cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
calvinmaher
Level 7
Report Inappropriate Content
Message 1 of 8
‎05-07-2019 01:52 AM

Installation of ENS on File Servers causing NIPS events

Jump to solution
I have installed ENS 10.6 on a File Server Cluster and Exploit Prevention is enabled. Ever since it was installed there are random hip.nips threat events Threat Name: ExP:NIPS Violation Description: ExP:NIPS Violation Blocked a Network exploit attempt Analyser Rule name: TCP Port Scan Does anybody know if there are any more detailed logs to find the route cause? Or is it a false positive?
0 Kudos
Reply
2 Solutions

Accepted Solutions
Former Member
Not applicable
Report Inappropriate Content
Message 2 of 8
‎05-07-2019 01:59 AM

Re: Installation of ENS on File Servers causing NIPS events

Jump to solution

You would really need to look more into the event details to see what was being triggered. To be honest, ENS Debug Logging would help provide more details as well and after the issue had occurred again you would need to review the ENS Debug Logs in %Programdata%\McAfee\Endpoint Security\Logs.

What further details do you see from the event reported in ePO?

View solution in original post

Reply
ktankink
Employee
Employee
Report Inappropriate Content
Message 4 of 8
‎05-07-2019 03:15 PM

Re: Installation of ENS on File Servers causing NIPS events

Jump to solution

If you have NIPS events to review in ePO, you can use that now.  Find the ExP:NIPS Violation (or Event Category: Host intrusion (hip.nips)) related to Signature 3700 in the ePO Threat Events menu, and review the Threat Source IP address (or Threat Source IPv4 address) value.  This is the remote IP address triggering the signature.

Review the system that is configured with that IP address.  Determine what on the system may be performing a TCP Port scan on the system.  It could be a legitimate port scanner (ePO Rogue Sensor with OS Fingerprinting, NMAP or third-party scanner, or third party vulnerability assessment solutions), or it could be a possible malicious (or unapproved) port scanner (e.g. something in your environment that is not setup as a legitimate port scanning device).

If legitimate, create a NIPS exclusion for that remote IP address, in the ENS Threat Prevention Exclusions configuration (exclusion type = Network IPS).

View solution in original post

0 Kudos
Reply
7 Replies
Former Member
Not applicable
Report Inappropriate Content
Message 2 of 8
‎05-07-2019 01:59 AM

Re: Installation of ENS on File Servers causing NIPS events

Jump to solution

You would really need to look more into the event details to see what was being triggered. To be honest, ENS Debug Logging would help provide more details as well and after the issue had occurred again you would need to review the ENS Debug Logs in %Programdata%\McAfee\Endpoint Security\Logs.

What further details do you see from the event reported in ePO?

Reply
calvinmaher
Level 7
Report Inappropriate Content
Message 3 of 8
‎05-07-2019 07:34 AM

Re: Installation of ENS on File Servers causing NIPS events

Jump to solution

Thanks for the info - I've turned on debug logging for EP on one of the hosts, wait and see.

There was no other information other than it triggering the  TCP port scan analyser rule

0 Kudos
Reply
ktankink
Employee
Employee
Report Inappropriate Content
Message 4 of 8
‎05-07-2019 03:15 PM

Re: Installation of ENS on File Servers causing NIPS events

Jump to solution

If you have NIPS events to review in ePO, you can use that now.  Find the ExP:NIPS Violation (or Event Category: Host intrusion (hip.nips)) related to Signature 3700 in the ePO Threat Events menu, and review the Threat Source IP address (or Threat Source IPv4 address) value.  This is the remote IP address triggering the signature.

Review the system that is configured with that IP address.  Determine what on the system may be performing a TCP Port scan on the system.  It could be a legitimate port scanner (ePO Rogue Sensor with OS Fingerprinting, NMAP or third-party scanner, or third party vulnerability assessment solutions), or it could be a possible malicious (or unapproved) port scanner (e.g. something in your environment that is not setup as a legitimate port scanning device).

If legitimate, create a NIPS exclusion for that remote IP address, in the ENS Threat Prevention Exclusions configuration (exclusion type = Network IPS).

0 Kudos
Reply
calvinmaher
Level 7
Report Inappropriate Content
Message 5 of 8
‎05-08-2019 06:51 AM

Re: Installation of ENS on File Servers causing NIPS events

Jump to solution

Thanks. The source is a virtual switching IP being used in a hyper-v cluster. Our Nessus scanner sits on the same cluster so just investigating that to confirm

0 Kudos
Reply
Sohel
Level 10
Report Inappropriate Content
Message 6 of 8
‎07-18-2019 06:01 AM

Re: Installation of ENS on File Servers causing NIPS events

Jump to solution

Hello,

I'm having a similar issue and I was wondering if you were able to resolve the issue.

Our Nessus scanner is getting blocked even after creating an exclusion for the ip-address in Exploit prevention.

I pulled below from threat event in ePO:

...................................................................................................................................................

Analyzer Detection Method:Exploit Prevention
Threat Name: ExP:NIPS Violation
Analyzer Rule Name:SMB Brute Force Attack
Description:ExP:NIPS Violation Blocked a Network exploit attempt.
Attack Vector Type:Network

.........................................................................................................

(below is my policy)

Capture.JPG

 

0 Kudos
Reply
calvinmaher
Level 7
Report Inappropriate Content
Message 7 of 8
‎07-18-2019 09:01 AM

Re: Installation of ENS on File Servers causing NIPS events

Jump to solution

Hi, this might be a stupid question but have you got the , (comma) character after the IP address, for syntax separation.
We don't get the SMB brute force attack rule, we get a TCP Port Scan analyzer which is triggered from Clustered hosts. If you're getting SMB attack is your Nessus scanner using Port 139? It could be a host trying to port scan to spread the Wannacry detection, for example.

0 Kudos
Reply
Sohel
Level 10
Report Inappropriate Content
Message 8 of 8
‎07-18-2019 11:36 AM

Re: Installation of ENS on File Servers causing NIPS events

Jump to solution

Commas are in place per policy instruction.

We are not using port 139, so I'm not sure why it's saying SMB Bruce attack. 

so by adding the ips to exclusion list fixed your issue?

 

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC