delete link, and then click OK.

3. Verify that the entry for that policy no longer appears in the table.

Deleting a Custom IPS Policy (CLI)


You can use CLI commands to delete a custom IPS policy definition from an IPS-enabled platform.

Prerequisites

l Log in to the CLI of the IPS-enabled platform as Operator or Admin.

l Make sure that the IPS policy is not applied to any monitoring interfaces.

l Use the show ips policies command to check whether the policy is active.

l If the policy you want to delete is active, use the show ips interfaces command to display the interface to
which the policy is applied, and then use the no ips apply command to remove the policy from an
interface.


Procedure

To delete a custom IPS policy definition from the platform:


1. Enter CLI configuration mode.

hostname > enable


hostname # configure terminal
hostname (config) #

2. List the IPS policies defined on the platform.

NOTE: You cannot delete an IPS policy while it is applied to an interface.

hostname (config) # show ips policies


FireEye_Default
active : yes
version : 2
Comprehensive
active : no
version : 2
Default_Server_Protection
active : no
version : 2
Default_Client_Protection
active : no
version : 2
myCustom1
active : no
version : 4
No. of included rules: 2
No. of excluded rules: 1
myCustom2
active : no
version : 1
No. of included rules: 1
No. of excluded rules: 2
myCustom3
active : no
version : 1
No. of included rules: 1
No. of excluded rules: 2

3. Delete any custom IPS policy definitions from the platform.

hostname (config) # no ips policy myCustom1


hostname (config) # no ips policy myCustom2
hostname (config) # no ips policy myCustom3

4. Confirm your changes.

hostname (config) # show ips policies ?


<cr>
<Policy name>
FireEye_Default
Comprehensive
Default_Server_Protection
Default_Client_Protection



IPS Policy Application at Monitoring Interfaces
This section describes how to use IPS policies to select the IPS rules used at appliance monitoring interfaces.

Applying an IPS Policy to Monitoring Interfaces 150

Removing All IPS Policies from Monitoring Interfaces 153

Removing a Single IPS Policy from Monitoring Interfaces 156

Managing Auto-Addition of New IPS Rules to Active Interfaces 159


Applying an IPS Policy to Monitoring Interfaces


To select the IPS rules that your platform uses to analyze traffic at a monitoring interface, you apply an IPS policy to
the interface. The rules engine detects IPS events by evaluating the selected rules against the monitored traffic.

You can apply IPS policies to monitoring interfaces by using either the Web UI or the CLI.

l Applying an IPS Policy to Monitoring Interfaces (Web UI)

l Applying an IPS Policy to Monitoring Interfaces (CLI)

Applying an IPS Policy to Monitoring Interfaces (Web UI)


To use the Web UI to apply an IPS policy to a monitoring interface, use the Settings > IPS page.

Prerequisites

l Log in to the Web UI of the IPS-enabled platform as Operator or Admin.

l (Optional) If you need more specific rule-selection criteria than are provided by the default IPS policies,
configure custom IPS policies. For more information, see IPS Policy Configuration.

Procedure

To apply policy-selected IPS rules to the traffic at a monitoring interface:


1. Open the Settings > IPS page. For a description of the fields and options in this page, see Settings > IPS Page.

In the following example, FireEye_Default is applied to monitoring interface A.


2. In the row for the IPS policy you want to apply, click the Apply Policy link (if the policy is not currently
active) or the Apply Policy to Another Interface link (if the policy is already active on an interface).

You can apply the policy to one or more interfaces, depending on the number of monitoring ports on your
NX Series appliance. The following example shows an Apply Policy dialog box for an appliance that has
two interfaces.

3. Select the interface to which you want to apply the policy. The following guidelines apply to this step:

l If the IPS policy is already active, the dialog box shows the interface to which it is already applied.

l You can apply only one IPS policy per interface.

l If you apply an IPS policy to an interface that already has a policy, the system automatically removes
the previous policy from the interface and applies the newly specified policy.

l If your environment uses asymmetric routing, apply the same IPS policy to both monitoring interfaces.
If request and response packets traverse separate links to the two monitoring interfaces, the platform
then applies the same IPS rules to the upstream and downstream traffic.

4. To apply the selected IPS policy now, click Apply Policy, and then click Done.

The table shows the current status of the IPS policies defined on the appliance.

Applying an IPS Policy to Monitoring Interfaces (CLI)


To use the CLI to apply an IPS policy to a monitoring interface, use the ips apply command.

Prerequisites

l Log in to the CLI of the IPS-enabled platform as Operator or Admin.

l (Optional) If you need more specific rule-selection criteria than is provided by the default IPS policies,
configure custom IPS policies. For more information, see IPS Policy Configuration.


Procedure

To apply policy-selected IPS rules to the traffic at a monitoring interface:


1. Enter CLI configuration mode.

hostname > enable


hostname # configure terminal
hostname (config) #

2. Display the appliance interfaces and the current application of IPS policies to appliance interfaces.

In the following example, the appliance has two monitoring interfaces. The default IPS policy FireEye_Default
is active on interface A, and no IPS policy is active on interface B.

hostname (config) # show ips interfaces


Interface : A
Policy applied : FireEye_Default
Rule count : 2640
Interface : B
Policy applied : empty
Rule count : 0

NOTE: For IPS-enabled platforms deployed in environments with asymmetric routing, apply the same IPS
policy to both monitoring interfaces. If request and response packets traverse separate links to the two
monitoring interfaces, the platform applies the same IPS rules to the upstream and downstream traffic.

3. Apply an IPS policy to a monitoring interface.

The following example applies the IPS custom policy named myCustom1 to both monitoring interfaces,
replacing the FireEye_Default on interface A.

hostname (config) # ips apply myCustom1 interface A


hostname (config) # ips apply myCustom1 interface B

4. Verify your changes.

hostname (config) # show ips interfaces


Interface : A
Policy applied : myCustom1
Rule count : 1002
Interface : B
Policy applied : myCustom1
Rule count : 1002



Removing All IPS Policies from Monitoring Interfaces


You can use either the Web UI or the CLI to remove all IPS policies from appliance monitoring interfaces.

l Removing IPS Policies from All Monitoring Interfaces (Web UI)

l Removing IPS Policies from All Monitoring Interfaces (CLI)

To delete a custom IPS policy definition from an IPS-enabled platform, see Deleting a Custom IPS Policy.

Removing All IPS Policies from Monitoring Interfaces (Web UI)


You can remove IPS policies from all interfaces in a single step instead of removing policies individually from each
interface. When no IPS policies are applied, the platform functions as a standard NX Series appliance that detects
and, if deployed and configured inline, can block client-centric HTTP-based malware.

Prerequisites

l Log in to the Web UI of the IPS-enabled platform as Operator or Admin.

Procedure

To stop applying policy-selected IPS rules to the traffic at all monitoring interfaces:
1. Open the Settings > IPS page.

In the following example, the default IPS policy FireEye_Default is applied to monitoring interface A.


2. To remove IPS policies from all monitoring interfaces, click Remove Policies from All Interfaces and then
click Yes.

When no IPS policies are applied, the appliance functions as a standard NX Series appliance.

l The platform continues to detect malware. Additional MVX-verified malware (malware alerts) continue to
appear in the Alerts > Hosts and the Alerts > Alerts pages.

l The platform no longer detects IPS events. No additional MVX-correlated IPS events (IPS alerts) appear in
the Alerts > Hosts, Alerts > Alerts, or IPS Events pages.

Removing All IPS Policies from Monitoring Interfaces (CLI)


You can remove IPS policies from all interfaces in a single step instead of removing policies individually from each
interface. Without IPS policies applied to monitoring interfaces, the platform functions as a standard NX Series
appliance that detects and, if deployed and configured inline, can block client-centric HTTP-based malware.

Prerequisites

l Log in to the CLI of the IPS-enabled platform as Operator or Admin.

Procedure

To stop applying policy-selected IPS rules to the traffic at all monitoring interfaces:
1. Enter CLI configuration mode.

hostname > enable


hostname # configure terminal
hostname (config) #

2. Display the appliance interfaces and the current application of IPS policies to appliance interfaces.

In the following example, the appliance has two monitoring interfaces and two default IPS policies are active
on the interfaces.

hostname (config) # show ips interfaces


Interface : A
Policy applied : FireEye_Default
Rule count : 2640
Interface : B
Policy applied : Comprehensive
Rule count : 6882

3. Remove all IPS policies from all monitoring interfaces.

hostname (config) # no ips apply all


4. Confirm your configuration changes.

hostname (config) # show ips interfaces


Interface : A
Policy applied : empty
Rule count : 0
Interface : B
Policy applied : empty
Rule count : 0

Without IPS policies applied to monitoring interfaces, the platform functions as a standard NX Series
appliance:

l The platform continues to detect malware. Additional MVX-verified malware (malware alerts) continue to
appear in the Alerts > Hosts and the Alerts > Alerts pages.

l The platform no longer detects IPS events. No additional MVX-correlated IPS events (IPS alerts) appear in
the Alerts > Hosts, Alerts > Alerts, or IPS Events pages.


Removing a Single IPS Policy from Monitoring Interfaces


You can use either the Web UI or the CLI to remove a single IPS policy from an appliance monitoring interface.

l Removing an IPS Policy from a Monitoring Interface (Web UI)

l Removing an IPS Policy from a Monitoring Interface (CLI)

To delete a custom IPS policy definition from an IPS-enabled platform, see Deleting a Custom IPS Policy.

Removing a Single IPS Policy from Monitoring Interfaces (Web UI)


To stop applying IPS rules to a monitoring interface, remove the active IPS policy from the interface. When no IPS
policy is applied, traffic that passes through the interface is analyzed using standard NX Series content rules only.
The appliance detects and, if deployed and configured inline, can block client-centric HTTP-based malware only.

Prerequisites

l Log in to the Web UI of the IPS-enabled platform as Operator or Admin.

Procedure

To remove an IPS policy from a monitoring interface:


1. Open the Settings > IPS page.

In the following example, an IPS policy is applied to monitoring interface A.


2. In the row for the IPS policy you want to remove, click Remove Policy from Interface in the Action column.

In the following example, the default IPS policy named Comprehensive is selected for removal.

3. Select the interface from which you want to remove the policy, click Remove Policy, and then click Done.

The table in the Settings > IPS page shows that the IPS policy is removed from the interface.

Traffic that passes through the interface is analyzed using standard NX Series content rules only.

Removing a Single IPS Policy from Monitoring Interfaces (CLI)


To stop applying IPS rules to a monitoring interface, remove the active IPS policy from the interface. Without an IPS
policy applied, traffic that passes through the interface is analyzed using standard NX Series content rules only.
When using standard NX Series content rules alone, the platform detects and, if deployed and configured inline,
can block client-centric HTTP-based malware only.

Prerequisites

l Log in to the CLI of the IPS-enabled platform as Operator or Admin.


Procedure

To stop applying policy-selected IPS rules to the traffic at a monitoring interface:


1. Enter CLI configuration mode.

hostname > enable


hostname # configure terminal
hostname (config) #

2. Display the appliance interfaces and the current application of IPS policies to monitoring interfaces.

In the following example, the appliance has two monitoring interfaces. The default IPS policy FireEye_Default
is active on interface A, and the custom IPS policy myCustom1 is active on interface B.

hostname (config) # show ips interfaces active


A : FireEye_Default
B : myCustom1

3. To remove an IPS policy from a monitoring interface, enter no ips apply policyName and include the
interface interfaceName parameter to specify the interface from which the policy is to be removed.

In the following example, the IPS custom policy named myCustom1 is removed from interface B.

hostname (config) # no ips apply myCustom1 interface B

4. Verify the updated application of IPS policies to monitoring interfaces.

The output now shows that no IPS policy is applied to interface B.

hostname (config) # show ips interfaces active


A : FireEye_Default
B : empty

Traffic that passes through interface B is analyzed using standard NX Series content rules only.


Managing Auto-Addition of New IPS Rules to Active Interfaces


You can use either the Web UI or the CLI to manage automatic addition of new IPS rules to active monitoring
interfaces:

l About Auto-Addition of New IPS Rules to Active Interfaces

l Enabling or Disabling Auto-Addition of New IPS Rules to Active Interfaces (Web UI)

l Enabling or Disabling Auto-Addition of New IPS Rules to Active Interfaces (CLI)

About Auto-Addition of New IPS Rules to Active Interfaces


When IPS policies are active, the IPS-enabled rules engine uses the policy-selected IPS content rules to analyze
traffic. The Auto Add Rules option determines whether the rules engine re-evaluates active policies when the
database of IPS rules is updated.

l The Auto Add Rules option is enabled by default. If your platform receives new IPS security content rules, the
system re-evaluates active IPS policies against the updated database of IPS rules.

l If your platform receives new IPS security content rules while Auto Add Rules is disabled, the system does not
re-evaluate active IPS policies against the updated database of IPS rules. In this case, you can force the
platform to re-evaluate an active policy by removing the policy from an interface and then reapplying the
policy to the interface.

l You enable or disable the Auto Add Rules option globally (for all monitoring interfaces on the platform). You
cannot apply the option on a per-port, per-interface, or per-policy basis.

An IPS-enabled platform's rules database can receive new IPS rules from two different sources:

l A scheduled or explicit update of security content includes new FireEye-provided IPS rules

l You explicitly import or delete custom IPS rules

If your IPS-enabled platform is subscribed to the FireEye Dynamic Threat Intelligence (DTI) cloud, you can schedule
daily or hourly downloads of new security content rules available from the DTI cloud, or you can download new
security content rules when you choose. FireEye recommends that you configure your appliance to check for
security content updates either daily or hourly. For more information, see the NX Series System Administration
Guide.

An operator can add, modify, or delete custom IPS rules in the platform database. For more information, see
Importing Custom IPS Rules (Web UI).
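The match attributes, the inclusion and exclusion lists (edited earlier with ips policy ... match and ips policy ... rules), and the Auto Add Rules re-evaluation described in this topic together determine which rules an interface runs. The Python model below is an added example, not FireEye code: it replays the myCustom1 edits from this guide against a constructed rule database and returns the selected signature IDs after each stage, then shows what a content update does with Auto Add Rules on and off. Its precedence (an excluded rule is dropped even when the attributes or the inclusion list select it), the version increment of one per command, the rule attributes, and the function names are assumptions; the command parser accepts only the command forms shown in this guide.

```python
"""Model of how an IPS policy selects rules, as this guide describes it:
match attributes pick rules from the database, the inclusion list adds
individual rules, and the exclusion list removes them.  Added example, not
FireEye code.  Assumed: exclusion wins over attributes and inclusion, each
command bumps the version by one, and the rule records are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    sid: int             # signature ID, as used by 'ips policy NAME rules include|exclude'
    attack_target: str   # "client" or "server"
    protocol: str
    severity: int        # 1 to 10


@dataclass
class Policy:
    name: str
    attack_targets: Set[str] = field(default_factory=lambda: {"client", "server"})
    protocols: Optional[Set[str]] = None   # None: optional attribute not specified
    min_severity: int = 1
    max_severity: int = 10
    include: Set[int] = field(default_factory=set)
    exclude: Set[int] = field(default_factory=set)
    version: int = 1

    def matches(self, rule: Rule) -> bool:
        """True when the rule satisfies every configured match attribute."""
        if rule.attack_target not in self.attack_targets:
            return False
        if self.protocols is not None and rule.protocol not in self.protocols:
            return False
        return self.min_severity <= rule.severity <= self.max_severity

    def select(self, db: List[Rule]) -> Set[int]:
        """Signature IDs the policy applies at an interface."""
        known = {r.sid for r in db}
        chosen = {r.sid for r in db if self.matches(r)} | (self.include & known)
        return chosen - self.exclude


def apply_command(policy: Policy, command: str) -> None:
    """Apply one 'ips policy NAME ...' or 'no ips policy NAME ...' form from this guide."""
    tokens = command.split()
    negate = tokens[0] == "no"
    if negate:
        tokens = tokens[1:]
    if len(tokens) != 6 or tokens[:2] != ["ips", "policy"] or tokens[2] != policy.name:
        raise ValueError(f"unsupported command: {command}")
    kind, attr, value = tokens[3:]
    if kind == "match" and attr == "attack-target":
        (policy.attack_targets.discard if negate else policy.attack_targets.add)(value)
    elif kind == "match" and attr == "protocol":
        current = set(policy.protocols or ())
        (current.discard if negate else current.add)(value)
        policy.protocols = current or None     # emptied: back to "not specified"
    elif kind == "match" and attr in ("min-severity", "max-severity"):
        setattr(policy, attr.replace("-", "_"), int(value))
    elif kind == "rules" and attr in ("include", "exclude"):
        target = policy.include if attr == "include" else policy.exclude
        (target.discard if negate else target.add)(int(value))
    else:
        raise ValueError(f"unsupported command: {command}")
    policy.version += 1


def rules_after_content_update(policy: Policy, applied: Set[int], new_db: List[Rule],
                               auto_add_enabled: bool) -> Set[int]:
    """Rule set active at an interface after a content update adds rules: with Auto Add
    Rules on the active policy is re-evaluated against the new database; with it off the
    interface keeps the previously applied set until the policy is removed and re-applied."""
    return policy.select(new_db) if auto_add_enabled else set(applied)


# Constructed rule database: IDs reuse the numbers in this guide, attributes are invented.
RULE_DB = [
    Rule(85300001, "server", "SNMP", 7),   # selected by attributes, then excluded
    Rule(85300002, "client", "HTTP", 2),   # not selected by attributes, added by inclusion
    Rule(85300003, "server", "SNMP", 5),   # selected by attributes, inclusion is redundant
    Rule(85300004, "server", "SMTP", 6),   # dropped once 'match protocol SNMP' is set
    Rule(85300005, "client", "SNMP", 9),   # dropped once the client attack-target is removed
]


def walkthrough() -> Dict[str, Set[int]]:
    """Replay the myCustom1 edits from this guide; return the selection after each stage."""
    policy = Policy("myCustom1")   # clone of Comprehensive: both targets, severity 1..10
    stages = {"clone": policy.select(RULE_DB)}
    for cmd in ("no ips policy myCustom1 match attack-target client",
                "ips policy myCustom1 match min-severity 3",
                "ips policy myCustom1 match protocol SNMP"):
        apply_command(policy, cmd)
    stages["match edited"] = policy.select(RULE_DB)
    for cmd in ("ips policy myCustom1 rules exclude 85300001",
                "ips policy myCustom1 rules include 85300002",
                "ips policy myCustom1 rules include 85300003"):
        apply_command(policy, cmd)
    stages["rules edited"] = policy.select(RULE_DB)
    new_db = RULE_DB + [Rule(85300006, "server", "SNMP", 9)]   # constructed content update
    applied = stages["rules edited"]
    stages["update, auto-add on"] = rules_after_content_update(policy, applied, new_db, True)
    stages["update, auto-add off"] = rules_after_content_update(policy, applied, new_db, False)
    return stages
```

Calling walkthrough() shows the effect of each edit: the fresh clone selects all five rules, the match edits narrow the set to the two server-side SNMP rules of severity 3 or higher, and the rule edits then drop 85300001 and add 85300002 even though 85300002 fails the match attributes. The new rule 85300006 reaches the interface only when Auto Add Rules is on.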

Enabling or Disabling Auto-Addition of New IPS Rules to Active Interfaces (Web UI)


This topic describes how to disable or re-enable automatic addition of new IPS rules to active interfaces using the
Web UI. The Auto Add Rules option is enabled by default. If your platform receives new IPS security content rules,
the system re-evaluates active IPS policies against the updated database of IPS rules. For more information, see
About Auto-Addition of New IPS Rules to Active Interfaces.

Prerequisites

l Log in to the Web UI of the IPS-enabled platform as Operator or Admin.


Procedure

To disable or re-enable automatic addition of new rules to active IPS policies:


1. Open the Settings > IPS page.

In the following example, the Auto Add Rules Status is ON.

l For the only active policy (FireEye_Default) the Auto Add Rules column displays Yes because the feature
is enabled.

l The Auto Add Rules column always displays No for inactive policies.


2. To toggle the setting of the Auto Add Rules feature, click Change.

If any IPS policies are active, the Auto Add Rules column values change for those policies.

l When Auto Add Rules is ON, the Auto Add Rules column displays "Yes" for the active policies. When
security content updates load new IPS rules, the appliance automatically re-evaluates active IPS policies
and—if any new rules match the policy match attributes—the new rules are included at the associated
interface.

l When Auto Add Rules is OFF, the Auto Add Rules column displays No for the active policies. When
security content updates load new IPS rules, the appliance does not automatically re-evaluate active IPS
policies. You can force the platform to re-evaluate active policies by removing the policies from monitoring
interfaces and then re-applying the policies to the interfaces.

In the following example, the Auto Add Rules option (displayed and configured below the table) is disabled 
(OFF). The default IPS policy FireEye_Default is active on monitoring interface A, and the Auto Add Rules
column for that policy displays No.

Enabling or Disabling Auto-Addition of New IPS Rules to Active Interfaces (CLI)


This topic describes how to disable or re-enable automatic addition of new IPS rules to active interfaces using the
CLI. The Auto Add Rules option is enabled by default. If your platform receives new IPS security content rules, the
system re-evaluates active IPS policies against the updated database of IPS rules. For more information, see About
Auto-Addition of New IPS Rules to Active Interfaces.

Prerequisites

l Log in to the CLI of the IPS-enabled platform as Operator or Admin.


Procedure

To disable or re-enable automatic addition of new rules to active IPS policies:


1. Enter CLI configuration mode.

hostname > enable


hostname # configure terminal
hostname (config) #

2. Display the status of the automatic IPS rule addition feature for active IPS policies. In the following example,
the Auto-update rules for an active policy field shows that the Auto Add Rules option is enabled.

hostname (config) # show ips status

License status : enabled

Auto-update rules for an active policy : enabled

IPS blockmode : disabled


IPS blockmode last modified: 2014/10/20 20:59:14

IPS configuration status :


Fully applied to system : yes

3. (Optional) Toggle the setting of the feature.

l If the feature is enabled (if the Auto-update rules for an active policy field displays enabled), you can
disable the feature.

hostname (config) # no ips auto-update enable

l If the feature is disabled (if the Auto-update rules for an active policy field displays disabled), you can
re-enable the feature.

hostname (config) # ips auto-update enable

4. Verify the configuration change. In the following example, the Auto-update rules for an active policy field
shows that the Auto Add Rules option is disabled.

hostname (config) # show ips status

License status : enabled

Auto-update rules for an active policy : disabled

IPS blockmode : disabled


IPS blockmode last modified: 2014/10/20 20:59:14

IPS configuration status :


Fully applied to system : yes



IPS Rule Action Overrides
This section describes how to configure the IPS-enabled rules engine to override the blocking actions specified by
IPS rules or signatures.

Options to Disable or Force Blocking for All IPS Rules 164

Options to Disable or Force Blocking for a Vulnerability or an IPS Rule 170

Options to Suppress a Vulnerability or an IPS Rule 176

Displaying Overrides to Vulnerabilities or IPS Rules (Web UI) 182


Options to Disable or Force Blocking for All IPS Rules


These topics describe how to disable blocking action or force blocking action for all IPS rules:

l About IPS Blockmode

l Forcing All Matched IPS Rules to Allow Traffic (CLI)

l Forcing All Matched IPS Rules to Block Traffic (CLI)

l Re-Enabling the Blocking Actions of All IPS Rules (CLI)

About IPS Blockmode
IPS blockmode is a platform-wide setting that determines whether traffic matched by IPS rules is handled according
to each rule's own blocking action, is never blocked, or is always blocked. IPS blockmode is enabled by default; in
that state, only IPS rules whose blocking action is block can drop matched traffic. The other two states of IPS
blockmode (disabled and all) override the blocking actions of all IPS rules.

The following list describes the IPS blockmode settings:

Enabled
When an IPS rule matches a traffic flow, the platform blocks or allows the traffic as specified by the block
action of the rule. If the matched IPS rule specifies the block action value blockable, the system handles the
matched traffic as if the block action value were noblock (the traffic is allowed); the difference is that a
blockable rule can be overridden to block on a per-rule basis. See Options to Disable or Force Blocking for a
Vulnerability or an IPS Rule.
IPS blockmode is enabled by default.

Disabled
All matched IPS rules act as detection-only rules, even rules that specify blocking.
Disabling of IPS blockmode is useful when you first enable IPS features on an existing deployment of an
NX Series appliance.
IMPORTANT! When IPS blockmode is disabled, IPS rules cannot block malicious activity.

All
All matched IPS rules act as blocking rules, regardless of the block action specified by the rule.
Forced blocking is useful if you are testing the accuracy of every rule in an IPS policy by running the policy
against known test traffic.

When an IPS rule matches a traffic flow, the system generates an IPS event and sends IPS event notifications (if
notifications are configured). The action taken on the traffic flow is determined by two factors:

• The IPS blockmode setting on the appliance.

• The blocking action specified by the matched IPS rule.

The following table describes the action taken on matched traffic based on the two determining factors.

IPS Blockmode State   Action Specified by the Matched IPS Rule
                      block     noblock   blockable
Enabled               Block     Allow     Allow
Disabled              Allow     Allow     Allow
All                   Block     Block     Block



Release 7.5 Options to Disable or Force Blocking for All IPS Rules

The following caveats apply to IPS blockmode:

• The CLI configuration ips blockmode disabled, which disables blocking for all IPS rules, takes precedence
over rule overrides specified for a vulnerability or IPS rule.

• The CLI configuration ips blockmode all, which forces blocking for all IPS rules, takes precedence over rule
overrides specified for a vulnerability or IPS rule. On such a system, traffic that matches an IPS rule that is
suppressed or suppressed and disabled is not suppressed and is blocked.
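To make the table and the precedence caveats concrete, the following added model (illustrative Python written for this guide, not FireEye code) resolves the disposition of a matched flow from the IPS blockmode, the rule's block action, any policymgr signature exception mode, and whether the interface is configured for inline blocking. It applies the guide's note that block and do-not-block exceptions take effect only for rules whose action is blockable literally, and it assumes that suppression still silences events while IPS blockmode is disabled.

```python
"""Illustrative model of how an IPS-enabled NX Series appliance decides what
happens to a traffic flow that matches an IPS rule (added example, not FireEye
code).  Inputs: the platform-wide IPS blockmode, the rule's own block action,
an optional policymgr signature exception mode, and the interface's mode."""
from dataclasses import dataclass
from typing import Optional

# IPS blockmode states ('ips blockmode disabled|all'; 'no ips blockmode' -> enabled)
BLOCKMODE_ENABLED, BLOCKMODE_DISABLED, BLOCKMODE_ALL = "enabled", "disabled", "all"
# Block action values an IPS rule can carry
RULE_BLOCK, RULE_NOBLOCK, RULE_BLOCKABLE = "block", "noblock", "blockable"
# Exception modes of 'policymgr signature {name|id} ... <mode> on <intf>'
OV_BLOCK, OV_DO_NOT_BLOCK = "block", "do-not-block"
OV_SUPPRESS, OV_SUPPRESS_UNBLOCK = "suppress", "suppress-unblock"
SUPPRESSING = (OV_SUPPRESS, OV_SUPPRESS_UNBLOCK)


@dataclass(frozen=True)
class Disposition:
    action: str    # "Block" or "Allow"
    notify: bool   # True when an IPS event and its notifications are generated


def resolve(blockmode: str, rule_action: str, override: Optional[str] = None,
            inline_blocking: bool = True) -> Disposition:
    """Resolve the disposition of matched traffic.

    Precedence, in the order the guide states it:
      1. 'ips blockmode disabled' (every rule detection-only) and
         'ips blockmode all' (everything blocked, suppressed rules included)
         take precedence over per-rule and per-vulnerability exceptions.
      2. With blockmode enabled, an exception applies.  The guide's note says a
         block / do-not-block exception has no effect unless the rule's action
         is 'blockable'; this model applies that literally.  Suppression modes
         silence events and, for suppress-unblock, also disable blocking.
      3. Otherwise the rule's own action decides: only 'block' drops traffic,
         and 'blockable' is handled like 'noblock'.
    Traffic is only dropped on an interface configured for inline blocking;
    on a tap interface the result is modeled as Allow (assumption).
    """
    if blockmode == BLOCKMODE_DISABLED:
        # Assumption: suppression still silences events here; the guide only
        # documents the blocking precedence of this state.
        return Disposition("Allow", override not in SUPPRESSING)
    if blockmode == BLOCKMODE_ALL:
        return Disposition("Block" if inline_blocking else "Allow", True)
    if blockmode != BLOCKMODE_ENABLED:
        raise ValueError(f"unknown IPS blockmode: {blockmode!r}")

    notify = override not in SUPPRESSING
    if override == OV_SUPPRESS_UNBLOCK:
        wants_block = False
    elif override in (OV_BLOCK, OV_DO_NOT_BLOCK) and rule_action == RULE_BLOCKABLE:
        wants_block = override == OV_BLOCK
    else:
        wants_block = rule_action == RULE_BLOCK
    return Disposition("Block" if wants_block and inline_blocking else "Allow", notify)


def action_table() -> dict:
    """The guide's blockmode x rule-action table, with no exceptions configured."""
    return {(mode, act): resolve(mode, act).action
            for mode in (BLOCKMODE_ENABLED, BLOCKMODE_DISABLED, BLOCKMODE_ALL)
            for act in (RULE_BLOCK, RULE_NOBLOCK, RULE_BLOCKABLE)}


if __name__ == "__main__":
    for (mode, act), result in action_table().items():
        print(f"blockmode={mode:8} rule={act:9} -> {result}")
    # The caveat above: under 'all', a suppressed rule is not suppressed.
    print(resolve(BLOCKMODE_ALL, RULE_NOBLOCK, OV_SUPPRESS))
```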

Forcing All Matched IPS Rules to Allow Traffic (CLI)


On an IPS-enabled platform, IPS blockmode is enabled by default.

If you want all IPS rules to pass matched traffic, disable IPS blockmode. The appliance then operates with standard
malware rules in blocking mode (as specified in the malware rule definitions) but with IPS rules in detection-only
mode, even for IPS rules that specify blocking. This configuration option is relevant only when the platform is
deployed inline and the monitoring interface is configured for inline blocking.

IMPORTANT! When IPS blockmode is disabled, IPS rules with blocking action set to block are not allowed to block
malicious activity detected in the matched traffic.

Prerequisites

• Log in to the CLI of the IPS-enabled appliance as Admin.

Procedure

To disable the blocking actions specified by matched IPS rules:


1. Enter CLI configuration mode.

hostname > enable
hostname # configure terminal
hostname (config) #

2. Display the status of IPS global settings.

In the following example, the platform blocks or allows matched traffic as specified by the block action of the
rule (for interfaces configured for inline blocking). This is the default state.

hostname # show ips status

License status : enabled
Auto-update rules for an active policy : disabled
IPS blockmode : enabled
IPS blockmode last modified: 2014/10/24 05:47:22
IPS configuration status :
Fully applied to system : yes




3. Configure the platform to pass all matched packets, even if the matched IPS rule specifies blocking.

hostname (config) # ips blockmode disabled

4. Verify that you have disabled the blocking actions specified by matched IPS rules.

hostname # show ips status

License status : all
Auto-update rules for an active policy : disabled
IPS blockmode : disabled
IPS blockmode last modified: 2014/11/22 05:11:07
IPS configuration status :
Fully applied to system : yes

Forcing All Matched IPS Rules to Block Traffic (CLI)


On an IPS-enabled platform, IPS blockmode is enabled by default.

You can force all matched IPS rules to block traffic. In this mode, all matched IPS rules act as blocking rules,
regardless of the block action specified by the rule. This configuration option is relevant only when the platform is
deployed inline and the monitoring interface is configured for inline blocking.

Prerequisites

• Log in to the CLI of the IPS-enabled appliance as Admin.




Procedure

To force all matched IPS rules to block traffic:


1. Enter CLI configuration mode.

hostname > enable
hostname # configure terminal
hostname (config) #

2. Display the status of IPS global settings.

In the following example, the platform has previously been configured to force all IPS rules to pass matched
traffic.

hostname # show ips status

License status : enabled
Auto-update rules for an active policy : disabled
IPS blockmode : disabled
IPS blockmode last modified: 2014/10/27 08:22:54
IPS configuration status :
Fully applied to system : yes

3. Configure the platform to force all IPS rules to block matched traffic.

hostname (config) # ips blockmode all

4. Verify that you have forced blocking for all matched IPS rules.

hostname # show ips status

License status : enabled
Auto-update rules for an active policy : disabled
IPS blockmode : all
IPS blockmode last modified: 2014/10/27 08:39:17
IPS configuration status :
Fully applied to system : yes




Re-Enabling the Blocking Actions of All IPS Rules (CLI)


On an IPS-enabled platform, IPS blockmode is enabled by default.

If you have disabled IPS blockmode or if you have set IPS blockmode to forced blocking, you can re-enable IPS
blockmode so that the system resumes blocking malicious activity as specified by the active IPS rules. This
configuration option is relevant only when the platform is deployed inline and the monitoring interface is configured
for inline blocking.

Prerequisites

• Log in to the CLI of the IPS-enabled appliance as Admin.

Procedure

To re-enable the blocking actions specified by matched IPS rules:


1. Enter CLI configuration mode.

hostname > enable
hostname # configure terminal
hostname (config) #

2. Display the status of IPS global settings.

In the following example, the platform has previously been configured to disable blocking actions specified by
matched IPS rules.

hostname # show ips status

License status : disabled
Auto-update rules for an active policy : disabled
IPS blockmode : disabled
IPS blockmode last modified: 2014/10/27 08:22:54
IPS configuration status :
Fully applied to system : yes

3. Configure the platform to block or allow matched traffic as specified by the block action of the rule. Only traffic
matched by IPS rules that specify the blocking action block will be blocked.

hostname (config) # no ips blockmode




4. Verify that you have re-enabled IPS blockmode.

hostname # show ips status

License status : enabled
Auto-update rules for an active policy : disabled
IPS blockmode : enabled
IPS blockmode last modified: 2014/10/27 08:39:17
IPS configuration status :
Fully applied to system : yes




Options to Disable or Force Blocking for a Vulnerability or an IPS Rule


These topics describe how to disable or force blocking action for a particular vulnerability or IPS rule.

• About Disabled or Forced Blocking for a Vulnerability or an IPS Rule

• Web UI Procedures:

  ◦ Disabling or Forcing Blocking for a Vulnerability or an IPS Rule (Web UI)

  ◦ Restoring the Blocking Action for a Vulnerability or an IPS Rule (Web UI)

• CLI Procedures:

  ◦ Disabling or Forcing Blocking for a Vulnerability or an IPS Rule (CLI)

  ◦ Restoring the Blocking Action for a Vulnerability or an IPS Rule (CLI)

About Disabled or Forced Blocking for a Vulnerability or an IPS Rule


You can configure an IPS-enabled platform to disable or force blocking of traffic matched by a single IPS rule.
Where multiple IPS rules address aspects of the same network vulnerability, you can disable or force blocking for
all IPS rules that reference that vulnerability.

For interfaces configured for inline blocking, you can configure the IPS-enabled platform to disable or force blocking
of traffic matched by a particular IPS rule. This configuration overrides the blocking action specified within the IPS
rule itself. You can configure the override to apply to one or all monitoring interfaces on the appliance.

You can disable or force blocking at either of two levels:

• IPS rule—To disable or force blocking for an individual IPS rule, specify the eight-digit signature ID for that rule.

• Vulnerability—Where multiple IPS rules address aspects of the same network vulnerability, you can disable or
force blocking for all of those IPS rules by specifying the signature name for that vulnerability.

Although a blocking policy based on a signature ID can be more specific than a blocking policy based on a
signature name, you cannot determine when this is the case. Therefore, we recommend you specify a signature ID
rather than a signature name when you want to disable or force blocking for an IPS rule.

You can use the signature ID to configure a custom IPS policy that explicitly includes or excludes any IPS rule that
references a specific signature ID. For more information, see Attributes of IPS Policies (rule exclusion and inclusion
attributes) and Modifying a Custom IPS Policy.

NOTE: This configuration applies to interfaces configured for inline blocking only. Furthermore, this configuration
has no effect unless the action option of the IPS rule is defined as blockable, as opposed to noblock.




Disabling or Forcing Blocking for a Vulnerability or an IPS Rule (Web UI)


To use the Web UI to configure an IPS-enabled platform to allow or block traffic that matches a particular IPS rule,
overriding blocking action specified by the IPS rule, use the IPS Events page.

NOTE: This configuration applies to interfaces configured for inline blocking only. Furthermore, this configuration
has no effect unless the action option of the IPS rule is defined as blockable, as opposed to noblock.

To display or undo disabled or forced blocking for IPS rules, use the Settings > Inline Policy Exceptions page.

Prerequisites

• Log in to the Web UI of the IPS-enabled platform as Operator or Admin.

Procedure

To disable or force blocking for a vulnerability or an individual IPS rule on an interface:


1. Identify the IPS rule (or rules) for which to disable or force blocking of matched traffic.

a. In the IPS Events page, identify the IPS event or IPS alert associated with the IPS rule whose action you
want to override.

b. Click the triangle in the left column of that row to open the drill-down view.

c. Decide whether you want to override the rule action at a per-rule level or at a per-vulnerability level.

• To force blocking of traffic that matches an individual IPS rule, you will use the drop-down lists in the
row labeled Set Sig ID Blocking Policy.

• To force blocking of traffic that matches all IPS rules that address the same vulnerability, you will use
the drop-down lists in the row labeled Set Sig Name Blocking Policy.

To understand the difference between applying the override at the rule level or at the vulnerability level,
see About Disabled or Forced Blocking for a Vulnerability or an IPS Rule.

2. Choose the monitoring interface on which to apply this override: A, B, C, D, or ALL.

3. Choose the override mode:

• Block—Force blocking of traffic that matches the vulnerability or rule on the specified interface.

• Unblock—Disable blocking of traffic that matches the vulnerability or rule on the interface.

4. Click Commit.

5. To verify your changes, go to the Settings > Inline Policy Exceptions page. For more information, see
Displaying Overrides to Vulnerabilities or IPS Rules (Web UI).




Restoring the Blocking Action for a Vulnerability or an IPS Rule (Web UI)


If an IPS-enabled platform is configured to disable or force blocking of traffic that matches a particular vulnerability
or IPS rule, overriding the blocking action specified by the rule, you can restore the blocking action for that rule. To
restore the blocking action for a vulnerability or IPS rule, use the Settings > Inline Policy Exceptions page.

For more information, see About Disabled or Forced Blocking for a Vulnerability or an IPS Rule.

Prerequisites

• Log in to the Web UI of the IPS-enabled platform as Operator or Admin.

Procedure

To restore the blocking action (that is, to undo disabled or forced blocking) for a vulnerability or an individual IPS rule on an interface:


1. Open the Settings > Inline Policy Exceptions page.

2. In the Malware column, locate the entry that lists the IPS rule (identified by a signature ID) or vulnerability
(identified by a signature name) for which you want to disable forced blocking.

3. Select the checkbox in the Delete column.

4. Click Update.




Disabling or Forcing Blocking for a Vulnerability or an IPS Rule (CLI)


To use the CLI to disable or force blocking for a vulnerability or an IPS rule, use the policymgr signature command.
To display disabled or forced blocking for a vulnerability or IPS rule, use the show policymgr signatures command
in enable mode.

NOTE: This configuration applies to interfaces configured for inline deployment only. Furthermore, this
configuration has no effect unless the action option of the IPS rule is defined as blockable, as opposed to simply
noblock (the default value).

For more information, see About Disabled or Forced Blocking for a Vulnerability or an IPS Rule.

Prerequisites

• Log in to the CLI of the IPS-enabled appliance as Operator or Admin.

Procedure

To disable or force blocking for a vulnerability or an IPS rule on an interface:


1. Enter CLI configuration mode.

hostname > enable
hostname # configure terminal
hostname (config) #

2. Disable or force blocking for a vulnerability or rule on a specific interface.

• To specify a vulnerability, use the name keyword and specify the rule name, enclosed in double quotation
marks. To specify an individual rule, use the id keyword and specify the eight-digit rule identifier.

NOTE: When you display details about blocking or suppression configured for a vulnerability or IPS rule,
the CLI command output truncates rule names to 32 characters.

• To disable blocking, specify the do-not-block exception mode. To force blocking, specify the block
exception mode.

• To specify the interface for which the exception applies, use the on keyword and specify A, B, C, D, or
ALL.

The following example configures forced blocking for traffic that matches all "Exploit Kit Landing Page" rules on
all interfaces. This command applies to interfaces deployed inline and configured for inline blocking.

hostname (config) # policymgr signature name "Exploit Kit Landing Page" block on ALL

3. Update the policy configuration.

hostname (config) # policymgr refresh-policy




Restoring the Blocking Action for a Vulnerability or an IPS Rule (CLI)


To use the CLI to restore the blocking action for a vulnerability or an IPS rule, use the no policymgr signature
command. This operation is the undo function for disabled or forced blocking for a vulnerability or an IPS rule. For
more information, see About Disabled or Forced Blocking for a Vulnerability or an IPS Rule.

Prerequisites

• Log in to the CLI of the IPS-enabled appliance as Operator or Admin.

Procedure

To restore the blocking action for a vulnerability or an IPS rule on an interface:


1. Enter CLI configuration mode.

hostname > enable
hostname # configure terminal
hostname (config) #

2. Undo disabled blocking or forced blocking of the vulnerability or rule on an interface.

• To specify a vulnerability, use the name keyword and specify the rule name, enclosed in double quotation
marks. To specify an individual rule, use the id keyword and specify the eight-digit rule identifier.

• To undo disabled blocking, specify the do-not-block exception mode. To undo forced blocking, specify
the block exception mode.

• To limit the undo operation to a specific interface, use the on keyword and specify A, B, C, or D. If you do
not specify an interface, the system restores the blocking action for the vulnerability or IPS rule on all
interfaces configured for inline blocking and also removes the corresponding signature entry from the
show policymgr signatures table and from the Web UI Settings > Inline Policy Exceptions page.

Both of the following forms of the no policymgr signature command disable forced blocking for traffic that
matches all "Exploit Kit Landing Page" rules on interfaces configured for inline blocking:

• The following command allows the corresponding signature entry to remain in the table, but resets its
Interface and Policy fields to None.

hostname (config) # no policymgr signature name "Exploit Kit Landing Page" block on ALL

• The following command removes the corresponding signature entry from the table.

hostname (config) # no policymgr signature name "Exploit Kit Landing Page"

3. Update the policy configuration.

hostname (config) # policymgr refresh-policy




4. Verify your changes.

Before entering no policymgr signature name "Exploit Kit Landing Page" and refreshing the policy manager,
the show command output included an entry for the Exploit Kit Landing Page vulnerability:

hostname (config) # show policymgr signatures


Interface A
opmode: block
policy: mixed
tolerance: 1
ACTION TABLE
SIGNATURE INTF BLOCKED SUPPRESSED
85301908 A no yes
Exploit Kit Landing Page A yes no
RECONNAISSANCE - TCP PORTSCAN ALL no yes

After you enter no policymgr signature name "Exploit Kit Landing Page" and refresh the policy manager, no
override is applied to the Exploit Kit Landing Page vulnerability on interface A.

hostname (config) # show policymgr signatures


Interface A
opmode: block
policy: mixed
tolerance: 1
ACTION TABLE
SIGNATURE INTF BLOCKED SUPPRESSED
85301908 A no yes
RECONNAISSANCE - TCP PORTSCAN ALL no yes
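When you audit overrides across several appliances or interfaces, comparing these tables by eye is error-prone. The following added parser (illustrative Python written for this guide, not FireEye code) turns the text of show policymgr signatures into structured records and reports which override entries disappeared between two captures; its sample input is the before output shown above, and the assumption is that the first token of the echoed command line is the hostname prompt.

```python
"""Parser for the text of 'show policymgr signatures' (added example, not
FireEye code).  It turns the per-interface header blocks and the ACTION TABLE
into records so that rule overrides can be audited or diffed before and after
a 'policymgr signature' change.  The sample below is this guide's own output."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class InterfaceState:
    name: str
    opmode: str = ""        # block (inline blocking) or tap
    policy: str = ""
    tolerance: int = 0


@dataclass(frozen=True)
class SignatureEntry:
    signature: str          # signature name or eight-digit signature ID
    interface: str          # A, B, C, D or ALL
    blocked: str            # yes, no or -- (for example on a tap interface)
    suppressed: str         # yes or no


@dataclass
class PolicyMgrState:
    interfaces: Dict[str, InterfaceState] = field(default_factory=dict)
    entries: List[SignatureEntry] = field(default_factory=list)


# Both header spellings seen in the guide: "Interface A" and "Interface : A".
_INTF_RE = re.compile(r"^Interface\s*:?\s*(\S+)$")


def parse_policymgr_signatures(text: str) -> PolicyMgrState:
    """Parse the command output; raises ValueError on a line it cannot place."""
    state = PolicyMgrState()
    current = None
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("hostname"):
            continue                      # blank line or echoed CLI prompt (assumed)
        if in_table:
            if line.startswith("SIGNATURE"):
                continue                  # column header row
            # Signature names may contain spaces; the last three columns
            # (INTF BLOCKED SUPPRESSED) never do, so split from the right.
            parts = line.rsplit(None, 3)
            if len(parts) != 4:
                raise ValueError(f"unparseable ACTION TABLE row: {raw!r}")
            state.entries.append(SignatureEntry(*parts))
            continue
        if line == "ACTION TABLE":
            in_table = True
            continue
        m = _INTF_RE.match(line)
        if m:
            current = InterfaceState(m.group(1))
            state.interfaces[current.name] = current
            continue
        if current is None:
            raise ValueError(f"attribute before any Interface header: {raw!r}")
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "opmode":
            current.opmode = value
        elif key == "policy":
            current.policy = value
        elif key == "tolerance":
            current.tolerance = int(value)
        else:
            raise ValueError(f"unknown interface attribute: {raw!r}")
    return state


def removed_overrides(before: PolicyMgrState, after: PolicyMgrState) -> Set[SignatureEntry]:
    """Override entries present before a change but gone after it."""
    return set(before.entries) - set(after.entries)


# The guide's output before 'no policymgr signature name "Exploit Kit Landing Page"'.
BEFORE = """\
hostname (config) # show policymgr signatures
Interface A
opmode: block
policy: mixed
tolerance: 1
ACTION TABLE
SIGNATURE INTF BLOCKED SUPPRESSED
85301908 A no yes
Exploit Kit Landing Page A yes no
RECONNAISSANCE - TCP PORTSCAN ALL no yes
"""
# The guide's output after the refresh: the vulnerability entry is gone.
AFTER = BEFORE.replace("Exploit Kit Landing Page A yes no\n", "")

if __name__ == "__main__":
    for entry in removed_overrides(parse_policymgr_signatures(BEFORE),
                                   parse_policymgr_signatures(AFTER)):
        print("override removed:", entry)
```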




Options to Suppress a Vulnerability or an IPS Rule


These topics describe how to suppress blocking, notifications, and events for a particular vulnerability or IPS rule.

• About Suppression of a Vulnerability or an IPS Rule

• Web UI procedures:

  ◦ Suppressing a Vulnerability or an IPS Rule (Web UI)

  ◦ Disabling Suppression of a Vulnerability or an IPS Rule (Web UI)

• CLI procedures:

  ◦ Suppressing a Vulnerability or an IPS Rule (CLI)

  ◦ Disabling Suppression of a Vulnerability or an IPS Rule (CLI)

About Suppression of a Vulnerability or an IPS Rule


You can configure an IPS-enabled platform to suppress a single IPS rule. Where multiple IPS rules address aspects
of the same network vulnerability, you can suppress all IPS rules that reference that vulnerability. When a traffic flow
matches a suppressed IPS rule, no notifications are generated and no events are logged in the database.

You can configure an IPS-enabled platform to suppress an IPS rule at one or all monitoring interfaces on the
appliance. Traffic that matches a suppressed IPS rule is handled according to the blocking action specified in the
rule definition. For interfaces configured for inline blocking, you can choose to suppress an IPS rule and at the
same time disable the blocking action specified in the rule definition.

You can suppress IPS rules at either of two levels:

• To suppress an individual IPS rule, specify the signature ID for that rule.

• To suppress all IPS rules that reference a particular vulnerability, specify the signature name for that
vulnerability.

Although a suppression policy based on a signature ID can be more specific than a suppression policy based on a
signature name, you cannot determine when this is the case. Therefore, we recommend you specify a signature ID
rather than a signature name when you want to suppress an IPS rule.

You can use the signature ID to configure a custom IPS policy that explicitly includes or excludes any IPS rule that
references a specific signature ID. For more information, see Attributes of IPS Policies (rule exclusion and inclusion
attributes) and Modifying a Custom IPS Policy.

The following caveats apply to the suppression of a vulnerability or an IPS rule:

• Suppression of reconnaissance activity (ping sweeps or port scans) or brute-force attacks must be configured
for all monitoring interfaces. It cannot be configured for individual interfaces.

• The CLI configuration ips blockmode all, which forces blocking for all IPS rules, takes precedence over rule
overrides specified for a vulnerability or IPS rule. On such a system, traffic that matches an IPS rule that is
suppressed or suppressed and disabled is not suppressed and is blocked.

Use suppression to disable IPS rules that, on your network, are noisy and generate false positives.




Suppressing a Vulnerability or an IPS Rule (Web UI)


To use the Web UI to configure an IPS-enabled platform to suppress a particular IPS rule, use the IPS Events page.
When traffic matches a suppressed IPS rule, no notifications are generated and no events are logged in the
database. Matched traffic is handled according to the blocking action specified in the rule definition. If the appliance
is configured for inline blocking, you can specify suppression but allow blocking as specified by the rule. To display
or undo IPS rule suppression, use the Settings > Inline Policy Exceptions page.

For more information, see About Suppression of a Vulnerability or an IPS Rule.

Prerequisites

• Log in to the Web UI of the IPS-enabled platform as Operator or Admin.

Procedure

To suppress a vulnerability or an individual IPS rule on an interface:


1. Identify the vulnerability or IPS rule (or rules) to be suppressed.

a. In the IPS Events page, identify the IPS event or IPS alert associated with the IPS rule you want to
suppress.

b. Click the triangle in the left column of that row to open the drill-down view.

c. Decide whether to suppress at the IPS rule level or at a per-vulnerability level.

• To suppress an individual IPS rule, you will use the drop-down lists in the row labeled
Set Sig ID Blocking Policy.

• To suppress all IPS rules that address the same vulnerability, you will use the drop-down lists in the
row labeled Set Sig Name Blocking Policy.

2. Choose the monitoring interfaces: A, B, C, D, or All Interfaces.

NOTE: If you are suppressing an IPS rule that detects reconnaissance activity (ping sweeps or port scans) or
brute-force attacks, you must apply the configuration to all monitoring interfaces. The Web UI does not allow
you to suppress IPS reconnaissance rules or IPS brute-force rules for individual interfaces.

3. Choose the override mode:

• Suppress—Suppress the vulnerability or IPS rule on the specified interface. Matched traffic is handled
according to the blocking action specified in the rule definition.

• Suppress & Unblock—Suppress the vulnerability or IPS rule and also disable the blocking action
specified in the rule definition. This mode is not available unless the appliance is deployed inline and the
interface is configured for inline blocking mode.

4. Click Commit.

5. To verify your changes, go to the Settings > Inline Policy Exceptions page. For more information, see
Displaying Overrides to Vulnerabilities or IPS Rules (Web UI).




Disabling Suppression of a Vulnerability or an IPS Rule (Web UI)


If an IPS-enabled platform is configured to suppress a particular IPS rule, you can remove suppression. For more
information, see About Suppression of a Vulnerability or an IPS Rule.

Prerequisites

• Log in to the Web UI of the IPS-enabled platform as Operator or Admin.

Procedure

To disable suppression of a vulnerability or an individual IPS rule on a specific interface:


1. Open the Settings > Inline Policy Exceptions page.

2. In the Malware column, locate the entry that lists the IPS rule (identified by a signature ID) or vulnerability
(identified by a signature name) for which you want to disable suppression.

3. Select the checkbox in the Delete column.

4. Click Update.




Suppressing a Vulnerability or an IPS Rule (CLI)


To use the CLI to suppress a vulnerability or an IPS rule, use the policymgr signature command. When traffic
matches a suppressed IPS rule, no notifications are generated and no events are logged in the database. Matched
traffic is handled according to the blocking action specified in the rule definition. If the appliance is configured for
inline blocking, you can specify suppression but allow blocking as specified by the rule. To display IPS rule
suppression, use the show policymgr signatures CLI command in enable mode.

For more information, see About Suppression of a Vulnerability or an IPS Rule.

Prerequisites

• Log in to the CLI of the IPS-enabled appliance as Operator or Admin.

Procedure

To suppress a vulnerability or an IPS rule on an interface:


1. Enter CLI configuration mode.

hostname > enable
hostname # configure terminal
hostname (config) #

2. Suppress a vulnerability or rule on a specific interface.

• To specify a vulnerability, use the name keyword and specify the rule name, enclosed in double quotation
marks. To specify an individual rule, use the id keyword and specify the eight-digit rule identifier.

• To suppress the vulnerability or IPS rule, specify the suppress exception mode. When traffic matches a
suppressed vulnerability or IPS rule, the system does not generate notifications and does not log events
in the database. Blocking action is performed as specified by the blocking action in the rule definition.

To suppress the vulnerability or IPS rule and also disable the blocking action specified in the rule
definition, specify the suppress-unblock exception mode. The suppress-unblock mode is valid only for
interfaces configured for inline blocking.

• To specify the interface for which the exception applies, use the on keyword and specify A, B, C, D, or
ALL.

NOTE: If you are suppressing an IPS rule that detects reconnaissance activity (ping sweeps or port scans)
or brute-force attacks, you must apply the configuration to all monitoring interfaces. You cannot suppress
IPS reconnaissance rules or IPS brute-force rules for individual interfaces.

The following example suppresses the individual rule with identifier 85308152 when active on interface B.

hostname (config) # policymgr signature id 85308152 suppress on B




3. Update the policy configuration.

hostname (config) # policymgr refresh-policy

4. Verify your changes.

hostname # show policymgr signatures


Interface : A
opmode: block
policy: mixed
tolerance: 1
Interface : B
opmode: tap
policy: mixed
tolerance: 1
ACTION TABLE
SIGNATURE INTF BLOCKED SUPPRESSED
85308152 B -- yes

Disabling Suppression of a Vulnerability or an IPS Rule (CLI)


To use the CLI to disable suppression of a vulnerability or an IPS rule, use the no policymgr signature command.
You must specify the interface on which you want to disable suppression of the vulnerability or rule.

Prerequisites

• Log in to the CLI of the IPS-enabled appliance as Operator or Admin.




Procedure

To disable suppression of a vulnerability or an IPS rule on a specific interface:


1. Enter CLI configuration mode.

hostname > enable
hostname # configure terminal
hostname (config) #

2. Disable suppression of a vulnerability or rule on a specific interface.

• To specify a vulnerability, use the name keyword and specify the rule name, enclosed in double quotation
marks. To specify an individual rule, use the id keyword and specify the eight-digit rule identifier.

• To undo suppression, specify the suppress exception mode. To undo suppression with blocking allowed,
specify the suppress-unblock exception mode.

• To specify the interface on which to disable suppression of the vulnerability or rule, use the on keyword
and specify A, B, C, D, or ALL.

The following example disables suppression of the individual rule with identifier 85308152 when active on
interface A.

hostname (config) # no policymgr signature id 85308152 suppress on A

3. Update the policy configuration.

hostname (config) # policymgr refresh-policy




Displaying Overrides to Vulnerabilities or IPS Rules (Web UI)


On an IPS-enabled platform, use the Settings > Inline Policy Exceptions page to display or undo overrides to
vulnerabilities or individual IPS rules.

Prerequisites

• Log in to the Web UI of the IPS-enabled platform as Monitor, Operator, or Admin.

Procedure

To display overrides to vulnerabilities or individual IPS rules:


1. Open the Settings > Inline Policy Exceptions page.

The following example shows two overrides to vulnerabilities and one override to an individual IPS rule.

The page lists IPS rule overrides and other policy exceptions in the following columns:

Malware
Name of the vulnerability or signature ID of an individual IPS rule.

Interface
Monitoring interface on which the IPS rule override or other policy exception applies: A, B, C, D, or ALL.

Policy
Override action applied. For information about Block and Unblock, see Options to Disable or Force
Blocking for a Vulnerability or an IPS Rule. For information about Suppress and Suppress&Unblock,
see Options to Suppress a Vulnerability or an IPS Rule.

Delete
Selects the override to be deleted.




2. (Optional) If the list is long, you can filter it on the Malware column.

a. Type the string to be matched into the Name Filter text box.

b. Press the Enter key.

3. (Optional) You can sort the list on the Malware column.





IPS Rules Based on Custom Signatures
This section describes how to create custom IPS rules that you can import to your IPS-enabled platform.

Overview of Custom IPS Rules 186

Syntax for Custom IPS Rules 187

Importing Custom IPS Rules (Web UI) 193

Downloading Custom IPS Rules (Web UI) 195

Deleting All Custom IPS Rules (Web UI) 197




Overview of Custom IPS Rules


This topic covers the following information:

l IPS Rules Tailored to Your Environment

l Identification of Events and Alerts for Custom IPS Rules

IPS Rules Tailored to Your Environment


IPS-enabled platforms use IPS content rules for signature-based detection of client-centric and server-centric
attacks over multiple protocols. You can create and upload your own IPS content rules that can detect specific
intruder signatures found in the data packets in your network traffic.

Custom IPS rules can include descriptions of malware families based on textual or binary patterns contained in
samples of identified families. The custom IPS rule descriptions consist of a set of strings and a Boolean expression
that determines the rule’s logic.

Like IPS events (potential network threats) detected using FireEye-provided or locally generated IPS rules,
IPS events detected using custom IPS rules are confirmed by automatic correlation with client-centric attacks
already verified by the signature-less NX Series rules engines that use the Multi-Vector Execution (MVX) engine on
the appliance.

Identification of Events and Alerts for Custom IPS Rules


When a FireEye IPS rule or a custom IPS rule triggers, the signature name is displayed in the Rule column of the
IPS Events page or in the Last Malware column of the Alerts > Hosts page. Unlike the names of FireEye-provided
or locally generated IPS rules, however, custom IPS rule names displayed in the IPS Events page or in the
Alerts > Hosts page are not hyperlinked to IPS rule description pages.


Syntax for Custom IPS Rules


This topic covers the following information:

l Structure of a Custom IPS Rules File

l Structure of a Custom IPS Rule

l Example of a Custom IPS Rule

l Custom IPS Rule Header

l Custom IPS Rule Body

l Custom IPS Rule Options

Structure of a Custom IPS Rules File

The IPS-enabled rules engine supports Snort 2.9 rule format, with certain FireEye-specific requirements and
options defined in this section. You can import custom IPS rules into an IPS-enabled platform by uploading an
ASCII file that contains one or more custom IPS rules. Within the file, rules are delimited by a pair of CR-LF
characters.

Structure of a Custom IPS Rule

A custom IPS rule consists of two main components: a rule header followed by a rule body:

rule-header (rule-body)

The rule body is enclosed in parentheses [ ( ) ] and consists of required and optional rule options. Individual rule
options are terminated by a semicolon ( ; ).

NOTE: IPS rules must conform to Snort 2.9 rule syntax.

Example of a Custom IPS Rule

The following is an example of a custom IPS rule. Line breaks are inserted for readability only:

alert tcp any any -> any any (
    sid:85000001; rev:1;
    msg:"Mozilla Products Malformed GIF Buffer Overflow";
    flow:to_server;
    content:"test"; nocase;
    reference:cve,cve-2012-0671; reference:osvdb,81942;
    reference:secunia,sa47447;
    reference:url,http://www.fireeye.com;
    protocol:"http";
    attack-target:"client";
    category:"exploit";
    sub_category:"code_execution";
    severity:6;
    action:"noblock";)


Custom IPS Rule Header

Description

Specifies the action to perform, the protocol to which the rule applies, and the source and destination addresses
and ports.

Syntax

rule-action protocol src-ip src-port direction dst-ip dst-port

Parameters

rule-action
Action to be taken on a packet that matches the rule conditions:
  • alert—Send an alert message.
NOTE: If you upload a custom IPS rule with a header that specifies an action other than alert (such as drop,
log, or reject), the behavior of the IPS-enabled rules engine regarding that rule is undefined.

protocol
Type of packet to be analyzed:
• icmp—Internet Control Message Protocol
• ip—Internet Protocol
• tcp—Transmission Control Protocol
• udp—User Datagram Protocol

src-ip
Source IP address match criteria:
• address—Match the single specified numeric address.
• address-A:address-B—Match the range of IP addresses.
• address-A:—Match IP addresses above address-A.
• :address-B—Match IP addresses below address-B.
• any—Match any IP address.

src-port
Source port number match criteria:
• port—Match the specified source port number.
• !port—Do not match the specified source port number.
• port-A:port-B—Match source port numbers within the range.
• !port-A:port-B—Do not match source port numbers within the range.
• any—Match any port number.

direction
Direction of traffic to be matched:
  • ->—Match unidirectional traffic from source machine to destination machine only.
  • <>—Match bidirectional traffic.


dst-ip
Destination IP address match criteria:
• address—Match the single specified numeric address.
• address-A:address-B—Match the range of IP addresses.
• address-A:—Match IP addresses above address-A.
• :address-B—Match IP addresses below address-B.
• any—Match any IP address.

dst-port
Destination port number match criteria:
• port—Match the specified destination port number.
• !port—Do not match the specified destination port number.
• port-A:port-B—Match destination port numbers within the range.
• !port-A:port-B—Do not match destination port numbers within the range.
• any—Match any port number.

Custom IPS Rule Body

Description

The rule body consists of required and optional rule options that follow the same syntax rules as Snort 2.9 rules.

Syntax

(ips-rule-option; [ips-rule-option;])

Custom IPS Rule Options

l Required Snort 2.9 Rule Options

l Recommended FireEye-Specific Rule Options

l Recommended Snort 2.9 Rule Options

Required Snort 2.9 Rule Options

A custom IPS rule must include the following Snort 2.9 rule options:

sid:signature-ID; [rev:revision;]
Uniquely identifies a custom IPS rule:
• signature-ID—Numeric ID from 85000000 through 85099999. No default value.
• revision—(Optional) As required to uniquely identify the signature. If not specified, default value is 1.
If a custom IPS rule body does not specify this option, the rule is rejected.
IMPORTANT! Except to re-create a particular custom IPS rule, do not re-use the signature-ID of a previously
imported IPS rule, even if you deleted the previous rule and verified that the rule no longer generates
IPS events. The platform user interface can display misleading IPS event information if you import a custom
IPS rule that re-uses the signature-ID of a different IPS rule that you previously imported, applied to a
monitoring interface, and subsequently deleted.


msg:"message-text";
Message to be used with logging or alerts for this rule. Up to 255 ASCII characters enclosed in double
quotes. Valid characters are alphanumeric characters, spaces, a period (.), hyphen (-), or an underscore (_).
No default value. Use the backslash (\) as an escape character as needed to avoid confusing the rule
parser.
IMPORTANT! Messages that begin with "FE" are reserved messages. Using "FE" as the first two characters
of the message string can cause unintended results.

Recommended FireEye-Specific Rule Options

The following FireEye-specific options for custom IPS rules are not required but are recommended.

NOTE: The IPS-enabled rules engine uses default values for any FireEye-specific rule options that are not specified
in the rule body.

action:block-action;
Blocking action that the IPS rules engine is to take, in addition to generating an IPS event:
  • block—Drop the current packet and all subsequent packets in the flow.
  • noblock—(Default) Allow the current packet and all subsequent packets in the flow to pass.
  • blockable—Same as noblock, but enables you to force blocking on a per-rule basis.
   See Options to Disable or Force Blocking for a Vulnerability or an IPS Rule.

attack-target:target;
Match traffic flows that target the specified host type. You can specify more than one attack target option.
  • client—(Default) Match flows that target a client.
  • server—Match flows that target a server.
All IPS policies specify one or more attack target attributes.

protocol:protocol;
Name of the presentation-layer protocol associated with the rule. Up to 32 characters long.
  • text-string—Match flows that use the specified protocol as the attack vector. Example: http
  • unknown—(Default)
To enable the rule to be selected by a custom IPS policy that specifies one or more protocol match
attributes, include one or more instances of this rule option.

severity:level;
Severity of the vulnerability that the rule detects. Numeric value from 1 to 10. Default value is 10.

category:category-name; [sub_category:target;]
Category of the vulnerability that the rule detects, optionally followed by a subcategory of that category:
  • category-name—Category of the vulnerability.
  • target—Subcategory of the vulnerability category specified.
For more information, see Attributes of IPS Policies.


Recommended Snort 2.9 Rule Options

The following Snort 2.9 rule options are not required in IPS custom rules but are recommended.

content:[!]"content-string"; [nocase;]
Search packet payload for an exact match of a string and trigger a response based on that data. The search
string can contain mixed text and binary data. Binary data is represented as hexadecimal numbers enclosed
within pipe characters (|). No default value. A custom IPS rule can specify multiple content options.
  • !—(Optional) Match on packets that do not contain the specified content.
  • nocase—(Optional) When searching for the specified pattern, ignore case.

flow:[ (established | not_established | stateless) ]
[, (to_client | to_server | from_client | from_server) ]
[, (no_stream | only_stream) ]
[, (no_frag | only_frag) ];
Used in conjunction with TCP stream reassembly to apply rules only to certain directions of the traffic flow:
  • to_client—Trigger on server responses from A to B.
  • to_server—Trigger on client requests from A to B.
  • from_client—Trigger on client requests from A to B.
  • from_server—Trigger on server responses from A to B.
  • established—Trigger on established TCP connections only.
  • not_established—Trigger only when no TCP connection is established.
  • stateless—Trigger regardless of the state of the stream processor.
  • no_stream—Do not trigger on rebuilt stream packets.
  • only_stream—Trigger on rebuilt stream packets only.
  • no_frag—Do not trigger on rebuilt frag packets.
  • only_frag—Trigger on rebuilt frag packets only.

reference:id-system,id-vulnerability; [reference:id-system,id-vulnerability;]
One or more informational references to vulnerabilities described in external attack identification systems.
Referenced vulnerabilities provide additional information about the IPS event generated.
  • id-system—Snort rule keyword that identifies the external attack identification system.
  • id-vulnerability—Identifier for the vulnerability defined in the attack identification system database.
The following table lists the URL prefixes for the attack identification systems supported for Snort 2.9 rules:

  id-system   URL Prefix
  bugtraq     http://www.securityfocus.com/bid/
  cve         http://cve.mitre.org/cgi-bin/cvename.cgi?name=
  mcafee      http://vil.nai.com/vil/content/v_
  msb         http://technet.microsoft.com/en-us/security/bulletin/
  nessus      http://cgi.nessus.org/plugins/dump.php3?id=
  osvdb       http://osvdb.org/show/osvdb/
  secunia     http://secunia.com/community/advisories/
  url         http://

author:"authorName";
Identifies the author of the rule. Default value of authorName is "" (empty string).
Example: author:"John Q. Doe";


release_date:date;
Identifies the date the rule was released, specified in mm-dd-yyyy format. Default value is today's date.

modify_date:date;
Identifies the date the rule was modified, specified in mm-dd-yyyy format. Default value is today's date.
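As an added example that is not FireEye code or part of this guide, the following Python script lints a custom rules file before import against the header and option constraints described above (alert-only header, sid range, msg restrictions, recommended option values, rules separated by a blank line). The two rules embedded in it are constructed for the demonstration: the guide's example rule, trimmed, and one deliberately bad rule.

```python
# Added example, not FireEye code: lint a custom IPS rules file against this guide's constraints.
import re
from collections import Counter

HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+$")
PROTOCOLS = {"icmp", "ip", "tcp", "udp"}
SID_RANGE = range(85000000, 85100000)           # 85000000 through 85099999
MSG_CHARS = re.compile(r"^[A-Za-z0-9 .\-_]*$")   # alphanumerics, space, '.', '-', '_'
DATE_FMT = re.compile(r"^(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])-\d{4}$")  # mm-dd-yyyy
# Recommended options: (predicate on the unquoted value, message when the value fails).
OPTION_CHECKS = {
    "rev": (lambda v: v.isdigit() and int(v) >= 1, "must be a positive integer"),
    "severity": (lambda v: v.isdigit() and 1 <= int(v) <= 10, "must be an integer from 1 to 10"),
    "action": (lambda v: v in {"block", "noblock", "blockable"}, "must be block, noblock or blockable"),
    "attack-target": (lambda v: v in {"client", "server"}, "must be client or server"),
    "protocol": (lambda v: len(v) <= 32, "must be at most 32 characters"),
    "release_date": (lambda v: bool(DATE_FMT.match(v)), "must be in mm-dd-yyyy format"),
    "modify_date": (lambda v: bool(DATE_FMT.match(v)), "must be in mm-dd-yyyy format"),
}

def split_options(body):
    """Split a rule body into (keyword, value) pairs on ';' outside double quotes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if not escaped and ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote and not escaped:
            key, _, val = "".join(cur).strip().partition(":")
            if key:
                opts.append((key.strip(), val.strip()))
            cur = []
        else:
            cur.append(ch)
        escaped = ch == "\\" and not escaped   # a backslash escapes the next character
    return opts

def unquote(val):
    """Strip surrounding double quotes and resolve backslash escapes."""
    if len(val) >= 2 and val[0] == val[-1] == '"':
        val = val[1:-1]
    return re.sub(r"\\(.)", r"\1", val)

def lint_rule(rule_text):
    """Return the list of problems found in one rule (an empty list means it passes)."""
    text = rule_text.replace("\r\n", " ").replace("\n", " ")  # line breaks inside a rule are cosmetic
    head, sep, body = text.partition("(")
    if not sep or not body.rstrip().endswith(")"):
        return ["rule body must be enclosed in parentheses"]
    m = HEADER_RE.match(head.strip())
    if not m:
        return ["header must be: rule-action protocol src-ip src-port direction dst-ip dst-port"]
    problems = []
    if m.group(1) != "alert":
        problems.append(f"rule-action {m.group(1)!r}: only 'alert' has defined behaviour")
    if m.group(2) not in PROTOCOLS:
        problems.append(f"protocol {m.group(2)!r} not one of {sorted(PROTOCOLS)}")
    opts = split_options(body.rstrip()[:-1])        # drop the closing ')'
    sids = [v for k, v in opts if k == "sid"]
    if not sids:
        problems.append("sid is required; the platform rejects rules without it")
    elif not sids[0].isdigit() or int(sids[0]) not in SID_RANGE:
        problems.append(f"sid {sids[0]!r} must be numeric and within 85000000-85099999")
    msgs = [unquote(v) for k, v in opts if k == "msg"]
    if not msgs:
        problems.append("msg is required")
    elif len(msgs[0]) > 255 or not MSG_CHARS.match(msgs[0]):
        problems.append("msg must be <= 255 chars of alphanumerics, space, '.', '-', '_'")
    elif msgs[0].startswith("FE"):
        problems.append("msg beginning with 'FE' is reserved for FireEye rules")
    for key, val in opts:
        check, why = OPTION_CHECKS.get(key, (None, None))
        if check and not check(unquote(val)):
            problems.append(f"{key} {val!r} {why}")
    return problems

def lint_rules_file(text):
    """Lint a rules file (rules separated by a blank line); returns {sid or rule#N: [problems]}."""
    rules = [r for r in re.split(r"(?:\r?\n){2,}", text.strip()) if r.strip()]
    report, seen = {}, Counter()
    for i, rule in enumerate(rules, 1):
        sids = [v for k, v in split_options(rule.partition("(")[2]) if k == "sid"]
        key = sids[0] if sids else f"rule#{i}"
        seen[key] += 1
        report[key] = report.get(key, []) + lint_rule(rule)
    for key, n in seen.items():
        if n > 1:   # a re-used sid makes the platform's event display unreliable
            report[key].append(f"sid {key} is used by {n} rules; sids must be unique")
    return report

# Constructed sample file: the guide's example rule (trimmed) plus one deliberately bad rule.
SAMPLE_RULES = """\
alert tcp any any -> any any (sid:85000001; rev:1;
msg:"Mozilla Products Malformed GIF Buffer Overflow"; flow:to_server; content:"test"; nocase;
reference:cve,cve-2012-0671; protocol:"http"; attack-target:"client"; category:"exploit";
sub_category:"code_execution"; severity:6; action:"noblock";)

drop udp any any -> any 53 (sid:85100000; msg:"FE bad rule"; severity:11; action:"drop";)
"""
```

Running it over ips_custom_user_rules.txt before re-importing surfaces rejections that would otherwise appear only in ips_custom_user_error.txt, and catches a re-used sid before the import silently replaces every existing custom rule.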


Importing Custom IPS Rules (Web UI)


You import custom IPS rules to your IPS-enabled platform from a single ASCII text file. If you import custom IPS
rules to an IPS-enabled platform that already contains custom IPS rules, the platform automatically and silently
deletes all current custom IPS rules before uploading the contents of the file you specify. If the Auto Add Rules
option is enabled when you import custom IPS rules, the platform re-evaluates active IPS policies against the
updated database of IPS rules. For more information, see Overview of Custom IPS Rules and Managing Auto-
Addition of New IPS Rules to Active Interfaces.

Best Practice: You can export a copy of all of the custom IPS rules from your IPS-enabled platform to an ASCII file
named ips_custom_user_rules.txt. You can add, modify, or delete rules and then import the updated file to the
platform, replacing all of the previously imported custom IPS rules.

Prerequisites

l Create an ASCII text file that contains custom IPS rules. The file must be accessible from the local desktop from
which you access the Web UI of the IPS-enabled platform. For information about the format of a custom IPS
rules file, see Syntax for Custom IPS Rules.

l Log in to the Web UI as Operator or Admin.

Procedure

To import custom IPS rules from a file accessible from the local desktop:
1. Open the Settings > IPS page.

2. Click Import Custom Rules to open the IPS Custom Rules panel.

In the following example, custom IPS rules have not yet been imported.

3. Click Browse, locate the text file that contains the custom IPS rules you want to import, and then click Open.


4. (Optional) Enter a comment in the Description field.

In the following example, the filename my_custom_ips_rules has been selected.

5. Click Update to import the custom IPS rules.

l If the following message appears, the platform was unable to validate the file and therefore did not import
the rules file. For details, click Download Error Log to download the ips_custom_user_error.txt file.

l If the following message appears, the platform successfully imported the rules and the Web UI displays
the file content below the message.

In the following example, the platform successfully imported four custom IPS rules.


Downloading Custom IPS Rules (Web UI)


You can export a copy of all of the custom IPS rules from your IPS-enabled platform to an ASCII file named ips_
custom_user_rules.txt. You can add, modify, or delete rules and then import the updated file to the platform,
replacing all of the previously imported custom IPS rules.

Prerequisites

l Log in to the Web UI of the IPS-enabled platform as Operator or Admin.

Procedure

To download custom IPS rules from an IPS-enabled platform:


1. Open the Settings > IPS page.


2. Click Import Custom Rules to open the IPS Custom Rules panel.

In the following example, custom IPS rules have been imported previously.

3. Download a text file that contains all custom IPS rules in the database.

a. Click Download File. A dialog box prompts you to open or save the ASCII text file named ips_custom_
user_rules.txt.

b. Specify that you want to open the file in the text editor of your choice or that you want to save the file.

c. Click OK to proceed with your choice and close the dialog box.

The following example shows custom IPS rules downloaded from an IPS-enabled platform and opened in a
text editor:

You can add, modify, or delete individual rules in the file and then import the contents of the updated file back
to the platform.


Deleting All Custom IPS Rules (Web UI)


You can delete all custom IPS rules from your IPS-enabled platform.

Prerequisites

l Log in to the Web UI of the IPS-enabled platform as Operator or Admin.

Procedure

To delete all custom IPS rules from an IPS-enabled platform:


1. Open the Settings > IPS page.


2. Click Import Custom Rules to open the IPS Custom Rules panel.

In the following example, custom IPS rules have been imported previously.

3. Click Delete File, then click OK to confirm.



IPS Reports
You can access IPS-specific information from the following reports.

IPS Executive Summary 200

IPS Policy Configuration Summary 204

IPS Policy Configuration Details 207

IPS Top N Attacks 211

IPS Top N Attackers 214

IPS Top N Victims 217

IPS Top N MVX-Correlated 220


IPS Executive Summary


This topic covers the following information:

l Report Overview

l Prerequisites

l Generating a Report (Web UI)

l Scheduling a Report (Web UI)

Report Overview

The IPS Executive Summary report provides a high-level view of IPS statistics for the specified reporting period.

You can request the report to be output as a PDF file or as a CSV file. The format of the report file name is ips_
executive_summary_hostName_dateCreated_timeCreated, where hostName is the host name assigned to your
appliance, and dateCreated and timeCreated identify the date and time the report was created.

The report consists of several sections: a summary of IPS events, IPS Top 10 lists, a percentage breakdown of IPS
critical and major events (severity levels 4 - 10) by threat category, and a trend chart of IPS critical and major alerts.

Events Summary

This section of the report summarizes IPS event counts for the specified reporting period:

l MVX Correlated IPS—Total number of IPS alerts. The platform generates an IPS alert for a traffic flow that
matches one or more IPS rules and has also been correlated with one or more zero-day attacks confirmed
separately by the MVX engine. For details, see the Top 10 MVX-Correlated IPS Events section of this report.

l IPS Critical—Number of IPS events of threat severity level 7 - 10, as shown in the Alerts pages and the
IPS Events page by an icon such as the following:

l IPS Major—Number of IPS events of threat severity level 4 - 6, as shown in the Alerts pages and the
IPS Events page by an icon such as the following:

l IPS Minor—Number of IPS events of threat severity level 1 - 3, as shown in the Alerts pages and the
IPS Events page by an icon such as the following:

l # of Attackers—Number of unique attackers associated with IPS events.

l # of Victim Hosts—Number of unique victims associated with IPS events.

Top 10 Attacks by Rules

This section of the report lists the ten most-triggered IPS rules for the specified reporting period.

l Rule Description—Name of the IPS rule that detected an event.

l Attack Count—Number of events detected by the rule.


NOTE: If you need a report that lists a specific number of most-triggered IPS rules, you can generate an IPS Top N
Attacks report and specify any value for N, from 1 through 100.

Top 10 MVX-Correlated IPS Events

This section of the report lists the ten most-triggered IPS rules that detected events that correlate with MVX-verified
malware events during the specified reporting period.

l IPS Rule Description—Name of an IPS rule that detected an MVX-correlated event.

l # of MVX Correlated IPS Events—Number of MVX-correlated events detected by the rule.

NOTE: If you need a report that lists a specific number of most-triggered IPS rules that detected MVX-correlated
events, you can generate an IPS Top N MVX-Correlated report and specify any value for N, from 1 through 100. That
report provides the top MVX-correlated IPS events, the top perpetrators of MVX-correlated IPS events, and the top
victims of MVX-correlated IPS events.

Top 10 Attackers

This section of the report lists the ten most-active attackers found by IPS rules during the specified reporting period.

l Attacker—IP address of an attacker host found by IPS rules.

l # of Victims—Number of victim hosts associated with the attacker host.

NOTE: If you need a report that lists a specific number of most-active attackers found by IPS rules, you can generate
an IPS Top N Attackers report and specify any value for N, from 1 through 100.

Top 10 Victims

This section of the report lists the ten most-attacked victims found by IPS rules during the specified reporting period.

l Victim—IP address of a victim host found by IPS rules.

l # of Rules Matched—Number of IPS rules that matched attacks on the victim.

NOTE: If you need a report that lists a specific number of most-attacked victims found by IPS rules, you can
generate an IPS Top N Victims report and specify any value for N, from 1 through 100.

Top Attacks by Category

This section of the report shows the percentage breakdown of critical and major events (severity levels 4 - 10) by
category during the specified reporting period. The PDF formatted report displays a color-coded pie chart of the
percentage breakdown for the attack categories. The CSV formatted report lists both the percentage and event
count for each attack category.

IPS Alert Trend Analysis

This section of the report displays a chart that tracks the number of infections associated with critical IPS events
(severity levels 7 - 10) and major IPS events (severity levels 4 - 6) detected during the specified reporting period.

Prerequisites

l Log in to the Web UI of the IPS-enabled appliance as Monitor, Analyst, Operator, or Admin.


Generating a Report (Web UI)

To generate an IPS Executive Summary report:


1. Open the Reports > Reports page.

2. In the Report Type field, select IPS Executive Summary.

3. In the Report Format field, select the report output format.

l pdf—Write the report to an Adobe PDF file.

l csv—Write the report to a CSV file.

4. In the Time frame field, select the period of time that the report is to cover.

l past day—Report covers analysis performed during the past 24 hours.

l past week—Report covers analysis performed during the past 7 days.

l past month—Report covers analysis performed during the past 1 month.

l between—Report covers analysis performed between the specified From date and time and the specified
To date and time.

5. Click Generate Report. The page confirms receipt of your request.

When the report is complete, a link to the report file appears below the Generate Reports label.

Scheduling a Report (Web UI)

To schedule an IPS Executive Summary report:


1. Open the Reports > Schedule page.

2. In the Scheduled field, select the report frequency:

l hourly

l daily

l weekly

l monthly

3. In the Time fields, specify the report time.

4. If you selected a weekly report, specify the report day of the week in the WeekDay field.

5. If you selected a monthly report, specify the report day of the month in the MonthDay field.

6. In the Delivery field, select the report delivery method:

l email—Deliver the report as a file attached to email. For information about configuring email notification,
see the NX Series Threat Management Guide.

l file—Deliver the report as a file linked from the Web UI.

7. In the Report Type field, select IPS Executive Summary.


8. In the Report Format field, select the report output format.

l pdf—Write the report to an Adobe PDF file.

l csv—Write the report to a CSV file.

9. In the Time frame field, select the period of time that the report is to cover.

l past day—Report covers analysis performed during the past 24 hours.

l past week—Report covers analysis performed during the past 7 days.

l past month—Report covers analysis performed during the past 1 month.

l between—Report covers analysis performed between the specified From date and time and the specified
To date and time.

10. Click Schedule Report. The scheduled report is added to the top of the scheduling list.


IPS Policy Configuration Summary


This topic covers the following information:

l Report Overview

l Prerequisites

l Generating a Report (Web UI)

l Scheduling a Report (Web UI)

Report Overview

The IPS Policy Configuration Summary report provides a high-level view of active IPS policies.

You can request the report to be output as a PDF file or as a CSV file. The format of the report file name is ips_
policy_configuration_summary_hostName_dateCreated_timeCreated, where hostName is the host name
assigned to your appliance, and dateCreated and timeCreated identify the date and time the report was created.

The report contains the following sections for each active monitoring interface:

Identification of Active IPS Policies by Monitoring Interface

At the top of the report, two colored boxes identify the active IPS policies by monitoring interface.

In the following example, the platform has one monitoring interface and the default IPS policy Comprehensive is
active on the interface:

In the following example, the platform has two monitoring interfaces and the custom IPS policies a_policy and b_
policy are active on the interfaces:

Count of Active and Excluded Rules Per Active Monitoring Interface

The first interface-specific section of the report displays two colored boxes:

l Active Rules—The number of active IPS rules for the active monitoring interface.

l Rules Excluded—The number of IPS rules explicitly excluded by an attribute of the IPS policy applied to the
monitoring interface. Note: You can configure rule-exclusion and rule-inclusion attributes for custom IPS
policies only.

In the following example, the IPS policy applied to the monitoring interface matches 1199 IPS rules in the appliance
database. If the IPS policy is configured with IPS rule exclusion attributes, none of those attributes affect the
matched IPS rules, because the number of Rules Excluded is 0.


Summary of Active Rules Per Active Monitoring Interface

For each active monitoring interface, the second section of the report breaks down the active rules (but not the
excluded rules) into the following statistics:

Protocol
Number of IPS rules that cover vulnerabilities in each protocol, such as HTTP, NetBIOS, POP3, DNS, DHCP,
and Telnet. For more information, see the Rule Match Attributes section in Attributes of IPS Policies.
NOTE: Default IPS policies do not use the name of the exploited protocol as a rule-selection criterion.

Attack target
Number of IPS rules that cover vulnerabilities related to each target host type, such as client, server, or client
or server. For more information, see the Rule Match Attributes section in Attributes of IPS Policies.

Threat category
Number of IPS rules that cover vulnerabilities within each supported threat category, such as denial_of_
service, exploit, and other. For more information, see the Rule Match Attributes section in Attributes of
IPS Policies.
NOTE: Default IPS policies do not use the name of the exploited protocol as a rule-selection criterion.

Number of IPS rules by threat severity level


Number of IPS rules that cover vulnerabilities within each supported threat severity range: Critical (7 - 10);
Major (4 - 6); Minor (1 - 3). For more information, see the Rule Match Attributes section in Attributes of
IPS Policies.

IPS policy match attributes


Lists each match attribute specified in the IPS policy. For more information, see the Rule Match Attributes
section in Attributes of IPS Policies.
NOTE: Default IPS policies do not use the name of the exploited protocol or the threat category as a rule-
selection criterion.
In the following example, a custom IPS policy specifies match criteria for the exploit threat category, for the
HTTP protocol, for both the client and server as attack targets, and minimum and maximum severity levels
1 and 10.

Prerequisites
l Log in to the Web UI of the IPS-enabled appliance as Monitor, Analyst, Operator, or Admin.


Generating a Report (Web UI)

To generate an IPS Policy Configuration Summary report:


1. Open the Reports > Reports page.

2. In the Report Type field, select IPS Policy Configuration Summary.

3. In the Report Format field, select the report output format.

l pdf—Write the report to an Adobe PDF file.

l csv—Write the report to a CSV file.

4. Click Generate Report. The page confirms receipt of your request.

When the report is complete, a link to the report file appears below the Generate Reports label.

Scheduling a Report (Web UI)

To schedule an IPS Policy Configuration Summary report:


1. Open the Reports > Schedule page.

2. In the Scheduled field, select the report frequency:

l hourly

l daily

l weekly

l monthly

3. In the Time fields, specify the report time.

4. If you selected a weekly report, specify the report day of the week in the WeekDay field.

5. If you selected a monthly report, specify the report day of the month in the MonthDay field.

6. In the Delivery field, select the report delivery method:

l email—Deliver the report as a file attached to email. For information about configuring email notification,
see the NX Series Threat Management Guide.

l file—Deliver the report as a file linked from the Web UI.

7. In the Report Type field, select IPS Policy Configuration Summary.

8. In the Report Format field, select the report output format.

l pdf—Write the report to an Adobe PDF file.

l csv—Write the report to a CSV file.

9. Click Schedule Report. The page confirms receipt of your request.

When the report is complete, a link to the report file appears below the Generate Reports label.


IPS Policy Configuration Details


This topic covers the following information:

l Report Overview

l Prerequisites

l Generating a Report (Web UI)

l Scheduling a Report (Web UI)

Report Overview

The IPS Policy Configuration Details report provides a high-level view of active IPS policies, followed by a list of
IPS rules activated by the policies.

You can request the report to be output as a PDF file or as a CSV file. The format of the report file name is ips_
policy_configuration_detail_hostName_dateCreated_timeCreated, where hostName is the host name assigned to
your appliance, and dateCreated and timeCreated identify the date and time the report was created.

The report contains the following sections for each active monitoring interface:

Identification of Active IPS Policies by Monitoring Interface

At the top of the report, two colored boxes identify the active IPS policies by monitoring interface.

In the following example, the platform has one monitoring interface and the default IPS policy Comprehensive is
active on the interface:

In the following example, the platform has two monitoring interfaces and the custom IPS policies a_policy and b_
policy are active on the interfaces:

Count of Active and Excluded Rules Per Active Monitoring Interface

The first interface-specific section of the report displays two colored boxes:

• Active Rules—The number of active IPS rules for the active monitoring interface.

• Rules Excluded—The number of IPS rules explicitly excluded by an attribute of the IPS policy applied to the
  monitoring interface. Note: You can configure rule-exclusion and rule-inclusion attributes for custom IPS
  policies only.

In the following example, the IPS policy applied to the monitoring interface matches 1199 IPS rules in the appliance
database. If the IPS policy is configured with IPS rule exclusion attributes, none of those attributes affect the
matched IPS rules, because the number of Rules Excluded is 0.


Summary of Active Rules Per Active Monitoring Interface

For each active interface, the second section breaks down the active rules (but not the excluded rules) into the
following statistics:

Protocol
Number of IPS rules that cover vulnerabilities in each protocol, such as HTTP, NetBIOS, POP3, DNS, DHCP,
and Telnet. For more information, see the Rule Match Attributes section in Attributes of IPS Policies.
NOTE: Default IPS policies do not use the name of the exploited protocol as a rule-selection criterion.

Attack target
Number of IPS rules that cover vulnerabilities related to each target host type, such as client, server, or client
or server. For more information, see the Rule Match Attributes section in Attributes of IPS Policies.

Threat category
Number of IPS rules that cover vulnerabilities within each supported threat category, such as
denial_of_service, exploit, or other. For more information, see the Rule Match Attributes section in
Attributes of IPS Policies.
NOTE: Default IPS policies do not use the threat category as a rule-selection criterion.

Number of IPS rules by threat severity level
Number of IPS rules that cover vulnerabilities within each supported threat severity range: Critical (7 - 10),
Major (4 - 6), or Minor (1 - 3). For more information, see the Rule Match Attributes section in Attributes of
IPS Policies.

IPS policy match attributes
Lists each match attribute specified in the IPS policy. For more information, see the Rule Match Attributes
section in Attributes of IPS Policies.
NOTE: Default IPS policies do not use the name of the exploited protocol or the threat category as a
rule-selection criterion.
In the following example, a custom IPS policy specifies match criteria for the exploit threat category, for the
HTTP protocol, for both the client and server as attack targets, and minimum and maximum severity levels
1 and 10.

List of Active Rules Per Monitoring Interface

For each active interface, the third section lists all active rules, including the following information:

• Rule name

• Threat severity category (minor, major, or critical)

• Attack target

• CVE ID (if the IPS rule references a vulnerability in the CVE database)

• Attack category

• Protocol

• Does it block? (Yes or No)
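The figures above (Active Rules, Rules Excluded, the per-protocol, per-target, per-category and per-severity-band
counts, and the per-rule listing) are all derived from one operation: applying a policy's match attributes and
exclusion/inclusion lists to the rule database. The following Python is an added illustration of that derivation and
is not FireEye code; the Rule and Policy records, the rule set, the policy a_policy and the convention that an empty
match attribute means "no restriction" are all constructed assumptions for this example, and the severity bands
are the ones the report defines.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed, simplified rule records (assumption: NOT FireEye's rule database
# format). Field names mirror the columns the report lists: rule name, severity,
# attack target, CVE ID, attack category, protocol, and whether the rule blocks.
@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str      # e.g. "HTTP", "DNS", "NetBIOS"
    target: str        # "client", "server" or "client or server"
    category: str      # e.g. "exploit", "denial_of_service", "other"
    severity: int      # 1..10
    blocks: bool
    cve: str = ""      # left empty in this constructed sample

@dataclass
class Policy:
    name: str
    # Assumption for this example: an empty match set means "no restriction".
    protocols: set = field(default_factory=set)
    targets: set = field(default_factory=set)
    categories: set = field(default_factory=set)
    severity_min: int = 1
    severity_max: int = 10
    excluded: set = field(default_factory=set)   # rule names explicitly excluded
    included: set = field(default_factory=set)   # rule names explicitly included

# Severity bands exactly as the report defines them.
SEVERITY_BANDS = (("Critical", 7, 10), ("Major", 4, 6), ("Minor", 1, 3))

def severity_band(severity: int) -> str:
    for label, low, high in SEVERITY_BANDS:
        if low <= severity <= high:
            return label
    raise ValueError(f"severity out of range 1-10: {severity}")

def rule_matches(policy: Policy, rule: Rule) -> bool:
    """Apply the policy's match attributes to one rule."""
    if policy.protocols and rule.protocol not in policy.protocols:
        return False
    # A "client or server" rule matches if either side is a selected target.
    rule_targets = set(rule.target.split(" or "))
    if policy.targets and not (rule_targets & policy.targets):
        return False
    if policy.categories and rule.category not in policy.categories:
        return False
    return policy.severity_min <= rule.severity <= policy.severity_max

def evaluate_policy(policy: Policy, rules: list) -> dict:
    """Derive the report's per-interface figures from a policy and a rule set."""
    matched = [r for r in rules if rule_matches(policy, r)]
    excluded = [r for r in matched if r.name in policy.excluded]
    active = [r for r in matched if r.name not in policy.excluded]
    # Inclusion list (assumption): adds rules the match attributes did not select.
    active += [r for r in rules if r.name in policy.included and r not in matched]
    return {
        "active_count": len(active),
        "excluded_count": len(excluded),
        "by_protocol": dict(Counter(r.protocol for r in active)),
        "by_target": dict(Counter(r.target for r in active)),
        "by_category": dict(Counter(r.category for r in active)),
        "by_severity": dict(Counter(severity_band(r.severity) for r in active)),
        "rules": [
            {"name": r.name, "severity": severity_band(r.severity).lower(),
             "target": r.target, "cve": r.cve, "category": r.category,
             "protocol": r.protocol, "blocks": "Yes" if r.blocks else "No"}
            for r in sorted(active, key=lambda r: r.name)
        ],
    }

# Constructed sample rule set (hypothetical names, not real signatures).
RULES = [
    Rule("web_client_exploit", "HTTP", "client", "exploit", 8, True),
    Rule("web_server_exploit", "HTTP", "server", "exploit", 5, True),
    Rule("web_server_dos", "HTTP", "server", "denial_of_service", 6, False),
    Rule("dns_exploit", "DNS", "client or server", "exploit", 3, False),
    Rule("smb_exploit", "NetBIOS", "client or server", "exploit", 9, True),
    Rule("http_probe", "HTTP", "client or server", "other", 2, False),
]

# A custom policy in the spirit of the page's example: HTTP, client and server
# targets, severity 1-10, exploit and DoS categories, one rule excluded by name.
A_POLICY = Policy("a_policy", protocols={"HTTP"}, targets={"client", "server"},
                  categories={"exploit", "denial_of_service"},
                  excluded={"web_server_dos"})

REPORT = evaluate_policy(A_POLICY, RULES)

if __name__ == "__main__":
    print(f"Active Rules: {REPORT['active_count']}  Rules Excluded: {REPORT['excluded_count']}")
    for key in ("by_protocol", "by_target", "by_category", "by_severity"):
        print(key, REPORT[key])
    for row in REPORT["rules"]:
        print(row)
```

Two points the report text implies but does not spell out are visible here: a rule is counted as Rules Excluded only
if the match attributes selected it first (a rule the policy never matched is neither active nor excluded), and the
breakdown sections count active rules only, so excluding a rule removes it from every per-attribute figure. A
policy with no match restrictions (the default-policy case) activates every rule and excludes none.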

Prerequisites

• Log in to the Web UI of the IPS-enabled appliance as Monitor, Analyst, Operator, or Admin.

Generating a Report (Web UI)

To generate an IPS Policy Configuration Details report:


1. Open the Reports > Reports page.

2. In the Report Type field, select IPS Policy Configuration Details.

3. In the Report Format field, select the report output format.

   • pdf—Write the report to an Adobe PDF file.

   • csv—Write the report to a CSV file.

4. Click Generate Report. The page confirms receipt of your request.

When the report is complete, a link to the report file appears below the Generate Reports label.

Scheduling a Report (Web UI)

To schedule an IPS Policy Configuration Details report:


1. Open the Reports > Schedule page.

2. In the Scheduled field, select the report frequency:

   • hourly

   • daily

   • weekly

   • monthly

3. In the Time fields, specify the report time.

4. If you selected a weekly report, specify the report day of the week in the WeekDay field.

5. If you selected a monthly report, specify the report day of the month in the MonthDay field.

6. In the Delivery field, select the report delivery method:

   • email—Deliver the report as a file attached to email. For information about configuring email notification,
     see the NX Series Threat Management Guide.

   • file—Deliver the report as a file linked from the Web UI.

7. In the Report Type field, select IPS Policy Configuration Details.

8. In the Report Format field, select the report output format.

   • pdf—Write the report to an Adobe PDF file.

   • csv—Write the report to a CSV file.

9. Click Schedule Report. The page confirms receipt of your request.

When the report is complete, a link to the report file appears below the Generate Reports label.


IPS Top N Attacks

This topic covers the following information:

• Report Overview

• Prerequisites

• Generating a Report (Web UI)

• Scheduling a Report (Web UI)

Report Overview

The Top N Attacks report lists the specified number (1 through 100) of most-triggered IPS rules during the
specified reporting period:

• Rule Description—Name of the IPS rule that detected an event.

• Attack Count—Number of events detected by the rule.

You can request the report to be output as a PDF file or as a CSV file. The format of the report file name is
ips_top_n_attack_hostName_dateCreated_timeCreated, where hostName is the host name assigned to your appliance,
and dateCreated and timeCreated identify the date and time the report was created.

NOTE: If you need a report that lists IPS rules that triggered MVX-correlated IPS events, you can generate an IPS
Top N MVX Correlated report and view the report section titled Top <n> Attacks.

Prerequisites

• Log in to the Web UI of the IPS-enabled appliance as Monitor, Analyst, Operator, or Admin.

Generating a Report (Web UI)

To generate a report of the IPS Top N Attacks:


1. Open the Reports > Reports page.

2. In the Report Type field, select Top N Attacks.

3. In the Report Format field, select the report output format.

   • pdf—Write the report to an Adobe PDF file.

   • csv—Write the report to a CSV file.

4. In the Top field, select the number of attacks to be reported. Valid range is 1 - 100.

5. In the Interface field, select the monitoring interfaces to be reported.

6. In the Time frame field, select the period of time that the report is to cover.

   • past day—The past 24 hours.

   • past week—The past 7 days.

   • past month—The past 1 month.

   • between—Between the From and To dates and times you specify.

7. Click Generate Report. The page confirms receipt of your request.

When the report is complete, a link to the report file appears below the Generate Reports label.

Scheduling a Report (Web UI)

To schedule a report of the IPS Top N Attacks:


1. Open the Reports > Schedule page.

2. In the Scheduled field, select the report frequency:

   • hourly

   • daily

   • weekly

   • monthly

3. In the Time fields, specify the report time.

4. If you selected a weekly report, specify the report day of the week in the WeekDay field.

5. If you selected a monthly report, specify the report day of the month in the MonthDay field.

6. In the Delivery field, select the report delivery method:

   • email—Deliver the report as a file attached to email. For information about configuring email notification,
     see the NX Series Threat Management Guide.

   • file—Deliver the report as a file linked from the Web UI.

7. In the Report Type field, select Top N Attacks.

8. In the Report Format field, select the report output format.

   • pdf—Write the report to an Adobe PDF file.

   • csv—Write the report to a CSV file.

9. In the Top field, select the number of attacks to be reported. Valid range is 1 - 100.

10. In the Interface field, select the monitoring interfaces to be reported.

11. In the Time frame field, select the period of time that the report is to cover.

   • past day—The past 24 hours.

   • past week—The past 7 days.

   • past month—The past 1 month.

   • between—Between the From and To dates and times you specify.

12. Click Schedule Report. The page confirms receipt of your request.

When the report is complete, a link to the report file appears below the Generate Reports label.


IPS Top N Attackers


This topic covers the following information:

• Report Overview

• Prerequisites

• Generating a Report (Web UI)

• Scheduling a Report (Web UI)

Report Overview

The Top N Attackers report lists the specified number (1 through 100) of most-active attackers found by IPS rules
during the specified reporting period:

• Attacker—IP address of an attacker host found by IPS rules.

• # of Victims—Number of victim hosts associated with the attacker host.

You can request the report to be output as a PDF file or as a CSV file. The format of the report file name is
ips_top_n_attacker_hostName_dateCreated_timeCreated, where hostName is the host name assigned to your appliance,
and dateCreated and timeCreated identify the date and time the report was created.

NOTE: If you need a report that lists attacker hosts that sent MVX-correlated attacks detected by IPS rules, you can
generate an IPS Top N MVX Correlated report and view the report section titled Top <n> Attackers.

Prerequisites

• Log in to the Web UI of the IPS-enabled appliance as Monitor, Analyst, Operator, or Admin.

Generating a Report (Web UI)

To generate a report of the IPS Top N Attackers:


1. Open the Reports > Reports page.

2. In the Report Type field, select Top N Attackers.

3. In the Report Format field, select the report output format.

   • pdf—Write the report to an Adobe PDF file.

   • csv—Write the report to a CSV file.

4. In the Top field, select the number of attackers to be reported. Valid range is 1 - 100.

5. In the Interface field, select the monitoring interfaces to be reported.

6. In the Time frame field, select the period of time that the report is to cover.

   • past day—The past 24 hours.

   • past week—The past 7 days.

   • past month—The past 1 month.

   • between—Between the From and To dates and times you specify.

7. Click Generate Report. The page confirms receipt of your request.

When the report is complete, a link to the report file appears below the Generate Reports label.

Scheduling a Report (Web UI)

To schedule a report of the IPS Top N Attackers:


1. Open the Reports > Schedule page.

2. In the Scheduled field, select the report frequency:

   • hourly

   • daily

   • weekly

   • monthly

3. In the Time fields, specify the report time.

4. If you selected a weekly report, specify the report day of the week in the WeekDay field.

5. If you selected a monthly report, specify the report day of the month in the MonthDay field.

6. In the Delivery field, select the report delivery method:

   • email—Deliver the report as a file attached to email. For information about configuring email notification,
     see the NX Series Threat Management Guide.

   • file—Deliver the report as a file linked from the Web UI.

7. In the Report Type field, select Top N Attackers.

8. In the Report Format field, select the report output format.

   • pdf—Write the report to an Adobe PDF file.

   • csv—Write the report to a CSV file.

9. In the Top field, select the number of attackers to be reported. Valid range is 1 - 100.

10. In the Interface field, select the monitoring interfaces to be reported.

11. In the Time frame field, select the period of time that the report is to cover.

   • past day—The past 24 hours.

   • past week—The past 7 days.

   • past month—The past 1 month.

   • between—Between the From and To dates and times you specify.

12. Click Schedule Report. The page confirms receipt of your request.

When the report is complete, a link to the report file appears below the Generate Reports label.


IPS Top N Victims


This topic covers the following information:

• Report Overview

• Prerequisites

• Generating a Report (Web UI)

• Scheduling a Report (Web UI)

Report Overview

The Top N Victims report lists the specified number (1 through 100) of most-attacked victims found by IPS rules
during the specified reporting period:

• Victim—IP address of a victim host found by IPS rules.

• # of Rules Matched—Number of IPS rules that matched attacks on the victim.

You can request the report to be output as a PDF file or as a CSV file. The format of the report file name is
ips_top_n_victim_hostName_dateCreated_timeCreated, where hostName is the host name assigned to your appliance,
and dateCreated and timeCreated identify the date and time the report was created.

NOTE: If you need a report that lists victim hosts of MVX-correlated attacks detected by IPS rules, you can generate
an IPS Top N MVX Correlated report and view the report section titled Top <n> Victims.

Prerequisites

• Log in to the Web UI of the IPS-enabled appliance as Monitor, Analyst, Operator, or Admin.

Generating a Report (Web UI)

To generate a report of the IPS Top N Victims:


1. Open the Reports > Reports page.

2. In the Report Type field, select IPS Top N Victims.

3. In the Report Format field, select the report output format.

   • pdf—Write the report to an Adobe PDF file.

   • csv—Write the report to a CSV file.

4. In the Top field, select the number of victims to be reported. Valid range is 1 - 100.

5. In the Interface field, select the monitoring interfaces to be reported.

6. In the Time frame field, select the period of time that the report is to cover.

   • past day—The past 24 hours.

   • past week—The past 7 days.

   • past month—The past 1 month.

   • between—Between the From and To dates and times you specify.

7. Click Generate Report. The page confirms receipt of your request.

When the report is complete, a link to the report file appears below the Generate Reports label.

Scheduling a Report (Web UI)

To schedule a report of the IPS Top N Victims:


1. Open the Reports > Schedule page.

2. In the Scheduled field, select the report frequency:

   • hourly

   • daily

   • weekly

   • monthly

3. In the Time fields, specify the report time.

4. If you selected a weekly report, specify the report day of the week in the WeekDay field.

5. If you selected a monthly report, specify the report day of the month in the MonthDay field.

6. In the Delivery field, select the report delivery method:

   • email—Deliver the report as a file attached to email. For information about configuring email notification,
     see the NX Series Threat Management Guide.

   • file—Deliver the report as a file linked from the Web UI.

7. In the Report Type field, select IPS Top N Victims.

8. In the Report Format field, select the report output format.

   • pdf—Write the report to an Adobe PDF file.

   • csv—Write the report to a CSV file.

9. In the Top field, select the number of victims to be reported. Valid range is 1 - 100.

10. In the Interface field, select the monitoring interfaces to be reported.

11. In the Time frame field, select the period of time that the report is to cover.

   • past day—The past 24 hours.

   • past week—The past 7 days.

   • past month—The past 1 month.

   • between—Between the From and To dates and times you specify.

12. Click Schedule Report. The page confirms receipt of your request.

When the report is complete, a link to the report file appears below the Generate Reports label.


IPS Top N MVX-Correlated


This topic covers the following information:

• Report Overview

• Prerequisites

• Generating a Report (Web UI)

• Scheduling a Report (Web UI)

Report Overview

For each monitoring interface you specify, the IPS Top N MVX-Correlated report contains information about MVX-
correlated attacks detected using IPS rules.

You can request the report to be output as a PDF file or as a CSV file. The format of the report file name is
ips_top_n_mvx_correlated_hostName_dateCreated_timeCreated, where hostName is the host name assigned to your
appliance, and dateCreated and timeCreated identify the date and time the report was created.

The report contains the following sections for each active monitoring interface:

Top N Attacks

This section of the report identifies the top N IPS rules that detected attacks during the specified reporting period,
including the number of associated attacks.

Report Field Name      Report Field Description
#                      List item number.
Rule Description       Descriptive name of an IPS rule used to detect MVX-correlated attacks.
# of Times Verified    Number of MVX-correlated attacks detected by the IPS rule during the specified
                       reporting period.

Top N Attackers

This section of the report identifies the IP addresses of the top N attackers responsible for the most attacks during
the specified reporting period.

Report Field Name      Report Field Description
#                      List item number.
Attacker               IP address of attacker responsible for an MVX-correlated IPS event.
# of Victims           Number of victims of the MVX-correlated attacks detected by IPS rules and sent by
                       this attacker during the specified reporting period.


Top N Victims

This section of the report identifies the top N victims of the most attacks detected by IPS rules during the specified
reporting period.

Report Field Name      Report Field Description
#                      List item number.
Victim                 IP address of a victim of an attack detected using an IPS rule.
# of Rules Matched     Number of IPS rules used to detect attacks on the victim during the specified
                       reporting period.
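The four Top N reports (Top N Attacks, Top N Attackers, Top N Victims, and the three sections of this
MVX-Correlated report) are the same three aggregations over the IPS event store, with the Interface, Time frame
and Top fields applied first and, for this report, the events restricted to those MVX analysis has verified. The
following Python is an added illustration of those aggregations and is not FireEye code; the IpsEvent record, the
fixed clock, the sample events (documentation address ranges, hypothetical rule names) and the choice to
approximate "past month" as 30 days are all constructed assumptions for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

class IpsEvent(NamedTuple):
    ts: datetime
    interface: str        # monitoring interface, "A" or "B"
    rule: str             # descriptive name of the IPS rule that fired
    attacker: str
    victim: str
    mvx_correlated: bool  # True once MVX analysis has verified the attack

# Fixed "now" so the constructed sample is reproducible (assumption).
NOW = datetime(2015, 6, 10, 12, 0, 0)

# Constructed sample events: RFC 5737 documentation addresses, hypothetical rule names.
EVENTS = [
    IpsEvent(NOW - timedelta(hours=1), "A", "rule_http_x", "203.0.113.5", "192.0.2.10", True),
    IpsEvent(NOW - timedelta(hours=2), "A", "rule_http_x", "203.0.113.5", "192.0.2.11", False),
    IpsEvent(NOW - timedelta(hours=3), "A", "rule_smb_y",  "203.0.113.7", "192.0.2.10", True),
    IpsEvent(NOW - timedelta(hours=5), "B", "rule_http_x", "203.0.113.7", "192.0.2.12", False),
    IpsEvent(NOW - timedelta(days=2),  "A", "rule_dns_z",  "203.0.113.9", "192.0.2.10", False),
    IpsEvent(NOW - timedelta(days=40), "A", "rule_http_x", "203.0.113.5", "192.0.2.10", True),
]

def time_frame(frame, now=NOW, start=None, end=None):
    """Map the report's Time frame choices to an inclusive (start, end) window."""
    if frame == "past day":
        return now - timedelta(days=1), now
    if frame == "past week":
        return now - timedelta(days=7), now
    if frame == "past month":
        return now - timedelta(days=30), now   # assumption: one month ~= 30 days
    if frame == "between":
        if start is None or end is None:
            raise ValueError("'between' needs both From and To")
        return start, end
    raise ValueError(f"unknown time frame: {frame}")

def select_events(events, interfaces, frame, now=NOW, start=None, end=None):
    """Apply the Interface and Time frame report fields."""
    lo, hi = time_frame(frame, now, start, end)
    return [e for e in events if e.interface in interfaces and lo <= e.ts <= hi]

def _top(counts, n):
    # The Top field is valid for 1 - 100; ties are broken by name for stable output.
    if not 1 <= n <= 100:
        raise ValueError("Top must be in the range 1 - 100")
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def top_n_attacks(events, n):
    """Rule Description -> Attack Count (events detected by the rule)."""
    return _top(Counter(e.rule for e in events), n)

def top_n_attackers(events, n):
    """Attacker -> # of Victims (distinct victim hosts hit from that attacker)."""
    victims = defaultdict(set)
    for e in events:
        victims[e.attacker].add(e.victim)
    return _top({a: len(v) for a, v in victims.items()}, n)

def top_n_victims(events, n):
    """Victim -> # of Rules Matched (distinct rules that fired on that victim)."""
    rules = defaultdict(set)
    for e in events:
        rules[e.victim].add(e.rule)
    return _top({v: len(r) for v, r in rules.items()}, n)

def top_n_mvx_correlated(events, n):
    """The three sections of the Top N MVX-Correlated report: the same three
    aggregations restricted to MVX-verified events (# of Times Verified)."""
    verified = [e for e in events if e.mvx_correlated]
    return {"attacks": top_n_attacks(verified, n),
            "attackers": top_n_attackers(verified, n),
            "victims": top_n_victims(verified, n)}

if __name__ == "__main__":
    day = select_events(EVENTS, {"A", "B"}, "past day")
    print("Top N Attacks:", top_n_attacks(day, 10))
    print("Top N Attackers:", top_n_attackers(day, 10))
    print("Top N Victims:", top_n_victims(day, 10))
    print("Top N MVX-Correlated:", top_n_mvx_correlated(day, 10))
```

Note the difference between the three counts: Attack Count is a count of events, while # of Victims and # of Rules
Matched count distinct hosts and distinct rules, so an attacker that hits one victim a hundred times ranks below one
that hits two victims once each. That is why the Top N Attackers and Top N Victims reports are the ones to read for
breadth of activity, and Top N Attacks for volume.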

Prerequisites

• Log in to the Web UI of the IPS-enabled appliance as Monitor, Analyst, Operator, or Admin.

Generating a Report (Web UI)

To generate an IPS Top N MVX-Correlated report:


1. Open the Reports > Reports page.

2. In the Report Type field, select IPS Top N MVX Correlated.

3. In the Report Format field, select the report output format.

   • pdf—Write the report to an Adobe PDF file.

   • csv—Write the report to a CSV file.

4. In the Top field, select the number of attacks to be reported. Valid range is 1 - 100.

5. In the Interface field, select the monitoring interfaces to be reported.

6. In the Time frame field, select the period of time that the report is to cover.

   • past day—The past 24 hours.

   • past week—The past 7 days.

   • past month—The past 1 month.

   • between—Between the From and To dates and times you specify.

7. Click Generate Report. The page confirms receipt of your request.

When the report is complete, a link to the report file appears below the Generate Reports label.


Scheduling a Report (Web UI)

To schedule an IPS Top N MVX-Correlated report:


1. Open the Reports > Schedule page.

2. In the Scheduled field, select the report frequency:

   • hourly

   • daily

   • weekly

   • monthly

3. In the Time fields, specify the report time.

4. If you selected a weekly report, specify the report day of the week in the WeekDay field.

5. If you selected a monthly report, specify the report day of the month in the MonthDay field.

6. In the Delivery field, select the report delivery method:

   • email—Deliver the report as a file attached to email. For information about configuring email notification,
     see the NX Series Threat Management Guide.

   • file—Deliver the report as a file linked from the Web UI.

7. In the Report Type field, select IPS Top N MVX Correlated.

8. In the Report Format field, select the report output format.

   • pdf—Write the report to an Adobe PDF file.

   • csv—Write the report to a CSV file.

9. In the Top field, select the number of attacks to be reported. Valid range is 1 - 100.

10. In the Interface field, select the monitoring interfaces to be reported.

11. In the Time frame field, select the period of time that the report is to cover.

   • past day—The past 24 hours.

   • past week—The past 7 days.

   • past month—The past 1 month.

   • between—Between the From and To dates and times you specify.

12. Click Schedule Report. The page confirms receipt of your request.

When the report is complete, a link to the report file appears below the Generate Reports label.



Appendix: CLI Support for IPS Features
This section lists FireEye CLI commands that support IPS features on an NX Series platform.

email notify event (Option for IPS) 224

fenotify alert ips-event 226

fenotify preferences ips-delivery-mode 228

ips apply 229

ips auto-update enable 231

ips blockmode 232

ips brute-force threshold 234

ips detail-filter 235

ips policy 237

ips policy clone 238

ips policy match 239

ips policy rules 243

ips reconnaissance enable 245

ips reconnaissance threshold 246

policymgr signature 248

show fenotify alerts (Output for IPS) 251

show fenotify preferences 253

show ips interfaces 255

show ips policies 256

show ips reconnaissance 259

show ips status 261

show policymgr signatures 264


email notify event (Option for IPS)


To enable email notifications for inline packet inspection process state changes, use the
email notify event ips-event command in configuration mode and specify the inline-engine-down and
inline-engine-up options.

Syntax

[no] email notify event (inline-engine-down | inline-engine-up)

User Role

Operator or Admin role

Release Information

Command introduced before NX Series Release 7.1.0.

Support for notification of inline packet inspection process state changes on IPS-enabled platforms introduced in
Release 7.2.0.

Description

On an IPS-enabled platform only, enable or disable notifications for inline packet inspection process state changes.
By default, an IPS-enabled platform is disabled for sending notifications of inline packet inspection process state
changes. For more information, see Configuring Notification of Inline Packet Inspection Process State Changes
(CLI).

For more information about the email CLI command, see the FireEye CLI Command Reference.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

Parameters

no
(Optional) Use the no form of the command to disable notifications for inline packet inspection process state
changes.

inline-engine-down
If the option is enabled, stopping of the inline packet inspection process triggers an email notification.

inline-engine-up
If the option is enabled, starting of the inline packet inspection process triggers an email notification.

Sample Commands

• email notify event inline-engine-down

• email notify event inline-engine-up

• no email notify event inline-engine-down

• no email notify event inline-engine-up

email notify event inline-engine-down

hostname (config) # email notify event inline-engine-down

email notify event inline-engine-up

hostname (config) # email notify event inline-engine-up

no email notify event inline-engine-down

hostname (config) # no email notify event inline-engine-down

no email notify event inline-engine-up

hostname (config) # no email notify event inline-engine-up


fenotify alert ips-event


To enable notifications for IPS events, use the fenotify alert ips-event command in configuration mode and
specify the notification method.

Syntax

[no] fenotify notifyMethod alert ips-event enable

User Role

Operator or Admin role

Release Information

Command introduced before NX Series Release 7.1.0.

Support for notification of IPS critical events on IPS-enabled platforms introduced in Release 7.2.0.

Description

On an IPS-enabled platform only, enable or disable notifications for IPS events using the notification method you
specify. By default, an IPS-enabled platform is enabled for sending notifications of IPS critical events by email,
posting to Web servers, logging messages to a remote syslog server, and SNMP traps. For more information, see
IPS Event Notifications.

For more information about the fenotify CLI command, see the FireEye CLI Command Reference.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

Parameters

no
(Optional) Use the no form of the command to disable notifications for IPS critical events.

notifyMethod
Method for notification of IPS critical events:
   • email—Send notifications by email to one or more addresses using SMTP as configured by using
     the fenotify email default, fenotify email enable, and fenotify email service commands.
   • http—Post notifications to one or more Web servers as configured by using the
     fenotify http default, fenotify http enable, and fenotify http service commands.
   • rsyslog—Send notifications to a remote syslog server as configured by using the
     fenotify rsyslog default, fenotify rsyslog enable, and fenotify rsyslog service commands.
   • snmp—Send traps to one or more SNMP servers as configured by using the
     fenotify snmp default, fenotify snmp enable, and fenotify snmp service commands.

alert ips-event enable
Distribute notifications for IPS events.


enable
Turn on distribution of IPS event notifications by the specified notification method.

Sample Commands

• fenotify rsyslog alert ips-event enable

• fenotify snmp alert ips-event enable

• no fenotify snmp alert ips-event enable

fenotify rsyslog alert ips-event enable

hostname (config) # fenotify rsyslog alert ips-event enable

fenotify snmp alert ips-event enable

hostname (config) # fenotify snmp alert ips-event enable

no fenotify snmp alert ips-event enable

hostname (config) # no fenotify snmp alert ips-event enable


fenotify preferences ips-delivery-mode


To configure when IPS event notifications are delivered, use the fenotify preferences ips-delivery-mode
command in configuration mode. This command applies only to IPS-enabled platforms on which you have enabled
IPS event notifications services and configured IPS event notification methods.

Syntax

fenotify preferences ips-delivery-mode mode

User Role

Operator or Admin role

Release Information

Command introduced in Release 7.5.0 for IPS-enabled NX Series platforms only.

Description

Configures when IPS event notifications are delivered. For more information, see IPS Event Notifications.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

Parameters

mode
Specify the delivery mode for IPS event notifications:
   • instant—Send only when an IPS event is detected. This is the default value.
   • confirmation—Send only when an attack has been confirmed (either positive or negative).
   • dual—Send both when an IPS event is detected and when an attack has been confirmed.

By default, the system is configured to use instant delivery mode, which is useful in an organization that
archives notifications and then filters and analyzes the information later. When you first activate IPS features,
we recommend that you use dual mode so that you see both detection and confirmation of IPS events. If
your organization does not archive the volume of notifications generated in this mode, you can decrease the
volume of notifications by using confirmation mode.

Sample Output

fenotify preferences ips-delivery-mode dual

hostname (config) # fenotify preferences ips-delivery-mode dual


ips apply
To apply or remove an IPS policy on a monitoring interface, use the ips apply command in configuration mode.

Syntax

[no] ips apply {all | policyName interface interfaceName}

User Role

Operator or Admin role

Release Information

Command introduced in Release 7.2.0 for IPS-enabled NX Series platforms only.

Description

Apply the rule-selection criteria (match attributes, exclusion list, and inclusion list) of the specified IPS policy to the
network traffic passing through the specified monitoring interface. The system automatically sets the value of the
policy's active attribute to yes. If a different IPS policy was already active on the interfaces, the system automatically
removes that policy from the interfaces before applying the new policy.

For more information, see IPS Policy Application at Monitoring Interfaces.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

Parameters

no
Use the no form of the command to explicitly remove the specified IPS policy from the specified monitoring
interface or to remove all IPS policies from all interfaces. When the interface is not associated with an IPS
policy, traffic that passes through the interface is analyzed using standard NX Series content rules only.

all
Remove all IPS policies from all monitoring interfaces. Supported for the no form of the command only.

policyName
Name of the IPS policy to apply to monitoring interfaces on the NX Series appliance.

interface interfaceName
Apply the specified policy to the specified monitoring interface:
   • A—Monitoring interfaces labeled pether3 and pether4.
   • B—Monitoring interfaces labeled pether5 and pether6 (on appliances with two port pairs).


Sample Commands

• ips apply FireEye_Default interface A

• ips apply Default_Server_Protection interface B

• no ips apply Default_Server_Protection interface B

ips apply FireEye_Default interface A

hostname (config) # ips apply FireEye_Default interface A

ips apply Default_Server_Protection interface B

hostname (config) # ips apply Default_Server_Protection interface B

no ips apply Default_Server_Protection interface B

hostname (config) # no ips apply Default_Server_Protection interface B


ips auto-update enable
To disable or re-enable automatic addition of new IPS rules to active interfaces, use the ips auto-update enable
command in configuration mode.

Syntax

[no] ips auto-update enable

User Role

Admin role

Release Information

Command introduced in Release 7.5.0 for IPS-enabled NX Series platforms only.

Description

Control whether the IPS-enabled rules engine re-evaluates active IPS policies when the database of IPS rules is
updated.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

Default

The option is enabled by default. If your platform receives new IPS security content rules, the system re-evaluates
active IPS policies against the updated database of IPS rules.

Parameters

no
Use the no form of this command to disable automatic re-evaluation of active IPS policies when IPS rules
are updated.

Sample Output

• ips auto-update enable

• no ips auto-update enable

ips auto-update enable

hostname (config) # ips auto-update enable

no ips auto-update enable

hostname (config) # no ips auto-update enable


ips blockmode
By default, IPS blockmode is enabled. To disable IPS blockmode, restore IPS blockmode, or force blocking for all
IPS rules, use one of the ips blockmode commands in configuration mode.

Syntax

ips blockmode disabled | no ips blockmode | ips blockmode all

User Role

Admin role

Release Information

Command introduced in Release 7.2.0 for IPS-enabled NX Series platforms only.


The ips blockmode all form of the command was introduced in Release 7.5.0.

Description

On an IPS-enabled platform deployed inline and with a monitoring interface configured for inline deployment,
manage the IPS blockmode setting. To display the current setting, use the show ips status CLI command in enable
mode. For more information, see Options to Disable or Force Blocking for All IPS Rules.

ips blockmode disabled
Disable IPS blockmode. Traffic that matches an active IPS rule is allowed to pass, even for IPS rules that
specify blocking. When IPS blockmode is disabled, the platform operates in detection-only mode for IPS
rules. Matched traffic can still generate IPS events, IPS alerts, and (if configured) IPS event notifications.

no ips blockmode
Re-enable IPS blockmode. Traffic that matches an active IPS rule is blocked or allowed as specified by the
block action of the rule. If the matched IPS rule specifies the block action value blockable, the system
handles the matched traffic as if the block action value were noblock, except that you can override the
blockable action on a per-rule basis only. See Options to Disable or Force Blocking for a Vulnerability or an
IPS Rule.

ips blockmode all
Force all matched IPS rules to block traffic. Traffic that matches an active IPS rule is blocked, even for IPS
rules that specify no blocking. Matched traffic can still generate IPS events and (if configured) IPS event
notifications.

The following table lists each form of the command and its effect on the IPS blockmode state. The last three fields
describe the action taken by the matched rule.

CLI Configuration Command   IPS Blockmode State   Action Specified by the Matched IPS Rule
                                                  block    no block   blockable
no ips blockmode            enabled               Block    Allow      Allow
ips blockmode disabled      disabled              Allow    Allow      Allow
ips blockmode all           all                   Block    Block      Block




NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

To display the status of IPS blocking mode, use the show ips status CLI command in enable mode. For more
information, see Options to Disable or Force Blocking for All IPS Rules.

Default

By default, an IPS-enabled platform operates with IPS blockmode enabled.

Parameters

None.

Sample Output

• ips blockmode disabled

• no ips blockmode

• ips blockmode all

ips blockmode disabled

hostname (config) # ips blockmode disabled

no ips blockmode

hostname (config) # no ips blockmode

ips blockmode all

hostname (config) # ips blockmode all




ips brute-force threshold
To configure the IPS detection threshold for brute-force attacks on an IPS-enabled platform, use the
ips brute-force threshold command in configuration mode.

Syntax

ips brute-force threshold value

User Role

Operator or Admin role

Release Information

Command introduced in Release 7.5.0 for IPS-enabled NX Series platforms only.

Description

Configures the login failure event threshold for triggering a brute-force event. To display the current setting, use the
show ips reconnaissance CLI command in enable mode. For more information, see IPS Detection of Brute-Force
Attacks.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

Parameters

value
The platform triggers an IPS brute-force event when the number of failed login attempts to or from the same
IP address within a rolling 60-second window exceeds this value. The valid range is 5 through 1000. The
default value is 5.

Sample Output

ips brute-force threshold 10

hostname (config) # ips brute-force threshold 10




ips detail-filter
To enable detailed packet inspection on an IPS-enabled platform, use the ips detail-filter command in
configuration mode.

Syntax

[no] ips detail-filter

User Role

Admin role

Release Information

Command introduced in Release 7.5.0 for IPS-enabled NX Series platforms only.

Description

This command configures the IPS-enabled engine to perform detailed packet inspection for a list of protocol ports.
The list of protocol ports is dynamic, and FireEye controls the list through periodic updates of IPS security content.
IPS detailed packet inspection is useful for inspecting traffic flows to email protocols and detecting brute-force
attacks.

IMPORTANT! IPS detailed packet inspection may slow IPS processing.

For more information, see About IPS Detection of Brute-Force Attacks.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

Default

This feature is disabled by default.

Parameters

no
Use the no form of this command to disable IPS detailed filtering.

Sample Output

• ips detail-filter

• no ips detail-filter

ips detail-filter

hostname (config) # ips detail-filter




no ips detail-filter

hostname (config) # no ips detail-filter




ips policy
To create or delete a custom IPS policy, use the ips policy command in configuration mode.

Syntax

[no] ips policy policyName

User Role

Operator or Admin role

Release Information

Command introduced in Release 7.2.0 for IPS-enabled NX Series platforms only.

Description

Create or delete a new custom IPS policy. The new policy inherits the match attributes of the default IPS policy
named Comprehensive. For more information, see IPS Policy Configuration.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

Parameters

no
Use the no form of the command to delete a custom IPS policy. The policy must be inactive.

policyName
Name of the custom IPS policy to create or delete. Custom IPS policy names are case-sensitive and can
consist of alphanumeric characters only.

Sample Output

• ips policy myCustom1

• no ips policy myCustom1

ips policy myCustom1

hostname (config) # ips policy myCustom1

no ips policy myCustom1

hostname (config) # no ips policy myCustom1




ips policy clone
To clone an IPS policy definition, use the ips policy clone command in configuration mode.

Syntax

ips policy existingPolicyName clone newPolicyName

User Role

Operator or Admin role

Release Information

Command introduced in Release 7.2.0 for IPS-enabled NX Series platforms only.

Description

Clone the specified IPS policy in order to create a new custom IPS policy.

For more information, see IPS Policy Configuration.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

Parameters

existingPolicyName
Name of the existing IPS policy to copy. You can clone a default IPS policy or a custom IPS policy.

newPolicyName
Name of the new IPS policy to create. Custom IPS policy names are case-sensitive and can consist of
alphanumeric characters only.

Sample Command

hostname (config) # ips policy FireEye_Default clone myCustom1




ips policy match
To add, change, or remove rule-selection match attributes on a custom IPS policy, use the ips policy match
command in configuration mode.

Syntax

[no] ips policy policyName match (attack-target hostType | category categoryName [sub_category subCategoryName] | max-severity maxLevel | min-severity minLevel | protocol protocolName)

User Role

Operator or Admin role

Release Information

Command introduced in Release 7.2.0 for IPS-enabled NX Series platforms only.

Description

For a custom IPS policy only, you can add, change, or remove rule-selection match attributes.

For more information about IPS policies, see IPS Policy Configuration.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

Parameters

no
Use the no form of the command to remove an attack-target, category, sub_category, or protocol match
attribute from the policy.

attack-target hostType
(Required) Select rules for the specified type of targeted host:
• client—Matches rules oriented toward client systems.
• server—Matches rules oriented toward server systems.

category categoryName
(Optional) Select rules for the specified type of attack category:
• brute_force
• command_execution
• cross-site_scripting
• denial_of_service
• exploit
• reconnaissance
• unknown
• other




sub_category subCategoryName
(Optional) If a category match attribute is specified, you can narrow the category match to rules that cover
the specified type of attack subcategory.
brute_force subcategories:
• telnet-bf
• ftp-bf
• vnc-bf
• mysql-bf
• smb-bf
• rsh-bf
• postgresql-bf
• rlogin-bf

command_execution subcategories:
• input_validation_error
• directory_traversal

cross-site_scripting subcategories:
• input_validation_error
• other

denial_of_service subcategories:
• input_validation_error
• resource_exhaustion
• other

directory_traversal subcategories:
• information_disclosure
• input_validation_error

exploit subcategories:
• code_execution
• command_execution
• command_injection
• design_weakness
• directory_traversal
• information_leakage
• input_validation_error
• other

policy_bypass subcategories:
• authentication_weakness

other subcategories:
• authentication_weakness
• information_disclosure
• other




max-severity maxLevel
(Required) Select rules that cover vulnerabilities of the specified severity level or lower, but not below the
level specified by the min-severity minLevel setting. Range: 1 through 10, inclusive.

min-severity minLevel
(Required) Select rules that cover vulnerabilities of the specified severity level or higher, but not exceeding
the level specified by the max-severity maxLevel setting. Range: 1 through 10, inclusive.

protocol protocolName
(Option for custom policies only) Select IPS rules that cover vulnerabilities related to the specified network
protocols. At the time of this software release, IPS rules detect threats that exploit the following protocols:
ABB products, AgentX, Arkeia Network Backup Client, Autonomy Connected Backup,
Avaya WinPDM, BakBone NetVault, BigAnt Server, Blue Coat BCAAA, CA ARCserve, CA eTrust,
CA License, CA Products, CA Products Discovery Service, Cisco UCM, Citrix, CUPS, CVS,
DCE-RPC, DHCP, Digium Asterisk, DNS, EMC, eSignal, Ethereal, Flexera FlexNet manager, FTP,
Fujitsu SystemcastWizard, GAIM, Ganglia Meta Daemon, GDS DB, GE Proficy, GIMP, GIOP,
HP Data Protector, HP Intelligent Mgmt Center, HP LeftHand Virtual SAN, HP Mercury,
HP OpenView, HP Operations Agent, HP StorageWorks, HTTP, http, IAX2, IBM DB2, IBM Director,
IBM SolidDB, IBM Tivoli, ICQ, IEC 61131, IMAP, Intellicom NetBiter Config, IPSwitch WS_FTP,
IRC, ISAKMP, iSCSI, KADM5, Kerberos, KPASSWD, LANDesk Management Suite, LDAP, LLMNR, LPD,
McAfee ePO, Microsoft TMG, MMS, MS Host Integration Server, MSN Messenger, NCP, NDMP,
NetBIOS, NFS, NMAP, NNTP, Novell Netware, Novell ZENworks, NTP, Oracle WebLogic, POP3,
Portmap, Quest Software Big Brother, RADIUS, RAW, RDP, RIM BlackBerry Server, RMI, RPC, RSH,
RTMP, RTSP, sadmind, SADMIND, SAP MaxDB, SAP NetWeaver, SCADA, Siemens SIMATIC WinCC, SIP,
SKINNY, SMS, SMTP, SNMP, SOCKS, SpamAssassin, SQL, Squid Proxy, SSH, Symantec, TDS, Telnet, TFTP,
Timbuktu, TLS, TNS, TrendMicro, Trillian IM, Unisys BIS, VMware, VNC, WCCP, WHO, WINS,
Yahoo Messenger, and Zend Technologies Zend Server.
For protocols that use encryption, the IPS-enabled rules engine inspects the initial negotiation messages
only.
NOTE: This list is dynamic and subject to expansion as the FireEye Research Labs team discovers new
vulnerabilities and responds by updating threat detection algorithms and delivering new IPS rules.

Sample Output

• ips policy myCustom1 match ?

• ips policy myCustom1 match (New Policy)

• no ips policy myCustom1 match category denial_of_service (Inactive Policy)

• no ips policy myCustom2 match category denial_of_service (Active Policy)

• no ips policy myCustom2 match category denial_of_service (Inactive Policy)

ips policy myCustom1 match ?

hostname (config) # ips policy myCustom1 match ?


attack-target Add attack target for policy
category Add match criteria for a policy
max-severity Add max severity for policy
min-severity Add min severity for policy
protocol Add protocol for policy




ips policy myCustom1 match (New Policy)

hostname (config) # ips policy myCustom1


hostname (config) # ips policy myCustom1 match category denial_of_service
hostname (config) # ips policy myCustom1 match category exploit sub_category code_execution
hostname (config) # ips policy myCustom1 match protocol dhcp
hostname (config) # ips policy myCustom1 match protocol http
hostname (config) # ips policy myCustom1 match min-severity 8

hostname (config) # show ips policies myCustom1 match


category : denial_of_service
category : exploit
        sub_category : code_execution
protocol : dhcp
protocol : http
attack-target : client
attack-target : server
min-severity : 1
max-severity : 10

no ips policy myCustom1 match category denial_of_service (Inactive Policy)

hostname (config) # no ips policy myCustom1 match category denial_of_service

no ips policy myCustom2 match category denial_of_service (Active Policy)

hostname (config) # no ips policy myCustom2 match category denial_of_service


% Policy is not writable

no ips policy myCustom2 match category denial_of_service (Inactive Policy)

hostname (config) # no ips apply myCustom2 interface B


hostname (config) # no ips policy myCustom2 match category denial_of_service




ips policy rules
To include or exclude a specific IPS rule in a custom IPS policy, use the ips policy rules command in configuration
mode.

Syntax

[no] ips policy policyName rules (exclude | include) sigID

User Role

Operator or Admin role

Release Information

Command introduced in Release 7.2.0 for IPS-enabled NX Series platforms only.

Description

Modify the specified IPS policy by specifically including or excluding the specified IPS rule. The policy must be
inactive. For more information about IPS policies, see IPS Policy Configuration.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

Parameters

no
Use the no form of the command to remove the specified rule-exclusion or rule-inclusion attribute from the
specified IPS policy. The policy must be inactive.

policyName
Name of the custom IPS policy to modify. The policy must be inactive.

include sigID
Signature ID of the IPS rule to include, provided the rule is in the appliance database.

exclude sigID
Signature ID of the IPS rule to exclude, even if the rule is in the appliance database and a match attribute in
the policy would otherwise select the rule. This attribute overrides attributes specified by the
ips policy match command.

Sample Output

• ips policy myCustom1 rules exclude

• no ips policy myCustom1 rules include




ips policy myCustom1 rules exclude

hostname (config) # ips policy myCustom1 rules exclude 85300508

no ips policy myCustom1 rules include

hostname (config) # no ips policy myCustom1 rules include 85301781


hostname (config) # no ips policy myCustom1 rules include 85301782




ips reconnaissance enable
To enable IPS detection of reconnaissance activity on an IPS-enabled platform, use the
ips reconnaissance enable command in configuration mode.

Syntax

[no] ips reconnaissance enable

User Role

Admin role

Release Information

Command introduced in Release 7.5.0 for IPS-enabled NX Series platforms only.

Description

You can enable the IPS-enabled engine to detect reconnaissance activity. To display the status of this feature, use the
show ips reconnaissance CLI command in enable mode. For more information, see IPS Detection of
Reconnaissance Activity.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

Default

IPS detection of reconnaissance activity is disabled by default.

Parameters

no
Use the no form of this command to disable IPS detection of reconnaissance activity.

Sample Output

• ips reconnaissance enable

• no ips reconnaissance enable

ips reconnaissance enable

hostname (config) # ips reconnaissance enable

no ips reconnaissance enable

hostname (config) # no ips reconnaissance enable




ips reconnaissance threshold
To configure the IPS detection thresholds for reconnaissance activity on an IPS-enabled platform, use the
ips reconnaissance threshold commands in configuration mode.

Syntax

ips reconnaissance threshold ( ping-sweep value | port-scan value )

This command is available only when IPS detection of reconnaissance activity is enabled. However, IPS detection
of brute-force attacks is enabled by default.

User Role

Operator or Admin role

Release Information

Command introduced in Release 7.5.0 for IPS-enabled NX Series platforms only.

Description

On a platform enabled for IPS detection of reconnaissance activity, configure the IPS detection thresholds for
triggering ping sweep events and port scan events. To display the current settings, use the
show ips reconnaissance CLI command in enable mode. For more information, see IPS Detection of
Reconnaissance Activity.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

Parameters

ping-sweep value
The platform triggers an IPS ping sweep event when the number of ICMP exchanges to or from the same IP
address within a rolling 60-second window exceeds this value. The valid range is 10 through 1000. The
default value is 20.

port-scan value
The platform triggers an IPS port scan event when the number of TCP or UDP exchanges to or from the
same IP address within a rolling 60-second window exceeds this value. The valid range is 10 through 1000.
The default value is 200.

Sample Output

• ips reconnaissance threshold ping-sweep

• ips reconnaissance threshold port-scan

ips reconnaissance threshold ping-sweep

hostname (config) # ips reconnaissance threshold ping-sweep 30




ips reconnaissance threshold port-scan

hostname (config) # ips reconnaissance threshold port-scan 300
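Added example, not FireEye code and not a description of the appliance's own implementation: a rolling 60-second counter of exchanges "to or from the same IP address" that fires when the count exceeds a threshold, using the defaults documented for ips brute-force threshold and ips reconnaissance threshold above. The traffic is constructed and all class and function names are hypothetical.

```python
"""Rolling-window threshold detection modelled on the IPS brute-force, ping-sweep and
port-scan events described on this page. Added example with constructed traffic; not
FireEye code. Class and function names are hypothetical."""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 60
# Documented defaults: brute-force 5, ping-sweep 20, port-scan 200.
DEFAULT_THRESHOLDS = {"brute-force": 5, "ping-sweep": 20, "port-scan": 200}
# Exchange kinds in the constructed sample map onto the three documented event types.
KIND_TO_EVENT = {"login-failure": "brute-force", "icmp": "ping-sweep", "tcp-udp": "port-scan"}


@dataclass(frozen=True)
class Exchange:
    ts: float   # seconds since the start of the constructed capture
    src: str
    dst: str
    kind: str   # "login-failure", "icmp" or "tcp-udp"


class RollingWindowDetector:
    """Raises one event per (event type, IP address) when the number of exchanges
    to or from that address in the trailing 60-second window exceeds the threshold."""

    def __init__(self, thresholds=None, window=WINDOW_SECONDS):
        self.thresholds = {**DEFAULT_THRESHOLDS, **(thresholds or {})}
        self.window = window
        self._hits = defaultdict(deque)   # (event_type, ip) -> timestamps still in window
        self._last_fired = {}             # (event_type, ip) -> ts of the last event raised

    def observe(self, ex):
        event_type = KIND_TO_EVENT[ex.kind]
        fired = []
        for ip in (ex.src, ex.dst):       # counted "to or from the same IP address"
            key = (event_type, ip)
            q = self._hits[key]
            q.append(ex.ts)
            # Slide the window: drop timestamps 60 s or older than the current exchange.
            while ex.ts - q[0] >= self.window:
                q.popleft()
            # Trigger when the count *exceeds* the threshold; re-arm only after a full
            # window so one sweep or attack yields one event rather than one per packet.
            last = self._last_fired.get(key)
            if len(q) > self.thresholds[event_type] and (last is None or ex.ts - last >= self.window):
                self._last_fired[key] = ex.ts
                fired.append((event_type, ip, ex.ts))
        return fired


def detect(exchanges, thresholds=None):
    """Replay exchanges in time order; return [(event_type, ip, ts), ...]."""
    detector = RollingWindowDetector(thresholds)
    events = []
    for ex in sorted(exchanges, key=lambda e: e.ts):
        events.extend(detector.observe(ex))
    return events


# Constructed samples (not captured data).
def sample_ping_sweep():
    # One host sends ICMP to 25 different addresses, one per second.
    return [Exchange(float(i), "10.0.0.5", f"10.0.1.{i + 1}", "icmp") for i in range(25)]


def sample_port_scan():
    # 201 TCP connection attempts from one host to one target, four per second.
    return [Exchange(0.25 * i, "10.0.0.7", "10.0.3.40", "tcp-udp") for i in range(201)]


def sample_fast_brute_force():
    # Six failed logins against one server within six seconds.
    return [Exchange(float(i), "10.0.0.9", "10.0.2.20", "login-failure") for i in range(6)]


def sample_slow_brute_force():
    # Six failed logins spread 15 s apart: never more than four fall inside one window.
    return [Exchange(15.0 * i, "10.0.0.9", "10.0.2.20", "login-failure") for i in range(6)]


if __name__ == "__main__":
    print(detect(sample_ping_sweep()))                      # default threshold 20
    print(detect(sample_ping_sweep(), {"ping-sweep": 10}))  # as after "ips reconnaissance threshold ping-sweep 10"
    print(detect(sample_port_scan()))
    print(detect(sample_fast_brute_force()))
    print(detect(sample_slow_brute_force()))                # no event: the window slides
```

Because the count is kept per IP on both ends of an exchange, a one-to-one brute-force attempt raises an event for the attacking address and for the targeted server.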




policymgr signature
To override the specified blocking action for a vulnerability or IPS rule, or to suppress a vulnerability or IPS rule, use
the policymgr signature command in configuration mode. This command is available on NX Series appliances.

Syntax

policymgr signature id signatureID [ exceptionMode on interfaceName ]

no policymgr signature id signatureID [ exceptionMode on interfaceName ]

policymgr signature name signatureName [ exceptionMode on interfaceName ]

no policymgr signature name signatureName [ exceptionMode on interfaceName ]

NOTE: To take effect, a policymgr command must be followed by the policymgr refresh-policy command.

User Role

Operator or Admin role.

Release Information

Command introduced before Release 7.5.0.

Command syntax and functionality enhanced in Release 7.5.0 to support disabled or forced blocking for a
vulnerability or IPS rule and to support suppression of a vulnerability or IPS rule.

Description

Disable or force blocking of matched traffic for a vulnerability or IPS rule active on the specified interface; or
suppress a vulnerability or IPS rules on the specified interface.

The following restrictions apply to this command:

• Disabled or forced blocking is supported for IPS rules with the action option defined as blockable on
monitoring interfaces configured for inline blocking mode.

• Suppression of reconnaissance activity (ping sweeps or port scans) or brute-force attacks must be configured
for all monitoring interfaces. You cannot suppress IPS reconnaissance rules or IPS brute-force rules for
individual monitoring interfaces.

To undo this operation—to restore the blocking action or to disable suppression for a vulnerability or IPS rule—use
the no form of the command.

Use the show policymgr signatures CLI command in enable mode to display policy details about blocking or
suppression applied to vulnerabilities or individual IPS rules active on an IPS-enabled platform.

For information about blocking, see Options to Disable or Force Blocking for a Vulnerability or an IPS Rule. For
information about suppression see Options to Suppress a Vulnerability or an IPS Rule.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM Series
platform using the central management platform proxying mechanism.




Defaults

If you do not specify this command, traffic that matches the vulnerability or IPS rule is blocked as specified in the
rule definition, triggers IPS events, and generates IPS notifications as configured for the event type.

• If you use the command without specifying an exception mode and interface name:

The system configures a default exception policy for the specified vulnerability or IPS rule. On
interfaces configured for inline blocking, traffic that matches the vulnerability or IPS rule is blocked if the
action option in the rule definition is set to blockable.

• If you use the no form of the command without specifying an exception mode and interface name:

The system restores the blocking action or disables suppression for the specified vulnerability or rule
on all interfaces. Unlike using the command and specifying a specific override and ALL interfaces, this
command removes the corresponding signature from the table in the show policymgr signatures CLI
command output and from the table in the Web UI Settings > Inline Policy Exceptions page.

Parameters

signatureID
Specify a signature ID to impact traffic that matches an individual IPS rule.

signatureName
Specify an IPS rule name to impact traffic that matches all IPS rules that address the same vulnerability.

exceptionMode
To disable or force blocking for the vulnerability or rule on the specified interface, specify one of the
following values. These exception modes apply only to rules with the action option set to blockable and are
valid only for interfaces configured for inline blocking. For more information, see Options to Disable or Force
Blocking for a Vulnerability or an IPS Rule.
• block—Force blocking of traffic that matches the vulnerability or rule on the specified interface.
• do-not-block—Disable blocking of traffic that matches the vulnerability or rule on the interface.

To suppress the vulnerability or rule for traffic matched on the specified interface, specify one of the
following values. For more information, see Options to Suppress a Vulnerability or an IPS Rule.
• suppress—Suppress the vulnerability or IPS rule on the specified interface so that matched traffic
does not trigger IPS events or generate IPS notifications. Matched traffic is handled according to the
blocking action specified in the rule definition.
• suppress-unblock—On interfaces configured for inline blocking, suppress the vulnerability or IPS
rule and also disable the blocking action specified in the rule definition.

The following caveats apply to the suppression of a vulnerability or an IPS rule:

• Suppression of reconnaissance activity (ping sweeps or port scans) or brute-force attacks must be
configured for all monitoring interfaces. It cannot be configured for individual interfaces.
• The CLI configuration ips blockmode disabled disables blocking for all IPS rules and takes
precedence over rule overrides specified for a vulnerability or IPS rule. On such a system, traffic that
matches an IPS rule that is suppressed or suppressed and disabled is not suppressed and is not
blocked.
• The CLI configuration ips blockmode all forces blocking for all IPS rules and takes precedence over
rule overrides specified for a vulnerability or IPS rule. On such a system, traffic that matches an IPS
rule that is suppressed or suppressed and disabled is not suppressed and is blocked.




interfaceName
Specify the NX Series appliance monitoring interface: A, B, C, D, or ALL.

Sample Output

• policymgr signature id (Suppress a Rule on Interface A)

• policymgr signature name (Disable Blocking for a Vulnerability on All Interfaces)

• policymgr signature id (Default Configuration)

policymgr signature id (Suppress a Rule on Interface A)

hostname (config) # policymgr signature id 85308152 suppress on A

policymgr signature name (Disable Blocking for a Vulnerability on All Interfaces)

hostname (config) # policymgr signature name "Exploit Kit Landing Page" do-not-block on ALL

policymgr signature id (Default Configuration)

hostname (config) # policymgr signature id 85308153
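The following added example (not FireEye code) encodes the ips blockmode table and the policymgr signature exception modes and caveats described above in one function, so the effective handling of a rule match can be checked before a configuration change is made. It assumes a monitoring interface configured for inline blocking, which is the case the blockmode table describes; function and constant names are hypothetical.

```python
"""Effective handling of an IPS rule match under the ips blockmode setting and the
policymgr signature exception modes described on this page. Added example; not FireEye
code. Assumes a monitoring interface configured for inline blocking. Names are hypothetical."""
from dataclasses import dataclass
from typing import Optional

# no ips blockmode | ips blockmode disabled | ips blockmode all
BLOCKMODE_STATES = ("enabled", "disabled", "all")
# action option in the rule definition
RULE_ACTIONS = ("block", "noblock", "blockable")
# policymgr signature ... exceptionMode (None = no per-rule exception configured)
EXCEPTION_MODES = (None, "block", "do-not-block", "suppress", "suppress-unblock")


@dataclass(frozen=True)
class Outcome:
    traffic: str      # "Block" or "Allow"
    ips_event: bool   # False when the match is suppressed (no IPS event or notification)


def effective_outcome(blockmode: str, rule_action: str, exception: Optional[str] = None) -> Outcome:
    if blockmode not in BLOCKMODE_STATES or rule_action not in RULE_ACTIONS or exception not in EXCEPTION_MODES:
        raise ValueError("unknown blockmode, rule action or exception mode")

    # Global blockmode overrides take precedence over every per-rule override, and a
    # suppressed rule is then neither suppressed nor exempt (caveats under policymgr signature).
    if blockmode == "disabled":
        return Outcome("Allow", True)        # detection-only: events are still raised
    if blockmode == "all":
        return Outcome("Block", True)

    # blockmode enabled (the default): start from the rule's own action.
    suppressed = exception in ("suppress", "suppress-unblock")
    if rule_action == "block":
        # block/do-not-block exceptions apply only to blockable rules, so a "block" rule keeps
        # blocking unless suppress-unblock also disables the blocking action.
        traffic = "Allow" if exception == "suppress-unblock" else "Block"
    elif rule_action == "noblock":
        traffic = "Allow"
    else:  # blockable is handled as noblock unless blocking is forced per rule
        traffic = "Block" if exception == "block" else "Allow"
    return Outcome(traffic, not suppressed)


def blockmode_table():
    """Reproduce the page's table: {(blockmode, rule action): traffic verdict} with no exceptions."""
    return {(bm, ra): effective_outcome(bm, ra).traffic for bm in BLOCKMODE_STATES for ra in RULE_ACTIONS}


def explain(blockmode, rule_action, exception=None):
    o = effective_outcome(blockmode, rule_action, exception)
    event = "yes" if o.ips_event else "no"
    return f"blockmode={blockmode} action={rule_action} exception={exception}: {o.traffic}, event={event}"


if __name__ == "__main__":
    for row in blockmode_table().items():
        print(row)
    print(explain("enabled", "block", "do-not-block"))   # still Block: exception ignored for a non-blockable rule
    print(explain("disabled", "blockable", "suppress"))  # Allow, event=yes: blockmode disabled defeats suppression
```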




show fenotify alerts (Output for IPS)
To display FireEye event notification alerts, use the show fenotify alerts command in enable mode.

Syntax

show fenotify alerts

User Role

Monitor, Analyst, Operator, or Admin role.

Release Information

Command introduced before NX Series Release 7.1.0.

Support for notification of IPS events on IPS-enabled platforms introduced in Release 7.2.0.

Description

On IPS-enabled platforms only, the display of FireEye event notification alerts includes IPS events for each
notification method. FireEye threat prevention platforms support notifications by sending email, posting to Web
servers, logging messages to a remote syslog server, and sending SNMP traps. For more information, see IPS
Event Notifications.

For more information about all other forms of the show fenotify CLI command, see the FireEye CLI Command
Reference.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM Series central
management platform using the CMC proxying mechanism.

Parameters

None.

Output Fields

Field Name                     Description

FireEye Notification Enabled   Indicates whether the platform is enabled for FireEye notification alerts.
FireEye Alerts                 Indicates which events are enabled for notification using each supported
                               notification protocol.
Digest Notification            Indicates whether Daily Digest mode is enabled and, if so, the time at which the
                               notification is emailed.




Sample Output

The following sample output shows the configuration of FireEye event notification alerts. The platform sends email
notifications for all event types (domain-match, infection-match, ips-event, malware-callback, malware-object, and
web-infection) and sends remote syslog notifications for events of type ips-event only.

hostname (config) # show fenotify alerts

FireEye Notification Enabled: yes

FireEye Alerts:

email http rsyslog snmp


--------------------------------
Global yes yes yes yes
---- ---- ---- ----
domain-match no |no yes no no
infection-match no |no yes no no
ips-event yes |yes yes yes yes
malware-callback no |no no no no
malware-object no |no no no no
web-infection no |no no no no

Digest notification:
Time : 12:00
Enabled : yes

The sample output corresponds to the following Settings > Notifications page in the Web UI:




show fenotify preferences
To display details about alert notification delivery, use the show fenotify preferences command in enable mode.

Syntax

show fenotify preferences

User Role

Monitor, Analyst, Operator, or Admin role.

Release Information

Command introduced before Release 7.5.0.

Command output enhanced for IPS-enabled NX Series platforms to include IPS delivery mode in Release 7.5.0.

Description

Displays information about IPS event notification delivery mode, delivery option for HTTP or HTTPS notifications,
and a delivery option for Rsyslog notifications. For more information, see IPS Event Notifications.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

Parameters

None

Output Fields

The following table describes the output fields for the command. Fields are listed in the approximate order in which
they appear in the output.

Field Name / Description

IPS delivery mode
    Delivery mode for IPS event notifications:
    • instant—Send only when an IPS event is detected. This is the default value.
    • confirmation—Send only when an attack has been confirmed (either positive or
      negative).
    • dual—Send both when an IPS event is detected and when an attack has been
      confirmed.




HTTP(s) notification using fenet proxy
    Delivery mode for event messages posted to Web servers using HTTP or HTTPS:
    • yes—System sends HTTP or HTTPS event notifications using an FENET proxy.
    • no—System does not send HTTP or HTTPS event notifications using an FENET proxy.

    You can use the following CLI commands to configure the system to post event messages to
    Web servers using HTTP or HTTPS: fenet proxy auth, fenet proxy host, and
    fenet proxy user-agent. For more information, see the NX Series Threat Management
    Guide.

Rsyslog notification Stripping off line feedback
    Delivery option to strip off line feedback for event notifications sent to a remote syslog server:
    • yes—System strips off line feedback. This is the default mode.
    • no—System does not strip off line feedback.

    You can use the following CLI commands to configure the system to send event notifications
    to a remote syslog server: fenotify rsyslog default, fenotify rsyslog enable, and
    fenotify rsyslog service. For more information, see the NX Series Threat Management
    Guide.

Sample Output

show fenotify preferences (Without Blocked or Suppressed Vulnerabilities or Rules)

hostname # show fenotify preferences


Notification customized settings:
IPS delivery mode: instant
HTTP(s) notification using fenet proxy: yes
Rsyslog notification Stripping off line feedback: yes




show ips interfaces


To display details about monitoring interfaces associated with IPS policies, use the show ips interfaces command
in enable mode.

Syntax

show ips interfaces

User Role

Monitor, Analyst, Operator, or Admin role.

Release Information

Command introduced in Release 7.2.0 for IPS-enabled NX Series platforms only.

Description

Displays the name of each monitoring interface on the NX Series appliance together with the active IPS policy
applied to it. For more information, see IPS Policy Application at Monitoring Interfaces.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

Parameters

None

Output Fields

The following table describes the output fields for the command. Fields are listed in the approximate order in which
they appear in the output.

Field Name / Description

Interface
  Identifier (A or B) of a monitoring interface that is associated with an IPS policy.
Policy applied
  Name of the IPS policy applied to the monitoring interface.
Rule count
  Number of IPS rules active on the monitoring interface.

Sample Output

hostname # show ips interfaces


Interface : A
Policy applied : Comprehensive
Rule count : 6882
Interface : B
Policy applied : myCustom1
Rule count : 1002


show ips policies


To display rule attributes associated with IPS policies defined on an IPS-enabled NX Series platform, use the
show ips policies command in enable mode.

Syntax

show ips policies [policyName]

User Role

Monitor, Analyst, Operator, or Admin role.

Release Information

Command introduced in Release 7.2.0 for IPS-enabled NX Series platforms only.

Parameters exclude, fingerprint, include, and rules removed in Release 7.5.0.

Description

Display attributes for IPS policies defined on an IPS-enabled appliance. By default, the command output displays
non-match attributes for the specified IPS policy. You can include optional parameters to show match attributes or
the exclusion list or inclusion list of the IPS policy.

For more information, see IPS Policy Configuration.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

Parameters

policyName
Name of the IPS policy whose attributes are to be displayed.

Output Fields

The following table describes the output fields for the show ips policies command. Fields are listed in the
approximate order in which they appear in the output.

Field Name / Field Description

State Attributes

active
  Indicates whether the IPS policy is active:
  • yes—The policy is attached to one or more interfaces.
  • no—The policy is not attached to any interface.

  NOTE: You cannot delete a policy while it is active. You cannot delete or edit a default policy.



writeable
  Indicates whether the IPS policy is configurable:
  • yes—The policy is configurable. Only custom policies are configurable.
  • no—The policy is not configurable. Only default policies are not configurable.

  NOTE: You cannot delete or edit a default policy.

modified_date
  Date and time at which the IPS policy was last modified.
version
  IPS policy format internal version number.

Match Attributes

attack-target
  Type of network host machine that the rule covers.
min-severity
  Attack severity level of the rule is equal to or above this lower limit. Range: 1 – 10.
max-severity
  Attack severity level of the rule is equal to or below this upper limit. Range: 1 – 10.
category
  (Option for custom IPS policies) Category of the network attack that the rule covers.
sub_category
  (Option for custom IPS policies) Subcategory of the network attack that the rule covers.
protocol
  (Option for custom IPS policies) Network protocol covered by the rule.

Rule-Exclusion and Rule-Inclusion Attributes

Inclusion list
  (Option for custom IPS policies) List of signature IDs of IPS rules to be explicitly included in the
  policy selection.
Exclusion list
  (Option for custom IPS policies) List of signature IDs of IPS rules to be explicitly excluded from the
  policy selection.
Fingerprint
  (Custom IPS policies only) Hexadecimal string that identifies the attributes of a custom IPS policy.
  IPS policies have the same fingerprint if the policies share the same match attributes, rule-exclusion
  attributes, and rule-inclusion attributes.

Sample Output

• show ips policies ?
• show ips policies
• show ips policies Comprehensive

show ips policies ?

hostname # show ips policies ?


<cr>
<Policy name>
FireEye_Default
Comprehensive
Default_Client_Protection
Default_Server_Protection
myCustom1
myCustom2
myCustom3


show ips policies

hostname # show ips policies


FireEye_Default
active : yes
version : 2
Comprehensive
active : no
version : 2
Default_Server_Protection
active : no
version : 2
Default_Client_Protection
active : no
version : 2
myCustom1
active : no
version : 1
No. of included rules: 1
No. of excluded rules: 2
myCustom2
active : no
version : 1
No. of included rules: 1
No. of excluded rules: 2
myCustom3
active : no
version : 1
No. of included rules: 1
No. of excluded rules: 2

show ips policies myCustom1

hostname # show ips policies myCustom1


Policy attributes :
active : no
writable : yes
modified_date : 2014/09/25 10:24:48
version : 9

Match attributes of policy :


attack-target : client
min-severity : 5
max-severity : 10

Inclusion list for policy :


85301782

Exception list for policy :


8530001,8530050

Fingerprint of policy :
2014/09/25 10:24:48 | 287fd1bda05326809e195cccf5e9798c


show ips reconnaissance


To display the IPS detection thresholds for reconnaissance activity and brute-force attacks, use the
show ips reconnaissance command in enable mode.

Syntax

show ips reconnaissance

User Role

Monitor, Analyst, Operator, or Admin role.

Release Information

Command introduced in Release 7.5.0 for IPS-enabled NX Series platforms only.

Description

Displays the IPS detection thresholds for reconnaissance activity and brute-force attacks, provided that IPS
detection of reconnaissance activity is enabled.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

Parameters

None.

Output Fields

The following table describes the output fields for the command. Fields are listed in the approximate order in which
they appear in the output.

Field Name / Field Description

IPS reconnaissance is disabled
  IPS detection of reconnaissance activity is disabled. No threshold settings are displayed.
Ping sweep threshold
  The platform triggers an IPS ping sweep event when the number of ICMP exchanges to or from the
  same IP address within a rolling 60-second window exceeds this value.
Port scan threshold
  The platform triggers an IPS port scan event when the number of TCP or UDP exchanges to or from
  the same IP address within a rolling 60-second window exceeds this value.
Brute force threshold
  The platform triggers an IPS brute-force event when the number of failed login attempts to or from
  the same IP address within a rolling 60-second window exceeds this value.


Sample Output

• show ips reconnaissance (Detection Disabled)
• show ips reconnaissance (Detection Enabled With Default Settings)

show ips reconnaissance (Detection Disabled)

hostname # show ips reconnaissance


IPS reconnaissance is disabled

show ips reconnaissance (Detection Enabled With Default Settings)

hostname # show ips reconnaissance


Ping sweep threshold : 20
Port scan threshold : 200
Brute force threshold : 5


show ips status


To display the status of IPS global settings, use the show ips status command in enable mode.

Syntax

show ips status

User Role

Monitor, Analyst, Operator, or Admin role.

Release Information

Command introduced in Release 7.2.0 for IPS-enabled NX Series platforms only.

Support for IPS blockmode all was introduced in Release 7.5.0.

Description

Display the platform-wide status of blocking for IPS rules, the status of the IPS policy manager daemon, and the
status of the IPS license.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

If an IPS policy manager (ips) command fails to respond, the IPS policy manager daemon might have stopped due
to insufficient CPU or memory resources. If you are logged in to the CLI as Admin, you can restart the IPS policy
manager daemon by using the following command in enable mode:

hostname # pm process ipspolicyd restart

Parameters

None.

Output Fields

The following table describes the output fields for the command. Fields are listed in the approximate order in which
they appear in the output.

Field Name / Field Description

License status
  Status of the IPS license:
  • enabled—The IPS license is installed and valid.
  • disabled—The IPS license is installed but not valid.

  For more information, see Enabling IPS Capabilities.



Auto-update rules for an active policy
  Status of the auto-update rules feature for active IPS policies:
  • enabled—The feature is enabled.
  • disabled—The feature is disabled.

  This feature is enabled by default. For more information, see Managing Auto-Addition of New IPS
  Rules to Active Interfaces.

IPS Global Blocking Status

IPS blockmode
  Status of the platform-wide policy to allow, deny, or force blocking of traffic matched by IPS rules:
  • enabled—Only IPS rules with blocking action block can drop matched traffic.
  • disabled—All IPS rules act as monitoring-only rules.
  • all—All IPS rules act as blocking rules.

  IPS blockmode is enabled by default. For more information, see Options to Disable or Force
  Blocking for All IPS Rules.
IPS blockmode last modified
  Date and time of the last update to the configuration of appliance-wide disabling or enabling of the
  blocking actions of all IPS rules.

IPS Configuration Status

Fully applied to system
  Status of the rules engine with respect to IPS rules specified by the active IPS policies:
  • N/A (no active policies)—No IPS policies are applied to monitoring interfaces.
  • yes—Loading of IPS rules to the rules engine is complete.
  • no—Loading of IPS rules to the rules engine is in progress.
Config change ID of last change applied
  (If the loading of IPS rules is still in progress) System identification number of the IPS
  configuration change being processed by the rules engine.
Timestamp of last config change applied
  (If the loading of IPS rules is still in progress) Date and time at which the last IPS policy was
  applied to monitoring interfaces.

Sample Output

• show ips status (No Active IPS Policies)
• show ips status (Loading of IPS Rules Into Rules Engine is Complete)
• show ips status (Loading of IPS Rules Into Rules Engine is In Progress)


show ips status (No Active IPS Policies)

hostname # show ips status

License status : enabled

Auto-update rules for an active policy : disabled

IPS blockmode : disabled


IPS blockmode last modified: 2014/10/20 20:59:14

IPS configuration status :


Fully applied to system : N/A (no active policies)

show ips status (Loading of IPS Rules Into Rules Engine is Complete)

hostname # show ips status

License status : enabled

Auto-update rules for an active policy : disabled

IPS blockmode : disabled


IPS blockmode last modified: 2014/10/20 20:59:14

IPS configuration status :


Fully applied to system : yes

show ips status (Loading of IPS Rules Into Rules Engine is In Progress)

hostname # show ips status

License status : enabled

Auto-update rules for an active policy : disabled

IPS blockmode : disabled


IPS blockmode last modified: 2014/10/20 20:59:14

IPS configuration status :


Fully applied to system : no
Config change ID of last change applied : 3026
Timestamp of last config change applied : 2014/10/27 17:55:08
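As an added example, not part of the FireEye guide: a small Python parser that reads show ips status output (the sample text is constructed from the examples above) and turns the documented field values into posture findings, such as blockmode disabled or rule loading still in progress.

```python
"""Parse `show ips status` output and turn it into posture findings.

Added example for this guide, not FireEye code. The sample texts below are
constructed from the guide's own `show ips status` examples.
"""
import re
from typing import Dict, List

# Constructed sample: the "loading of IPS rules in progress" case.
SAMPLE_STATUS_IN_PROGRESS = """\
hostname # show ips status

License status : enabled

Auto-update rules for an active policy : disabled

IPS blockmode : disabled


IPS blockmode last modified: 2014/10/20 20:59:14

IPS configuration status :


Fully applied to system : no
Config change ID of last change applied : 3026
Timestamp of last config change applied : 2014/10/27 17:55:08
"""

# Constructed sample: no IPS policy applied to any monitoring interface.
SAMPLE_STATUS_NO_POLICY = """\
hostname # show ips status

License status : enabled
Auto-update rules for an active policy : enabled
IPS blockmode : enabled
IPS blockmode last modified: 2014/10/20 20:59:14
IPS configuration status :
Fully applied to system : N/A (no active policies)
"""

# "name : value"; the name runs up to the first colon, so values that
# themselves contain colons (timestamps) stay intact.
_FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_ips_status(text: str) -> Dict[str, str]:
    """Return {field name: value} for each populated line of the output.

    The echoed prompt line and section headers with an empty value
    (for example "IPS configuration status :") are skipped.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("hostname"):
            continue
        match = _FIELD_RE.match(line)
        if match and match.group(2):
            fields[match.group(1)] = match.group(2)
    return fields


def ips_posture_findings(fields: Dict[str, str]) -> List[str]:
    """Map the parsed fields to operator findings, following the field
    semantics the guide documents for `show ips status`."""
    findings: List[str] = []
    if fields.get("License status") != "enabled":
        findings.append("IPS license is not valid")
    blockmode = fields.get("IPS blockmode")
    if blockmode == "disabled":
        findings.append("IPS blockmode disabled: all IPS rules are monitoring-only")
    elif blockmode == "all":
        findings.append("IPS blockmode all: every IPS rule blocks matched traffic")
    applied = fields.get("Fully applied to system", "")
    if applied == "no":
        change_id = fields.get("Config change ID of last change applied", "unknown")
        findings.append(f"IPS rule loading still in progress (config change {change_id})")
    elif applied.startswith("N/A"):
        findings.append("no IPS policy is applied to any monitoring interface")
    if fields.get("Auto-update rules for an active policy") == "disabled":
        findings.append("auto-update of IPS rules is disabled for active policies")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_STATUS_IN_PROGRESS, SAMPLE_STATUS_NO_POLICY):
        for finding in ips_posture_findings(parse_ips_status(sample)):
            print("-", finding)
```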


show policymgr signatures


To display policy details about blocking or suppression applied to vulnerabilities or individual IPS rules active on an
IPS-enabled platform, use the show policymgr signatures command in enable mode. This command is available
on NX Series appliances.

Syntax

show policymgr signatures

User Role

Monitor, Operator, or Admin role.

Release Information

Command introduced before Release 7.5.0.

Command output enhanced in Release 7.5.0 to support disabled or forced blocking for a vulnerability or IPS rule
and to support suppression of a vulnerability or IPS rule.

Description

Displays the deployment mode and policy mix of monitoring interfaces on the NX Series appliance. Also displays
the overrides—disabled or forced blocking or suppression—applied to vulnerabilities or IPS rules active on the
appliance monitoring interfaces.

For information about disabling or forcing blocking for a vulnerability or IPS rule, see Options to Disable or Force
Blocking for a Vulnerability or an IPS Rule. For information about disabling or forcing blocking for all rules activated
on the appliance, see Options to Disable or Force Blocking for All IPS Rules.

For information about suppression, see Options to Suppress a Vulnerability or an IPS Rule.

NOTE: You can also run this command remotely from the command line of an integrated FireEye CM series
platform using the central management platform proxying mechanism.

Parameters

None

Output Fields

The following table describes the output fields for the command. Fields are listed in the approximate order in which
they appear in the output.

Field Name / Description

Monitoring Interface Fields

Interface
  Identifier of a monitoring interface: A, B, C, D, or ALL.



opmode
  Interface operational mode:
  • block—The appliance is deployed inline and blocks malicious traffic at this interface.
  • bypass—The appliance is deployed inline but does not analyze or block traffic at this interface.
  • monitor—The appliance is deployed inline, analyzes traffic, and generates alerts on malicious
    events at this interface.
  • tap—The appliance is deployed in SPAN or TAP mode and monitors malicious traffic at this
    interface.
policy
  Type of standard (non-IPS) policy active on the interface:
  • global—FireEye-defined global policy is active on the interface.
  • local—User-defined local policy is active on the interface.
  • mixed—Both local and global policies are active on the interface. The local policy overrides
    the global policy.
  • none—No policy is active on the interface.

ACTION TABLE Columns

SIGNATURE
  Signature for an event that is eligible for inline blocking. Can be either of the following:
  • signatureID—Eight-digit integer that identifies the signature.
  • signatureName—Text string that identifies the signature. Names are truncated to 32 characters.
INTF
  Name of the NX Series appliance monitoring interface: A, B, C, D, or ALL.
BLOCKED
  Indicates whether the signature blocks or allows matched traffic on the specified interface:
  • yes—Matched traffic is blocked.
  • no—Matched traffic is allowed.
  • --—Matched traffic cannot be blocked because the interface is not configured for inline blocking.
SUPPRESSED
  Indicates whether the specified signature is suppressed or allowed on the specified interface:
  • yes—The appliance suppresses the signature.
  • no—The appliance allows the signature.

Sample Output

• show policymgr signatures (Without Blocked or Suppressed Vulnerabilities or Rules)
• show policymgr signatures (With Blocked or Suppressed Vulnerabilities or Rules)
• show policymgr signatures (Interface Is Not Configured for Inline Blocking)


show policymgr signatures (Without Blocked or Suppressed Vulnerabilities or Rules)

hostname # show policymgr signatures


Interface : A
opmode: block
policy: mixed
tolerance: 1
Interface : B
opmode: tap
policy: mixed
tolerance: 1
ACTION TABLE
SIGNATURE INTF BLOCKED SUPPRESSED

show policymgr signatures (With Blocked or Suppressed Vulnerabilities or Rules)

hostname # show policymgr signatures


Interface : A
opmode: block
policy: mixed
tolerance: 1
Interface : B
opmode: tap
policy: mixed
tolerance: 1
ACTION TABLE
SIGNATURE INTF BLOCKED SUPPRESSED
85305159 ALL no no
85305160 B no yes
Mozilla Firefox XUL Tree Element ALL yes no
Windows Executable Download As I A yes no

show policymgr signatures (Interface Is Not Configured for Inline Blocking)

hostname # show policymgr signatures


Interface : A
opmode: tap
policy: mixed
tolerance: 1
ACTION TABLE
SIGNATURE INTF BLOCKED SUPPRESSED
85301908 A -- yes
Exploit Kit Landing Page A -- yes
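As an added example, not code from the FireEye guide: a Python parser for show policymgr signatures output (samples constructed from the examples above) that splits the ACTION TABLE rows, whose signature names may contain spaces, and flags overrides that weaken coverage on inline interfaces.

```python
"""Parse `show policymgr signatures` output and review the overrides it lists.

Added example for this guide, not FireEye code. The sample texts are
constructed from the guide's own examples.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: interface A inline (block), interface B tap, four overrides.
SAMPLE_WITH_OVERRIDES = """\
hostname # show policymgr signatures
Interface : A
opmode: block
policy: mixed
tolerance: 1
Interface : B
opmode: tap
policy: mixed
tolerance: 1
ACTION TABLE
SIGNATURE INTF BLOCKED SUPPRESSED
85305159 ALL no no
85305160 B no yes
Mozilla Firefox XUL Tree Element ALL yes no
Windows Executable Download As I A yes no
"""

# Constructed sample: tap-only interface, so blocking cannot apply ("--").
SAMPLE_NOT_INLINE = """\
Interface : A
opmode: tap
policy: mixed
tolerance: 1
ACTION TABLE
SIGNATURE INTF BLOCKED SUPPRESSED
85301908 A -- yes
Exploit Kit Landing Page A -- yes
"""

_TABLE_HEADER = ["SIGNATURE", "INTF", "BLOCKED", "SUPPRESSED"]


@dataclass
class SignatureOverride:
    signature: str   # eight-digit signature ID or (truncated) signature name
    intf: str        # A, B, C, D, or ALL
    blocked: str     # yes, no, or -- (interface not configured for inline blocking)
    suppressed: str  # yes or no


def parse_policymgr_signatures(text: str) -> Tuple[Dict[str, Dict[str, str]], List[SignatureOverride]]:
    """Return ({interface: {opmode, policy, ...}}, [overrides in ACTION TABLE order])."""
    interfaces: Dict[str, Dict[str, str]] = {}
    overrides: List[SignatureOverride] = []
    current = None
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("hostname"):
            continue
        if in_table:
            if line.split() == _TABLE_HEADER:
                continue
            # Signature names may contain spaces: split the three right-hand
            # columns off first and keep the remainder as the signature.
            parts = line.rsplit(None, 3)
            if len(parts) != 4:
                raise ValueError(f"unexpected ACTION TABLE row: {line!r}")
            overrides.append(SignatureOverride(*parts))
            continue
        if line == "ACTION TABLE":
            in_table = True
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Interface":
            current = value
            interfaces[current] = {}
        elif current is not None:
            interfaces[current][key] = value
    return interfaces, overrides


def review_overrides(interfaces: Dict[str, Dict[str, str]],
                     overrides: List[SignatureOverride]) -> List[str]:
    """Flag overrides that reduce coverage: suppressed signatures, blocking
    requested on a non-inline interface, and monitor-only signatures on an
    interface that is deployed in block mode."""
    inline = {name for name, attrs in interfaces.items() if attrs.get("opmode") == "block"}
    notes: List[str] = []
    for o in overrides:
        targets = inline if o.intf == "ALL" else inline & {o.intf}
        if o.suppressed == "yes":
            notes.append(f"{o.signature}: suppressed on {o.intf}")
        if o.blocked == "--":
            notes.append(f"{o.signature}: interface {o.intf} is not inline, cannot block")
        elif o.blocked == "no" and targets:
            notes.append(f"{o.signature}: monitor-only on inline interface(s) {sorted(targets)}")
    return notes


if __name__ == "__main__":
    for note in review_overrides(*parse_policymgr_signatures(SAMPLE_WITH_OVERRIDES)):
        print("-", note)
```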

Appendix: CM Series Support for IPS Features
This section describes how to operate IPS features on IPS-enabled platforms that are centrally managed from a
FireEye CM series platform.

Overview of CM Series Support for IPS-Enabled Platforms 268

Configuring an IPS Policy Using a CMC Profile (CLI) 270

Applying an IPS Policy to Managed Platforms (Web UI) 273

Applying an IPS Policy to Managed Platforms (CLI) 274


Overview of CM Series Support for IPS-Enabled Platforms


This topic covers the following information:

• IPS Policy Configuration and Application
• Aggregation of IPS Data
• Limitations for Managing IPS-Enabled Platforms

IPS Policy Configuration and Application


You can use a CM series platform to configure and apply IPS policies at managed IPS-enabled platforms.

IPS Policy Configuration
From a CM series platform CLI, you can create, modify, or delete custom IPS policies on a managed IPS-
enabled platform. For more information, see Configuring an IPS Policy Using a CMC Profile (CLI).

IPS Policy Application at Monitoring Interfaces


From a CM series platform Web UI or CLI, you can apply IPS policies to monitoring interfaces on managed
IPS-enabled platforms. The IPS policy definitions must be identical on the managed platforms. For more
information, see Applying an IPS Policy at Managed Platforms (Web UI) or Applying an IPS Policy at
Managed Platforms (CLI).

For general information about NX Series appliances managed from a CM Series appliance, see the NX Series
System Administration Guide.

Aggregation of IPS Data


You can use a CM series platform to aggregate IPS data consolidated across the centrally managed IPS-enabled
platforms. You can display IPS events, display IPS alerts (MVX-correlated IPS events), and generate IPS reports.

IPS Events
On a CM series platform that manages one or more IPS-enabled platforms, you can filter the
Alerts > Web MPS > IPS Events page to display IPS events and IPS alerts for a single IPS-enabled platform
or for multiple platforms. If the CM series platform manages multiple IPS-enabled platforms, the page
displays consolidated results.

IPS Alerts
On a CM series platform that manages one or more IPS-enabled platforms, you can filter the
Alerts > Web MPS > Alerts page to display the IPS alerts for a single NX Series appliance or for a group of
NX Series appliances. If the CM series platform manages multiple IPS-enabled platforms, the page displays
consolidated results that include all IPS alerts generated on the managed appliances.

IPS Event Acknowledgment


On a CM series platform that manages one or more IPS-enabled platforms, you can acknowledge IPS
events detected at one of the managed appliances. The updated acknowledgment information is
aggregated at the CM Series appliance, but is not pushed to the managed appliance.


IPS Reports
On a CM series platform that manages one or more IPS-enabled platforms, you can use the Reports page
to generate the following IPS-specific reports:
• IPS Executive Summary
• IPS Top N Attacks
• IPS Top N Attackers
• IPS Top N Victims
• IPS Top N MVX-Correlated

Limitations for Managing IPS-Enabled Platforms


When using a CM series platform to manage an IPS-enabled platform, be aware of the following limitations:

IPS Policy Configuration Reports


The CM series Reports page does not support the following IPS reports:
• IPS Policy Configuration Summary
• IPS Policy Configuration Details

IPS Dashboard Data


The CM series platform Dashboard page displays malware information only and does not include the IPS
dashboard panels that are available on locally managed IPS-enabled platforms.

IPS Custom Rules
The CM series platform Settings > IPS page does not support importing of IPS custom rules to a managed
IPS-enabled platform.


Configuring an IPS Policy Using a CMC Profile (CLI)


From the CM series platform CLI, you can use a central management console (CMC) profile to configure a custom
IPS policy on managed IPS-enabled platforms in the centralized management domain. You can configure the
custom IPS policy on a single managed IPS-enabled platform, or you can configure the policy on a group of
managed platforms.

Prerequisites

• Log in to the CLI of the CM series platform as Operator or Admin.

Procedure

To configure a custom IPS policy on a managed IPS-enabled platform:


1. Enter CLI configuration mode.

hostname > enable


hostname # configure terminal
hostname (config) #

2. Configure the first command of the CMC profile to create a custom IPS policy.

The following example configures profile c1 to create a custom IPS policy named p1.

hostname (config) # cmc profile c1 comment "IPS policy for IPS-ena NX platforms"
hostname (config) # cmc profile c1 command 1 "ips policy p1"

3. Configure the profile to specify required match attributes for the custom IPS policy.

The following example configures the attack-target, min-severity, and max-severity attributes.

hostname (config) # cmc profile c1 command 2 "ips policy p1 match attack-target client"
hostname (config) # cmc profile c1 command 3 "ips policy p1 match min-severity 8"
hostname (config) # cmc profile c1 command 4 "ips policy p1 match max-severity 10"

4. (Optional) Configure the profile to specify optional match attributes for the custom IPS policy.

The following example configures an optional protocol attribute.

hostname (config)# cmc profile c1 command 5 "ips policy p1 match protocol SNMP"

5. (Optional) Configure the profile to specify optional rule exclusion or inclusion attributes for the custom IPS
policy.

The following example configures the optional rules exclude and rules include attributes.

hostname (config) # cmc profile c1 command 6 "ips policy p1 rules exclude 85300001"
hostname (config) # cmc profile c1 command 7 "ips policy p1 rules include 85300002"
hostname (config) # cmc profile c1 command 8 "ips policy p1 rules include 85300003"


6. Before you save the CMC profile to managed IPS-enabled platforms, list the CLI commands and comments in
the profile.

The following example step lists the CLI commands in the profile c1.

hostname (config) # show cmc profile c1


Profile c1
Comment: IPS policy for IPS-ena NX platforms
Commands:
1. ips policy p1
2. ips policy p1 match attack-target client
3. ips policy p1 match min-severity 8
4. ips policy p1 match max-severity 10
5. ips policy p1 match protocol SNMP
6. ips policy p1 rules exclude 85300001
7. ips policy p1 rules include 85300002
8. ips policy p1 rules include 85300003

NOTE: To delete a command from the profile, use the no cmc profile name command and specify the
command sequence_number option. The following example deletes the eighth command from the profile:

hostname (config) # no cmc profile c1 command 8


7. Apply the profile to a single managed IPS-enabled platform or to a group of appliances.

• To apply the profile to a single managed appliance, use the cmc profile name command and specify the
  apply appliance name option.

The following example step applies the profile to the appliance NX_4400_IPS.

hostname (config) # cmc profile c1 apply appliance NX_4400_IPS


============ Appliance NX_4400_IPS ============
Execution was successful.
Execution output:
Saving configuration file ... Done!

The configuration for the managed appliance NX_4400_IPS now includes the definition of the custom IPS
policy p1.

• To apply the profile to a group of managed appliances, use the cmc profile name command and specify
  the apply group name option.

The following example step applies the profile to the appliances in the group NXips, which is composed
of IPS-enabled appliances named NX_900_IPS and NX_10000_IPS.

hostname (config) # cmc profile c1 apply group NXips


============ Appliance NX_900_IPS ============
Execution was successful.
Execution output:
Saving configuration file ... Done!
============ Appliance NX_10000_IPS ============
Execution was successful.
Execution output:
Saving configuration file ... Done!

The configurations for the managed appliances in group NXips now include the definition of the custom IPS
policy p1.


Applying an IPS Policy to Managed Platforms (Web UI)


From the CM series platform Web UI, you can apply an IPS policy to the monitoring interfaces of managed IPS-
enabled platforms.

Prerequisites

• Log in to the Web UI of the CM series platform as Operator or Admin.
• Verify that you can access the IPS-enabled platforms you want to manage.
• Verify that the IPS policy to be applied at multiple platforms is identical across those platforms by comparing
  the fingerprints.

NOTE: For this software release, IPS policy fingerprints can be verified from the CLI only.

In the following example, the IPS policy p1 is defined identically on the two IPS-enabled platforms that are
centrally managed in the group NXips.

host (config) # cmc execute group NXips command "show ips policies p1 fingerprint"
============ Appliance NX_900_IPS ============
Execution was successful.
Execution output:
2014/04/18 12:36:34 | 4862cb13e6777d20c3b720d9d5b471a4
============ Appliance NX_10000_IPS ============
Execution was successful.
Execution output:
2014/04/18 13:01:58 | 4862cb13e6777d20c3b720d9d5b471a4

Procedure

To apply an IPS policy on a centrally managed IPS-enabled platform:


1. Go to the Settings > Appliance Settings page.

2. Use the Group and Appliance drop-down menus to select the IPS-enabled platforms you want to manage.

3. Select IPS in the left navigation bar.

4. To apply an IPS policy to monitoring interfaces on multiple managed IPS-enabled platforms, click Apply Policy
in the Actions column for that policy.

5. Select the monitoring interfaces to which you want the IPS policy applied.

6. Click Apply Policy.

7. Click Done.


Applying an IPS Policy to Managed Platforms (CLI)


From the CM series platform CLI, you can apply an IPS policy to the monitoring interfaces of managed IPS-enabled
platforms.

Prerequisites

• Log in to the CM series platform as Operator or Admin.
• Verify that the IPS policy to be applied at multiple platforms is identical across those platforms by comparing
  the fingerprints.

In the following example, the IPS policy p1 is defined identically on the managed appliances in the group
NXips.

host (config) # cmc execute group NXips command "show ips policies p1 fingerprint"
============ Appliance NX_900_IPS ============
Execution was successful.
Execution output:
2014/04/18 12:36:34 | 4862cb13e6777d20c3b720d9d5b471a4
============ Appliance NX_10000_IPS ============
Execution was successful.
Execution output:
2014/04/18 13:01:58 | 4862cb13e6777d20c3b720d9d5b471a4
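As an added example covering the fingerprint prerequisite of both the Web UI and the CLI procedures (not FireEye code): a Python check that parses cmc execute group output, compares only the 32-character hash and ignores each appliance's modification timestamp, and reports which appliances disagree. The consistent sample is the guide's own output; the mismatch sample is constructed with a placeholder all-zero hash.

```python
"""Verify that an IPS policy fingerprint is identical across a CM series group,
from the output of:
    cmc execute group <group> command "show ips policies <policy> fingerprint"

Added example for this guide, not FireEye code. SAMPLE_CONSISTENT is copied from
the guide; SAMPLE_MISMATCH is constructed with a placeholder all-zero hash.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_CONSISTENT = """\
host (config) # cmc execute group NXips command "show ips policies p1 fingerprint"
============ Appliance NX_900_IPS ============
Execution was successful.
Execution output:
2014/04/18 12:36:34 | 4862cb13e6777d20c3b720d9d5b471a4
============ Appliance NX_10000_IPS ============
Execution was successful.
Execution output:
2014/04/18 13:01:58 | 4862cb13e6777d20c3b720d9d5b471a4
"""

# Constructed: the second appliance reports a different (placeholder) fingerprint.
SAMPLE_MISMATCH = """\
============ Appliance NX_900_IPS ============
Execution was successful.
Execution output:
2014/04/18 12:36:34 | 4862cb13e6777d20c3b720d9d5b471a4
============ Appliance NX_10000_IPS ============
Execution was successful.
Execution output:
2014/04/19 09:00:00 | 00000000000000000000000000000000
"""

_APPLIANCE_RE = re.compile(r"^=+\s*Appliance\s+(\S+)\s*=+$")
# "<last-modified timestamp> | <32 hex chars>": only the hash identifies the
# policy's match, exclusion and inclusion attributes; the timestamp differs
# per appliance even when the policies are identical.
_FINGERPRINT_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\s*\|\s*([0-9a-fA-F]{32})$")


def parse_group_fingerprints(text: str) -> Dict[str, Optional[str]]:
    """Return {appliance name: fingerprint hash}. The value is None when an
    appliance section carries no fingerprint line (for example, the policy
    does not exist there or execution failed)."""
    results: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = _APPLIANCE_RE.match(line)
        if header:
            current = header.group(1)
            results[current] = None
            continue
        if current is None:
            continue  # echoed command line before the first appliance section
        fp = _FINGERPRINT_RE.match(line)
        if fp:
            results[current] = fp.group(1).lower()
    return results


def fingerprints_consistent(
        results: Dict[str, Optional[str]]) -> Tuple[bool, Dict[Optional[str], List[str]]]:
    """Group appliances by fingerprint. The policy is safe to apply group-wide
    only when every appliance reports the same single fingerprint."""
    groups: Dict[Optional[str], List[str]] = {}
    for appliance, fp in results.items():
        groups.setdefault(fp, []).append(appliance)
    ok = bool(results) and len(groups) == 1 and None not in groups
    return ok, groups


if __name__ == "__main__":
    for sample in (SAMPLE_CONSISTENT, SAMPLE_MISMATCH):
        ok, groups = fingerprints_consistent(parse_group_fingerprints(sample))
        print("consistent" if ok else "MISMATCH", groups)
```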

Procedure

To apply an IPS policy on a centrally managed IPS-enabled platform:


• To apply the policy to interfaces on a single managed appliance, use the cmc execute appliance name
  command and specify the command command_text option.

The following example applies IPS policy p1 to interface A on appliance named NX4400.

host (config) # cmc execute appliance NX4400 command "ips apply p1 interface A"
============ Appliance NX4400 ============
Execution was successful.
Execution output:
(none)

The IPS policy p1 is activated on interface A of the managed appliance NX4400.


• To apply the policy to interfaces on a group of managed appliances, use the cmc execute group name
  command and specify the command command_text option.

The following example applies IPS policy p1 to interface A of the appliances in group NXips, which is
composed of IPS-enabled appliances NX_900_IPS and NX_10000_IPS.

host (config) # cmc execute group NXips command "ips apply p1 interface A"
============ Appliance NX_900_IPS ============
Execution was successful.
Execution output:
(none)
============ Appliance NX_10000_IPS ============
Execution was successful.
Execution output:
(none)

The IPS policy p1 is activated on interface A of the managed appliances in group NXips.
