McAfee® Network Protection
Industry-leading intrusion prevention solutions

IntruShield Troubleshooting Guide

McAfee® IntruShield® IPS version 4.1

revision 10.0


COPYRIGHT Copyright © 2001-2009 McAfee, Inc. All Rights Reserved.

TRADEMARKS ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), IntruShield, INTRUSION PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE AND PATENT INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions This product includes or may include: * Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. * International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others. * Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by Thai Open Source Software Center Ltd. 
and Clark Cooper, (C) 1998, 1999, 2000. * Software copyrighted by Expat maintainers. * Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C) 1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted by Martijn Koster, (C) 1995. * Software copyrighted by Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham Barr, (C) 1998. * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman Dawes, (C) 1994-1999, 2002. * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall <[email protected]> for use in the mod_ssl project (http:// www.modssl.org/). * Software copyrighted by Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002. 
* Software copyrighted by David Abrahams, (C) 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. * Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history. * Software copyrighted by Doug Gregor ([email protected]), (C) 2001, 2002. * Software copyrighted by Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Järvi ([email protected]), (C) 1999, 2000. * Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001. * Software copyrighted by Stephen Cleary ([email protected]), (C) 2000. * Software copyrighted by Housemarque Oy <http://www.housemarque.com>, (C) 2001. * Software copyrighted by Paul Moore, (C) 1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. * Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. * Software copyrighted by Simon Josefsson, (C) 2003. 
* Software copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C) 2004. * Software copyrighted by Todd C. Miller, (C) 1998. * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.

Issued JUNE 2009 / IntruShield Troubleshooting Guide 700-1561-00/ 10.0 - English

Contents

Preface ... v
  Introducing McAfee IntruShield IPS ... v
  About this Guide ... v
  Audience ... v
  Conventions used in this guide ... vi
  Related Documentation ... vii
  Contacting Technical Support ... vii
    Information requested for Troubleshooting ... viii

Before You Install ... 1
  Pre-installation recommendations ... 1
    Planning for installation ... 1
    Functional requirements ... 2
    Using anti-virus software with the Manager ... 4
    User interface responsiveness ... 5

Hardening the ISM Server ... 7
  Introduction ... 7
  Install a desktop firewall ... 7
  Harden the MySQL installation ... 7
    Remove test database ... 8
    Remove local anonymous users ... 8
    Remove remote anonymous users ... 8
    Secure MySQL remote access ... 9
    Rolling back your changes ... 10
    Remove debug shell at port 9001 ... 10
  Other best practices for securing ISM ... 11
    Recommended practices ... 11

Troubleshooting IntruShield IPS ... 12
  Facilitating troubleshooting ... 12
  Starting your troubleshooting ... 13
  Difficulties connecting sensor and ISM ... 13
    Network connectivity ... 13
    Inconsistency in sensor and ISM configuration ... 13
    Software or signature set incompatibility ... 14
    Firewall between the devices ... 14
    Management port configuration ... 14
  Connectivity issues between the sensor and other network devices ... 15
    Duplex mismatches ... 15
    Valid auto-negotiation and speed configurations ... 15
    Explanation of CatOS show port Command Counters ... 18
    Auto-negotiation ... 20
  Checking sensor health ... 20
    Pinging a sensor ... 21
  Ensuring that the sensor is receiving traffic ... 21
  Checking sensor failover status ... 21
    Cabling failover through a network device ... 21
  Checking whether a signature or software update was successful ... 22
  Checking status of a download or upload ... 22
  Conditions requiring a sensor reboot ... 22
    Rebooting a sensor via the ISM ... 23
    Rebooting a sensor using the reboot command ... 23
  Sensor doesn't boot ... 23
  Loss of connectivity between the sensor and ISM ... 23
    How sensor handles new alerts during connectivity loss ... 24
  ISM connectivity to the database ... 24
    ISM database is full ... 25
  Error on accessing the Configuration page ... 25
  Sensor response if its bandwidth is exceeded ... 25
  MySQL issues ... 26
  How sensors handle various types of traffic ... 26
    Jumbo Ethernet frames ... 26
    ISL frames ... 26

Determining False Positives ... 27
  Reducing false positives ... 27
  Tune your policies ... 27
    About false positives and "noise" ... 28
    Determining a false positive versus noise ... 29

System Fault Messages ... 31
  Critical faults ... 31
  Error faults ... 43
  Warning faults ... 48
  Informational faults ... 51
  M-series sensor faults ... 60
  Other faults ... 61

Error Messages ... 62
  Error messages for RADIUS servers ... 62
  Error messages for LDAP server ... 63

Using the InfoCollector tool ... 65
  Introduction ... 65
  Running the InfoCollector ... 66
  Using InfoCollector ... 66

Automatically restarting a failed ISM with ISM Watchdog ... 68
  Introduction ... 68
  How the ISM Watchdog Works ... 68
  Installing ISM Watchdog ... 68
  Starting ISM Watchdog ... 69
  Using ISM Watchdog with ISM in an MDR configuration ... 69
  Tracking ISM Watchdog activities ... 69

Sensor capacity by model number ... 71

Utilizing the McAfee Knowledge Base ... 74

Index ... 76

Preface

This preface provides a brief introduction to McAfee IntruShield, discusses the information in this document, and explains how this document is organized. It also provides information such as the supporting documents for this guide and how to contact McAfee Technical Support.

Introducing McAfee IntruShield IPS

McAfee IntruShield delivers the most comprehensive, accurate, and scalable network IPS solution for mission-critical enterprise, carrier, and service provider networks, while providing unmatched protection against spyware and known, zero-day, and encrypted attacks.

IntruShield combines real-time detection and prevention to provide the most comprehensive and effective network IPS in the market.

What do you want to do?

• Learn more about McAfee IntruShield components.
• Learn how to get started.
• Learn about the Home page and interaction with the Manager interface.

About this Guide

This guide provides basic troubleshooting techniques for the IntruShield system. It covers the key issues to address in the ISM and sensor software in a step-by-step manner, from installing IntruShield to troubleshooting the system.

This guide provides detailed sections on the following topics:

• Pre-installation recommendations
• Hardening ISM Server
• Troubleshooting techniques
• How to use the InfoCollector tool and ISM Watchdog

Audience

This guide is intended for use by network technicians responsible for maintaining the IntruShield Security Management System (ISM) and analyzing and disseminating the resulting data. It is assumed that you are familiar with IPS-related tasks, the relationship between tasks, and the commands necessary to perform particular tasks.


Conventions used in this guide

This document uses the following typographical conventions:

Convention: Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font.
Example: The Service field on the Properties tab specifies the name of the requested service.

Convention: Menu or action group selections are indicated using a right angle bracket.
Example: Select My Company > Admin Domain > View Details.

Convention: Procedures are presented as a series of numbered steps.
Example: 1. On the Configuration tab, click Backup.

Convention: Names of keys on the keyboard are denoted using UPPER CASE.
Example: Press ENTER.

Convention: Text such as syntax, keywords, and values that you must type exactly are denoted using Courier New font.
Example: Type: setup and then press ENTER.

Convention: Variable information that you must type based on your specific situation or environment is shown in italics.
Example: Type: sensor-IP-address and then press ENTER.

Convention: Parameters that you must supply are shown enclosed in angle brackets.
Example: set sensor ip <A.B.C.D>

Caution: Information that you must read before beginning a procedure, or that alerts you to negative consequences of certain actions such as loss of data, is denoted using this notation.

Warning: Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation.

Note: Notes that provide related, but non-critical, information are denoted using this notation.


Related Documentation

The following documents and on-line help are companions to this guide. Refer to IntruShield System Quick Reference Card for more information on these guides.

• Manager Installation Guide
• 3.1 to 4.1 Upgrade Guide
• Getting Started Guide
• IntruShield Quick Tour
• Planning & Deployment Guide
• IntruShield Sensor 1200 Product Guide
• IntruShield Sensor 1400 Product Guide
• IntruShield Sensor 2600 Product Guide
• IntruShield Sensor 2700 Product Guide
• IntruShield Sensor 3000 Product Guide
• IntruShield Sensor 4000 Product Guide
• IntruShield Sensor 4010 Product Guide
• IntruShield Configuration Basics Guide
• Administrative Domain Configuration Guide
• Manager Server Configuration Guide
• Policies Configuration Guide
• Sensor Configuration Guide—using CLI
• Sensor Configuration Guide—using ISM
• Sensor Configuration Guide—using ISM Wizard
• Alerts & System Health Monitoring Guide
• Reports Guide
• User-Defined Signatures Developer's Guide
• Attack Description Guide
• Special Topics Guide
  - Database Tuning
  - Best Practices
  - Denial-of-Service
  - Sensor High Availability
  - Custom Roles Creation
  - In-line Sensor Deployment
  - Virtualization
• Gigabit Optical Fail-Open Bypass Kit Guide
• Gigabit Copper Fail-Open Bypass Kit Guide

Contacting Technical Support

If you have any questions, contact McAfee for assistance:

Online: Contact McAfee Technical Support at http://mysupport.mcafee.com.


Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submit, software downloads, and signature updates.

Phone: Technical Support is available 7:00 A.M. to 5:00 P.M. PST, Monday through Friday. Extended 24x7 Technical Support is available for customers with Gold or Platinum service contracts. Global phone contact numbers can be found on the McAfee Contact Information page: http://www.mcafee.com/us/about/contact/index.html.

Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a user name and password for the online case submission.

Information requested for Troubleshooting

McAfee wants to provide you with the best possible support. When you contact Technical Support, we will request a variety of information to use to troubleshoot your deployment.

This section describes the information we ask that you have available for troubleshooting.

General information

• your GRANT ID. This was provided to you when you purchased the product.
• the version number of the ISM software you are using
• the version number of the sensor software you are using
• Is this a new or existing issue?
• any physical changes made to the environment recently
• Did you make any changes in your environment/setup/configuration that may have introduced the issue?

ISM-specific information

We may ask you to use our troubleshooting tool, InfoCollector. This tool collects all ISM-related log files (for example, ems.log, emsout, output.bin, config back, and the sensor trace file, if you have uploaded it to the ISM) so that you can return them to us for analysis.

As of this writing, the tool is available at the following link:

http://serviceweb/mcafee/backline/escalations/MER_TOOL/IPSInfoCollector.zip


Sensor issues

• the sensor deployment configuration
• information on the GBICs you are using with sensor GE ports; this information is extremely helpful for troubleshooting link issues
• the volume of traffic through the sensor
• in some cases, a network diagram (particularly for troubleshooting asymmetric traffic issues)
• a sensor trace file, which you can create using the process described in Providing a sensor diagnostics trace.
• sensor operating mode (i.e., In-line, SPAN or TAP). This information can be obtained from: Sensor_Name > Interface > View Details
• peer device port settings (for example, for Cisco switches/routers, you would provide the output of the show port [mod[/port]] command)
• Management port configuration (obtained by issuing a show mgmtport command)

Signature set issues

• the signature set and software versions you are running
• the frequency at which you see the false positive
• whether the alert condition is reproducible
• policy configuration
• alert evidence reports
• traffic volume, if possible
• traffic type
• what software and systems are on the affected systems
• your network topology

CHAPTER 1

Before You Install

This chapter lists pre-installation recommendations.

Pre-installation recommendations

These IntruShield pre-installation recommendations are a compilation of the information gathered from individual interviews with some of the most seasoned IntruShield System Engineers at McAfee.

Planning for installation

Before installation, ensure that you complete the following tasks:

• The server on which the ISM software will be installed should be configured and ready to be placed online.
• You must have administrator privileges for the ISM server system.
• This server should be dedicated, hardened for security, and placed on its own subnet. This server should not be used for programs like instant messaging or other non-secure Internet functions.
• Make sure your hardware meets the following minimum criteria:
  - Server class hardware (as opposed to a Desktop).
  - At least a P4 1 GHz chip (dual 2+ GHz chips are highly recommended).
  - At least 1 GB of RAM (at least 2 GB of RAM is highly recommended).
  - At least 40 GB of free disk space.
  - Fast disks and a hardware RAID array with a good amount of cache are highly encouraged. This will only improve Alert Manager performance.
  - At least one 100 Mbps Ethernet adapter.
• Make sure the Windows operating system required for this version of the ISM software is installed as defined by the system requirements in the version's release notes. The same holds true for the Windows operating system required for the client(s).
• Ensure the proper IPv4 address has been allocated for IntruShield.
• If applicable, configure name resolution for the ISM.
• Ensure that all parties have agreed to the solution design, including the location and mode of all sensors, the use of sub-interfaces or interface groups, and if and how the ISM will be connected to the production network.
• Get the required license file and grant number.
• Accumulate the required quantity of wires and (supported) GBICs, SFPs, or XFPs. Ensure these are approved hardware from McAfee or a supported vendor. Ensure that the required quantity of IntruShield dongles, which ship with the sensors, are available.
• Crossover cables will be required for 10/100 or 10/100/1000 monitoring ports if they are directly connected to a firewall, router, or end node. Otherwise, standard patch cables are required for the Fast Ethernet ports.
• If applicable, identify the ports to be mirrored, and someone who has the knowledge and rights to mirror them.
• Allocate the proper IP addresses for the sensors.
• Identify hosts that may cause false positives, for example, HTTP cache servers, DNS servers, mail relays, SNMP managers, and vulnerability scanners.
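The hardware minimums above are easy to misjudge on a shared or repurposed server, so the following script checks a candidate ISM server against them before installation. It is an added example, not part of the McAfee guide or the IntruShield product; it uses WMI (Get-WmiObject) so that it runs on the Windows Server releases of the period, and it assumes the drive with the most free space is the one the ISM will be installed on (adjust the filter if not). The function name and output layout are my own.

```powershell
# Added example (not from the McAfee guide): compare this server against the ISM
# minimum hardware criteria listed in "Planning for installation".
# Assumptions: PowerShell 2.0 or later with WMI available; run on the prospective ISM server.

function Test-IsmServerMinimums {
    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $cpus = @(Get-WmiObject -Class Win32_Processor)
    # Volume with the most free space; change the filter to the ISM install drive if needed.
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType=3" |
            Sort-Object -Property FreeSpace -Descending | Select-Object -First 1
    # Speed is reported in bits/s and is null for some drivers, so drop those adapters.
    $nics = @(Get-WmiObject -Class Win32_NetworkAdapter -Filter "NetEnabled=True" |
              Where-Object { $_.Speed })

    $ramGB      = [math]::Round($cs.TotalPhysicalMemory / 1GB, 2)
    $freeGB     = [math]::Round($disk.FreeSpace / 1GB, 2)
    $cpuMHz     = ($cpus | Measure-Object -Property MaxClockSpeed -Maximum).Maximum
    $fastestNic = ($nics | Measure-Object -Property Speed -Maximum).Maximum
    $nicMbps    = if ($fastestNic) { [int]($fastestNic / 1e6) } else { 0 }

    # One row per criterion: measured value, guide minimum, guide recommendation.
    $rows = @(
        New-Object PSObject -Property @{ Check='CPU clock (MHz)';    Value=$cpuMHz;     Minimum=1000; Recommended='dual 2000+' }
        New-Object PSObject -Property @{ Check='CPU count';          Value=$cpus.Count; Minimum=1;    Recommended='2' }
        New-Object PSObject -Property @{ Check='RAM (GB)';           Value=$ramGB;      Minimum=1;    Recommended='2' }
        New-Object PSObject -Property @{ Check='Free disk (GB)';     Value=$freeGB;     Minimum=40;   Recommended='fast disks, hardware RAID with cache' }
        New-Object PSObject -Property @{ Check='Fastest NIC (Mbps)'; Value=$nicMbps;    Minimum=100;  Recommended='100+' }
    )
    foreach ($r in $rows) {
        $r | Add-Member -MemberType NoteProperty -Name Pass -Value ($r.Value -ge $r.Minimum)
    }
    return $rows
}

$results = Test-IsmServerMinimums
$results | Format-Table Check, Value, Minimum, Recommended, Pass -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning "This server does not meet the ISM minimum requirements."
}
```

The script only covers the criteria that can be read from WMI; "server class hardware" and the Windows version named in the release notes still have to be confirmed by hand.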

Functional requirements

The following functional requirements should be addressed:

• Install Wireshark (formerly known as Ethereal; http://www.wireshark.com, http://www.wireshark.org) on the client PCs. Wireshark is a network protocol analyzer for Unix and Windows servers, used to analyze the packet logs created by IntruShield sensors.

• Ensure the correct version of JRE is installed on the client system, as described in the Release Notes. This can save a lot of time during deployment.

Note: A particular version of JRE is installed with the ISM server, as described in the release notes; make sure the ISM server does not have a conflicting version of JRE installed.

• Decide how the ISM will keep correct time. To keep the clock from drifting, for example, point the ISM server to an NTP time server. (If the time is changed on the ISM server, the ISM loses connectivity with all sensors and the Update Server, because SSL certificate validation is time sensitive.)

• If Manager Disaster Recovery (MDR) is configured, ensure that the time difference between the Primary and Secondary ISMs is less than 60 seconds. (If the spread between the two exceeds two minutes, communication with the sensors will be lost.)

• We recommend that the Management port of the sensor and the ISM be on the same internal network, for security and management reasons.

• If you are upgrading from a previous version, we recommend that you follow the instructions in the respective version’s release notes or, if one is available for your release, Upgrade Guide. We recommend that you remove old ISM software and reboot your machine before upgrading to a new version.

Install a desktop firewall

McAfee strongly recommends that you configure a packet-filtering firewall to block connections to ports 8551, 3306, 8007, 8009, and 8552 of your ISM server. The firewall can be either host-based or network-based.

Set your firewall to deny connections to these ports unless they are initiated by the localhost. The only connections that should be allowed are those from the ISM server itself; that is, the localhost.

For example, if another machine attempts to connect to port 8551, 8552, 3306, 8007, or 8009, the firewall should block those packets. If you need assistance in blocking these, contact Technical Support.


If a firewall resides between the sensor, the ISM, or the administrative client (this includes a personal firewall on the ISM itself), the following ports must be open:

Port | Protocol | Description | Direction of communication
4167 and higher (source port on the Manager) to 8500 (destination port on the sensor) | UDP | Default SNMPv3 command channel | Manager-->sensor
8501 | TCP | Proprietary (install port) | sensor-->ISM
8502 | TCP | Proprietary (alert channel/control channel) | sensor-->ISM
8503 | TCP | Proprietary (packet log channel) | sensor-->ISM
8504 | TCP | Proprietary (file transfer channel) | sensor-->ISM
8555 | TCP | SSL/TCP/IP (Alert Manager) | client-->ISM
443 | TCP | HTTPS | client-->ISM
80 | TCP | Web-based user interface (Webstart/JNLP, Console Applets) | client-->ISM
22 | TCP | SSH remote console access |

Note: If you choose to use non-default ports for the Install port, Alert port, and Log port, ensure that those ports are also open on the firewall.

• Note that 3306/TCP is used internally by the ISM to connect to the MySQL database.

• If you have Email Notification or SNMP Forwarding configured on the ISM, and there is a firewall between the ISM and your SMTP or SNMP server, ensure that the following ports are available as well.


Additional communication ports

Port | Description | Direction of communication
25/TCP | SMTP | ISM-->SMTP server
49/TCP | TACACS+ Integration | Sensor-->TACACS+ server
162/UDP | SNMP Forwarding | ISM-->SNMP server
389/TCP | LDAP Integration (without SSL) | ISM-->LDAP server
443/TCP | Secure communication for MDR | ISM 1-->ISM 2
443/TCP | Secure communication for MDR | ISM 2-->ISM 1
514/UDP | Syslog forwarding (ACL logging) | ISM-->Syslog server
636/TCP | LDAP Integration (with SSL) | ISM-->LDAP server
1812/UDP | RADIUS Integration | ISM-->RADIUS server

• Close all open programs, including email, the Administrative Tools > Services window, and instant messaging, before installation to avoid port conflicts. A port conflict may prevent the application from binding to the port in question because it is already in use.

Caution: The ISM is a standalone system and should not have other applications installed.
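The two port lists above (the ports the desktop firewall must restrict to localhost, and the client-->ISM ports that must stay reachable) can be checked from an administrative client with the following script. It is an added example for this guide, not IntruShield code: the port numbers come from the text above, the host to probe is an argument, and a "filtered" result assumes the firewall silently drops blocked connections rather than rejecting them.

```python
"""Audit an ISM host's TCP exposure from a remote client.

Added example for this guide, not part of IntruShield. The two port lists
are taken from the text above: ports the desktop firewall must block from
everything except localhost, and ports an administrative client needs to
reach. Run it from a client machine; a remote probe cannot check the
sensor-->ISM channels (8501-8504) meaningfully, so those are left out.
"""
import socket
import sys

# Must be reachable only from the ISM itself (per "Install a desktop firewall").
LOCAL_ONLY_TCP = (8551, 8552, 3306, 8007, 8009)
# Must be reachable from an administrative client (client-->ISM rows above).
CLIENT_TO_ISM_TCP = (443, 80, 8555)


def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    closed   - the host answered with RST: no listener, and nothing in the
               path dropped the SYN.
    filtered - no answer inside the timeout, which is what a firewall that
               silently drops the connection looks like from outside.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError:
            # host/network unreachable: treat like a drop, not like a RST
            return "filtered"


def audit(host, local_only=LOCAL_ONLY_TCP, must_be_open=CLIENT_TO_ISM_TCP,
          timeout=2.0):
    """Compare observed state with the guide's policy.

    Returns {port: (expected, observed)} for the ports that violate it; an
    empty dict means the host matches. A local-only port is acceptable as
    'filtered' (firewall working) or 'closed' (service not listening); it is
    a finding only when a remote peer can actually connect.
    """
    findings = {}
    for port in local_only:
        state = probe(host, port, timeout)
        if state == "open":
            findings[port] = ("local-only", state)
    for port in must_be_open:
        state = probe(host, port, timeout)
        if state != "open":
            findings[port] = ("open", state)
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, (expected, observed) in sorted(audit(target).items()):
        print(f"{target}:{port} expected {expected}, observed {observed}")
```

Run it once from a client on the management network and once from a host outside it; the database and Tomcat ports (3306, 8007, 8009, 8551, 8552) must never come back as "open" from either.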

Using anti-virus software with the Manager

If you plan to install anti-virus software such as McAfee VirusScan on the ISM, be sure the MySQL directory and its sub-directories, for example, c:\mysql\*, are excluded from the various scanning processes. Otherwise, IntruShield packet captures stored in the database may trigger the scanner, which can quarantine or delete essential MySQL files.

Also exclude the IntruShield installation directory and its sub-directories, for example, c:\intrushield\*, because temporary files are created there that might conflict with the anti-virus scanner.

Note: If you install McAfee VirusScan 8.0i on the ISM after the installation of the ISM software, the MySQL scanning exceptions will be created automatically, but the IntruShield exceptions will not.

McAfee VirusScan 8.0i and SMTP notification

VirusScan 8.0i includes an option (enabled by default) to block all outbound connections over TCP port 25. This helps reduce the risk of a compromised host propagating a worm over SMTP using a homemade mail client.

VirusScan 8.0i avoids blocking outbound SMTP connections from legitimate mail clients, such as Outlook and Eudora, by including the processes used by these products in an exclusion list. In other words, VirusScan 8.0i ships with a list of processes it will allow to create outbound TCP port 25 connections; all other processes are denied that access.

The ISM uses the JavaMail API to send SMTP notifications. If you enable SMTP notification and also run VirusScan 8.0i, you must therefore add java.exe to the list of excluded processes. If you do not explicitly create the exclusion within VirusScan 8.0i, you will see a Mailer Unreachable error in the ISM System Health each time the ISM attempts to connect to its configured mail server.

To add the exclusion, follow these steps:

1 Launch the VirusScan Console.
2 Right-click the task called Access Protection and choose Properties.
3 Highlight the rule called Prevent mass mailing worms from sending mail.
4 Click Edit.
5 Append java.exe to the list of Excluded Processes.

User interface responsiveness

The responsiveness of the user interface, the Alert Manager in particular, has a lasting effect on your overall product satisfaction.

In this section we suggest some easy but essential steps to ensure that IntruShield responsiveness is optimal:

• During ISM software installation, use the recommended values for memory and connection allocation.

• You will experience better performance in your configuration and data forensic tasks by connecting to the ISM from a browser on a client machine. Performance may be slow if you connect to the ISM using a browser on the server machine itself.

• Perform monthly or semi-monthly database purging and tuning. The greater the quantity of alert records stored in the database, the longer it will take the user interface to parse through those records for display in the Alert Manager. The default IntruShield settings err on the side of caution and leave alerts (and their packet logs) in the database until the user explicitly decides to remove them. However, most users can safely remove alerts after 30 days.

Caution: It is imperative that you tune the MySQL database after each purge operation. Otherwise, the purge process will fragment the database, which can lead to significant performance degradation.

• Defragment the disks on the ISM on a routine basis, with the exception of the MySQL directory. The more often you run your defragmenter, the quicker the process will be. Consider defragmenting the disks at least once a month.

Warning: Do NOT attempt to defragment the MySQL directory using an O/S defrag utility. To defragment MySQL tables, use a MySQL-specific utility, myisamchk available in the <mysqlinstallation>\bin directory.

• Limit the quantity of alerts to view when launching the Alert Manager. This will reduce the total quantity of records the user interface must parse and therefore potentially result in a faster initial response on startup.


• When scheduling certain ISM actions (backups, file maintenance, archivals, database tuning), set a time for each that is unique and is a minimum of an hour after/before other scheduled actions. Do not run scheduled actions concurrently.

CHAPTER 2

Hardening the ISM Server

This section describes methods for hardening your ISM server.

Introduction

IntruShield Security Manager (ISM) implementation varies between environments. The Manager server’s positioning in the network, both physically and logically, may influence specific remote access and firewall configuration requirements.

The following best practices are intended to cover the configurable features that can impact the security of ISM. This information should be used in combination with the IntruShield Release Notes and the rest of the documentation set.

McAfee’s recommendations, at a high level:

• Install a desktop firewall on the server and open the proper ports
• Harden the MySQL installation
• Harden the ISM host

Install a desktop firewall

It is recommended that you operate a desktop firewall on the ISM server. Certain ports are used within the IntruShield system; some of these are required for ISM-sensor and ISM client-server communication. All remaining unnecessary ports should be closed. The ports used by IntruShield are listed in Install a desktop firewall (on page 2).

Harden the MySQL installation

Ensure that the cmd window used for making changes to tables in the “mysql” database stays open in the mysql shell until validation is completed.

This is necessary to enable you to rollback the changes in case you need to. Rollback procedures are shown at the end of this section.

Use another cmd window, where necessary, to validate hardening changes you have made.


Remove test database

Remove the “test” database from the server.

1. Start the mysql shell and select the grant database:

mysql> use mysql;

2. Back up the db table to db_backup before changing it:

mysql> create table db_backup as select * from db;

3. Validate that the backup table was created and that its row count matches that of the mysql.db table:

mysql> select count(*) from db_backup;

4. List all the databases on the ISM server:

mysql> show databases;

5. Remove the test database. Keep only the mysql database and the IntruShield database (lf in a default installation):

mysql> drop database test;

6. Confirm that only two databases (mysql and lf) remain if you are using the default IntruShield installation of MySQL:

mysql> show databases;

Remove local anonymous users

To remove local anonymous users:

1. Look for rows with a blank user column:

mysql> select host,db,user from db;

2. Restrict any anonymous (blank-user) database privileges to the local host:

mysql> update db set host="localhost" where user="";

3. Reload the grant tables so that the change takes effect:

mysql> flush privileges;

4. Validate that “localhost” has replaced the % entry in the host column. Note that from now on you must supply a username and password to get into the mysql shell from the mysql.exe CLI on the local machine.

Remove remote anonymous users

To remove remote anonymous users, you harden mysql.exe CLI access by forcing the requirement for a username and password to get into the mysql shell as follows.


1. Start the mysql shell and select the grant database:

mysql> use mysql;

2. Back up the user table to user_backup before changing it:

mysql> create table user_backup as select * from user;

3. Validate that the backup table was created and that its row count matches that of the mysql.user table:

mysql> select count(*) from user_backup;

4. List all users and hosts:

mysql> select user,host from user;

5. Remove the anonymous (blank) accounts:

mysql> delete from user where user="";

6. Validate that the rows with a blank user column have been removed:

mysql> select user,host from user;

7. Reload the grant tables (flush privileges, as in the previous section) so that the deletion takes effect for new connections.

Secure MySQL remote access

This section provides two options for removing remote access.

• Remove individual users’ remote access • Remove ALL remote access (Recommended)

Remove individual users’ remote access

Do ONE of the following:

• Remove remote access for the admin (IntruShield) user:

mysql> delete from user where host!='localhost' and user='admin';
mysql> flush privileges;

After this the admin user cannot log in remotely; the MySQL root user still can. Use the second cmd window to validate.

• Remove remote access for the root user (recommended minimum action):

mysql> delete from user where host!='localhost' and user='root';
mysql> flush privileges;

This ensures that the root user cannot log in remotely; the ISM (admin) user still can. Use the second cmd window to validate.

Remove ALL remote access

mysql> delete from user where host!='localhost';
mysql> flush privileges;

ALL remote access is disabled, including that of the ISM users, from remote host(s).


Use another cmd window to validate: you can now log in to the MySQL CLI on the ISM server ONLY by supplying a username, password and database. For example:

mysql -uadmin -pXXX lf

Rolling back your changes

If you need to roll back your changes, use the following commands:

To roll back changes made to the mysql.db table from the mysql.db_backup table:

mysql> rename table db to db_1;
mysql> rename table db_backup to db;
mysql> flush privileges;

To roll back changes made to the "mysql.user" table from mysql.user_backup table:

mysql> rename table user to user_1;
mysql> rename table user_backup to user;
mysql> flush privileges;

Remove debug shell at port 9001

In addition to denying traffic over ports 9001 and 9002 with the desktop firewall (see Install a desktop firewall on page 2), the debugging shell that listens on port 9001 can be disabled by modifying the iv.policymgmt.RuleEngine.BSH_Diagnostics_Port record in the iv_emsproperties table: set the field called “value” to -1 for that record. Afterwards, confirm on the ISM host that nothing is listening on port 9001 (for example, with netstat -an).

Figure 1: The debug shell port


Other best practices for securing ISM

Recommended practices

• Use a clean, dedicated machine for the ISM server and perform a fresh install of the ISM software, including the installation of the embedded MySQL database. No other software should be available on the server, with the exception of a host-based firewall as described in Install a desktop firewall. (on page 2)

• Make sure the PC is in an isolated, physically secure environment.

• Disallow access to the IntruShield and MySQL installation directories and all their sub-directories to anyone other than authorized administrators. Use Microsoft Knowledge Base article # 324067 to accomplish this procedure. Disallow the following permissions:

• Read
• Write
• Read and Write
• Modify
• List folder contents
• Full control

• Disable the HTTP TRACE request. It can be disabled with the following mod_rewrite syntax in the Apache server's httpd.conf file (available in the “<Intrushield installation directory>/Apache/conf” directory):

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
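To confirm that the rewrite rule is in effect, and to see what an enabled TRACE method gives away, here is an added example (not part of the guide or the product). check_trace() sends a TRACE request to a host and port you supply and returns the status and body; the two handler classes are stand-ins for an un-hardened and a hardened server so the check can be exercised offline, and the cookie value is a placeholder.

```python
"""Verify that HTTP TRACE is refused, and show why it matters.

Added example, not from the guide. check_trace() sends a TRACE request and
returns the status code and body; 403 is what the guide's mod_rewrite rule
produces. The two tiny handlers model an un-hardened and a hardened server
so the check can be run offline: a server that honours TRACE echoes the
request back, headers included, which is how cross-site tracing leaks a
Cookie or Authorization header to script that cannot read it directly.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoTraceHandler(BaseHTTPRequestHandler):
    """Un-hardened model: answers TRACE as the HTTP spec says, by echoing."""

    def do_TRACE(self):
        request_line = f"{self.command} {self.path} {self.request_version}\r\n"
        body = (request_line + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class RefuseTraceHandler(EchoTraceHandler):
    """Hardened model: the equivalent of 'RewriteRule .* - [F]' for TRACE."""

    def do_TRACE(self):
        self.send_error(403)


def serve(handler):
    """Start a server on an ephemeral loopback port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def check_trace(host, port, cookie="session=PLACEHOLDER", timeout=3.0):
    """Send a TRACE carrying a cookie; return (status, body_text)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"Cookie": cookie})
        resp = conn.getresponse()
        return resp.status, resp.read().decode(errors="replace")
    finally:
        conn.close()


def trace_leaks_cookie(host, port, cookie="session=PLACEHOLDER"):
    """True when the server echoes the Cookie header back in its TRACE reply."""
    status, body = check_trace(host, port, cookie)
    return status == 200 and cookie in body


if __name__ == "__main__":
    for label, handler in (("echoing", EchoTraceHandler), ("refusing", RefuseTraceHandler)):
        srv, port = serve(handler)
        status, _ = check_trace("127.0.0.1", port)
        print(f"{label} server: TRACE -> {status}, cookie leaked: "
              f"{trace_leaks_cookie('127.0.0.1', port)}")
        srv.shutdown()
        srv.server_close()
```

With the rule above in place the ISM's Apache answers 403 Forbidden. Apache also offers the TraceEnable off directive (since 1.3.34 and 2.0.55), which achieves the same result without mod_rewrite.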

CHAPTER 3

Troubleshooting IntruShield IPS

This section lists some troubleshooting tips for IntruShield.

Facilitating troubleshooting

When an in-line device experiences problems, most people’s instinct is to physically pull it out of the path; to disconnect the cables and let traffic flow unimpeded while the device can be examined elsewhere. McAfee recommends you first try the following techniques to troubleshoot a sensor issue:

• All sensors have a Layer2 Passthru feature. If you feel your sensor is causing network disruption, before you remove it from the network, issue the following command at the sensor CLI:

layer2 mode assert

This pushes the sensor into Layer2 Passthru (L2) mode, causing traffic to flow through the sensor while bypassing the detection engine. Check to see whether your services are still affected; if they are, then you have eliminated certain sensor hardware issues; the problem could instead be a network issue or a configuration issue. (The layer2 mode deassert command pushes the sensor back to detection mode.)

• McAfee recommends that you configure Layer2 Passthru Mode on each sensor. This enables you to set a threshold on the sensor that pushes the sensor into L2 bypass mode if the sensor experiences a specified number of errors within a specified timeframe. Traffic then continues to flow directly through the sensor without passing to the detection engine.

• Connect a fail-open kit, which consists of a bypass switch and a controller, to any GE monitoring port pairs on the sensor. If a kit is attached to the sensor, disabling the sensor ports forces traffic to flow through the bypass switch, effectively pulling the sensor out of the path. For FE monitoring ports, there is no need for the external kit. Sensors with FE ports contain an internal tap; disabling the ports will send traffic through the internal tap, providing fail-open functionality.

Caution 1: Note that the sensor will need to reboot to move out of L2 mode only if the sensor entered L2 mode because of internal errors. (It does not need a reboot if the layer2 mode assert command was used to put the sensor into L2 mode).

Caution 2: A sensor reboot breaks the link connecting the devices on either side of the sensor and requires the renegotiation of the network link between the two devices surrounding the sensor.

Caution 3: Depending on the network equipment, this disruption should range from a couple of seconds to more than a minute with certain vendors’ devices. A very brief link disruption might occur while the links are renegotiated to place the sensor back in in-line mode.


Starting your troubleshooting

Before you get too deep into troubleshooting techniques, it is a good practice to consider the following questions:

• Were there physical changes to your network that occurred recently?

• If another device is placed in the sensor’s position, does that device receive traffic?

• If the sensor is in L2 mode, are your network’s services still affected?

• Are you using approved McAfee GBICs or SFP GBICs with your sensor? (For a list of approved hardware, see McAfee KnowledgeBase article KB56364. Go to http://mysupport.mcafee.com/Eservice/ and click Search the KnowledgeBase.)

Difficulties connecting sensor and ISM

If you experience problems getting the ISM and sensor to communicate, see if one of the following situations may be the cause.

Network connectivity

• Ensure that the sensor and ISM server have power and are appropriately connected to the network.

• Verify the link LEDs on both devices to confirm that they have an active link.

• Ping the sensor and ISM server to ensure that they are available on the network.

Inconsistency in sensor and ISM configuration

• Check to ensure that the sensor name that was entered in the CLI is identical to that entered in the ISM. Ensure the same for the shared secret key value. If these values do not match, the two cannot communicate.

Note: The sensor name is case-sensitive.

• Check the network addresses for the ISM, the ISM’s gateway, and the sensor to ensure everything is configured correctly by typing show at the sensor CLI command prompt.


Software or signature set incompatibility

Check to ensure that the sensor software image, ISM software version, and signature set version are compatible.

• A compatibility matrix is provided in the release notes that accompany each product release.

Firewall between the devices

If there is a firewall between the sensor and the ISM server, make sure the devices are able to communicate by opening the appropriate ports.

Note: Ports used by the ISM server are listed in the section Install a desktop firewall (on page 2).

Management port configuration

If you experience problems getting your sensor and ISM to communicate, it may be a communication issue between the sensor’s Management port and the network device to which it is connected. Check the Management Port Link LEDs on the sensor; if the link is down, see if any of the following suggestions enable connectivity.

• Check that the network device is on-line.

• Check the cable connecting the sensor to the network device.

• Ensure that the port on the device to which the Management port is connected is enabled/active.

• The port speed and duplex mode of the two devices must match. For example, if the device connecting to the sensor is not set to auto-negotiate, you must configure the Management port to use the same settings as those of the device connecting to the Management port. To troubleshoot this, use the set mgmtport command.

Note: Check the link LEDs on the devices to see if communication is established, or use the show mgmtport command to show the link’s status.

Try each of these configuration options to see if one establishes a link:

1 First (if possible) set the other device’s port configuration to auto-negotiate. (The sensor is set to auto-negotiate by default.)

2 Using the set mgmtport command as described below in Setting the management port speed and duplex mode, try setting the sensor's speed to 100 and duplex to half.

3 If no link is established, try speed 10 and duplex half.

4 If none of the above attempts creates a link, try setting the port on the other device to a speed of 100, duplex half, and try steps 2 and 3 again.

5 If this does not establish a link, do the same with the other device set to a speed of 10, duplex half, and try steps 2 and 3 again.

6 If you are still experiencing difficulties, contact McAfee Technical Support.


Setting the management port speed and duplex mode

1 Set the speed of the Management port and whether the port should be half- or full-duplex. At the prompt, type:

set mgmtport speed <10 | 100 | 1000> duplex <half | full>

where <10> indicates 10 Mbps, <100> indicates 100 Mbps, and <1000> indicates 1000 Mbps; <half> indicates half-duplex and <full> indicates full-duplex.

Example: set mgmtport speed 100 duplex half

Connectivity issues between the sensor and other network devices

The most common sensor problems relate to configuration of the speed and duplex settings. Speed determination issues may result in no connectivity between the sensor and the switch.

Duplex mismatches

A duplex mismatch (for example, one end of the link in full-duplex and the other in half-duplex) may result in performance issues, intermittent connectivity, and loss of communication. It can also create subtle problems in applications. For example, if a Web server is talking to a database server through an Ethernet switch with a duplex mismatch, small database queries may succeed, while large ones fail due to a timeout.

Manually setting the speed and duplex to full-duplex on only one link partner generally results in a mismatch. The common cause is disabling auto-negotiation on one link partner while the other partner, still auto-negotiating, cannot detect the duplex setting and defaults to half-duplex. This is why speed and duplex cannot be hard-coded on only one link partner. If your intent is not to use auto-negotiation, you must manually set both link partners to the same speed and duplex (normally full-duplex).

Valid auto-negotiation and speed configurations

The table below summarizes all possible settings of speed and duplex for IntruShield sensors and switch ports.


Sensor 10/100/1000 port (speed/duplex) | Switch port (speed/duplex) | Resulting sensor (speed/duplex) | Resulting Catalyst (speed/duplex) | Comments
1000 Mbps full-duplex | 1000 Mbps full-duplex | 1000 Mbps full-duplex | 1000 Mbps full-duplex |
100 Mbps full-duplex | 1000 Mbps full-duplex | No link | No link | Neither side establishes link, due to speed mismatch.
100 Mbps full-duplex | AUTO | 100 Mbps full-duplex | 100 Mbps half-duplex | Duplex mismatch.
100 Mbps full-duplex | 100 Mbps full-duplex | 100 Mbps full-duplex | 100 Mbps full-duplex | Correct manual configuration.
100 Mbps half-duplex | AUTO | 100 Mbps half-duplex | 100 Mbps half-duplex | Link is established, but the switch does not see any auto-negotiation information from IntruShield and defaults to half-duplex when operating at 10/100 Mbps.
10 Mbps half-duplex | AUTO | 10 Mbps half-duplex | 10 Mbps half-duplex | Link is established, but the switch does not see Fast Link Pulses (FLP) and defaults to 10 Mbps half-duplex.
10 Mbps half-duplex | 1000 Mbps half-duplex | No link | No link | Neither side establishes link, due to speed mismatch.
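The rows above are instances of a small set of IEEE 802.3u rules, and it is those rules a practitioner needs when a pairing is not in the table. The following added example (not from the guide or the product) encodes them: resolve() takes the sensor and switch configuration and returns what each end will settle on plus the comment. Two assumptions go beyond the table and are marked in the code: both ports are gigabit capable, and a port "fixed" at 1000 Mbps still negotiates, because 1000BASE-T requires auto-negotiation.

```python
"""Predict what a sensor/switch speed-duplex pairing will settle on.

Added example, not from the guide. resolve() generalises the table above:
two fixed ports at different speeds never link; a fixed 10/100 port facing
an auto-negotiating port is recognised by parallel detection at the right
speed, but the auto side must assume half-duplex because it learns nothing
about duplex; two auto ports agree on their best common mode. Assumptions
not in the table: both ports are gigabit capable, and a port 'fixed' at
1000 Mbps still negotiates because 1000BASE-T (802.3ab) requires it.
"""
from collections import namedtuple

Port = namedtuple("Port", "speed duplex")   # speed in Mbps, duplex 'half'/'full'
AUTO = Port("auto", "auto")                  # auto-negotiation enabled
NO_LINK = Port(None, None)


def _check(port):
    if port != AUTO and (port.speed not in (10, 100, 1000)
                         or port.duplex not in ("half", "full")):
        raise ValueError(f"invalid port configuration {port}")


def describe(port):
    """Human-readable form as the guide writes it: '100 Mbps half-duplex'."""
    if port == NO_LINK:
        return "No link"
    if port == AUTO:
        return "AUTO"
    return f"{port.speed} Mbps {port.duplex}-duplex"


def resolve(sensor, switch):
    """Return (resulting sensor mode, resulting switch mode, comment)."""
    _check(sensor)
    _check(switch)
    sensor_auto, switch_auto = sensor == AUTO, switch == AUTO
    if sensor_auto and switch_auto:
        best = Port(1000, "full")   # assumption: both ends are gigabit capable
        return best, best, "Auto-negotiation on both ends"
    if sensor_auto != switch_auto:
        fixed = switch if sensor_auto else sensor
        if fixed.speed == 1000:
            # assumption: 1000BASE-T negotiates even when one side is 'fixed'
            other = Port(1000, fixed.duplex)
            comment = "1000BASE-T negotiates even when fixed; link at 1000 Mbps"
        else:
            # Parallel detection: the auto side learns the speed from 10BASE-T
            # link pulses or 100BASE-TX idle signalling, but not the duplex,
            # so the standard makes it assume half-duplex.
            other = Port(fixed.speed, "half")
            if fixed.duplex == "full":
                comment = "Duplex mismatch: auto side sees no FLP and defaults to half-duplex"
            else:
                comment = "Link established; auto side sees no FLP and defaults to half-duplex"
        return (fixed, other, comment) if switch_auto else (other, fixed, comment)
    if sensor.speed != switch.speed:
        return NO_LINK, NO_LINK, "Neither side establishes link, due to speed mismatch"
    if sensor.duplex != switch.duplex:
        return sensor, switch, "Duplex mismatch: link is up but one side is half-duplex"
    return sensor, switch, "Correct manual configuration"


# The pairings from the table above, as (sensor, switch).
TABLE_ROWS = (
    (Port(1000, "full"), Port(1000, "full")),
    (Port(100, "full"), Port(1000, "full")),
    (Port(100, "full"), AUTO),
    (Port(100, "full"), Port(100, "full")),
    (Port(100, "half"), AUTO),
    (Port(10, "half"), AUTO),
    (Port(10, "half"), Port(1000, "half")),
)


def render(rows=TABLE_ROWS):
    """Re-derive the table rows; returns the lines rather than printing them."""
    lines = []
    for sensor, switch in rows:
        s_res, w_res, comment = resolve(sensor, switch)
        lines.append(f"{describe(sensor):22} | {describe(switch):22} | "
                     f"{describe(s_res):22} | {describe(w_res):22} | {comment}")
    return lines


if __name__ == "__main__":
    print("\n".join(render()))
```

The practical rule the code makes explicit: the only safe combinations are auto on both ends or identical fixed settings on both ends; a fixed full-duplex port facing an auto port always ends in a duplex mismatch, which is exactly the case the next sections troubleshoot.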


Gigabit auto-negotiation (no link to connected device)

Gigabit Ethernet has an auto-negotiation procedure that is more extensive than that which is used for 10/100 Mbps Ethernet (per Gigabit auto-negotiation specification IEEE 802.3z-1998). The Gigabit auto-negotiation negotiates flow control, duplex mode, and remote fault information. You must either enable or disable link negotiation on both ends of the link. Both ends of the link must be set to the same value or the link will not connect.

If one of the devices does not support Gigabit auto-negotiation, disable it on the other device as well; with negotiation disabled on both ends, the link is forced up.

Troubleshooting a Duplex Mismatch with Cisco Devices

When troubleshooting connectivity issues with Cisco switches or routers, verify that the sensor and the switch/router are using a valid configuration. The show intfport <port> command on the IntruShield sensor CLI helps reveal errors.

Sometimes there are duplex inconsistencies between IntruShield and the switch port. Symptoms include poor port performance and frame check sequence (FCS) errors that increment on the switch port. To troubleshoot this issue, manually configure the switchport to 100 Mbps, half-duplex. If this action resolves the connectivity problems, you may be running into this issue. Contact Cisco's TAC for assistance.

Use the following commands to verify fixed interface settings on some Cisco devices that connect to IntruShield sensors:

Cisco PIX® Firewall

• interface ethernet0 100full

Cisco CSS 11000

• interface ethernet-3
• phy 100Mbits-FD

Cisco Catalyst® 2900XL, 3500XL Series (Hybrid)

• interface FastEthernet0/2
• duplex full
• speed 100

Cisco Catalyst 4000, 5000, 6000 Series (Native)

• set port speed 1/1 100
• set port duplex 1/1 full


Connectivity issues with Cisco 3750-12S switch

Use the following ports when connecting a Cisco 3750-12s switch to your IntruShield sensor: 3, 4, 7, 8, 11, or 12. Connections using ports 1, 2, 5, 6, 9, or 10 may cause network jitter, which is an inconsistent delay of packets.

Cisco IOS® for Catalyst 4000, 6000 Series

• Router(config)# interface fastethernet slot/port
• Router(config-if)# speed 100
• Router(config-if)# duplex full

When troubleshooting IntruShield performance issues with Cisco switches, view the output of the show port mod/port command, and note the counter information.

Explanation of CatOS show port Command Counters

Counter Description Possible Causes

Alignment Errors

Alignment errors are a count of the number of frames received that do not end with an even number of octets and have a bad CRC.

These are the result of collisions at half-duplex, duplex mismatch, bad hardware (NIC, cable, or port), or a connected device generating frames that do not end with on an octet and have a bad FCS.

FCS FCS error count is the number of frames that were transmitted or received with a bad checksum (CRC value) in the Ethernet frame. These frames are dropped and not propagated onto other ports.

These are the result of collisions at half-duplex, duplex mismatch, bad hardware (NIC, cable, or port), or a connected device generating frames with bad FCS.

Xmit-Err This is an indication that the internal transmit buffer is full.

This is an indication of excessive input rates of traffic. This is also an indication of transmit buffer being full. The counter should only increment in situations in which the switch is unable to forward out the port at a desired rate. Situations such as excessive collisions and 10 Mb ports cause the transmit buffer to become full. Increasing speed and moving the link partner to full-duplex should minimize this occurrence.

Rcv-Err This is an indication that the receive buffer is full.

This is an indication of excessive output rates of traffic. This is also an indication of the receive buffer being full. This counter should be zero unless there is excessive traffic through the switch. In some switches, the Out-Lost counter has a direct correlation to the Rcv-Err.

UnderSize These are frames that are smaller than 64 bytes (including FCS) and have a good FCS value.

This is an indication of a bad frame generated by the connected device.

Page 28: INTR Troubleshooting 4.1

McAfee® IntruShield® IPS 4.1 Troubleshooting IntruShield IPS IntruShield Troubleshooting Guide Connectivity issues between the sensor and other network devices

19

Counter Description Possible Causes

Counter: Single Collisions
Description: The number of times the transmitting port had one collision before successfully transmitting the frame to the media.
Possible cause: A half-duplex configuration.

Counter: Multiple Collisions
Description: The number of times the transmitting port had more than one collision before successfully transmitting the frame to the media.
Possible cause: A half-duplex configuration.

Counter: Late Collisions
Description: A late collision occurs when two devices transmit at the same time and neither side of the connection detects a collision. This happens because the time to propagate the signal from one end of the network to the other is longer than the time to put the entire packet on the network. The two devices that cause the late collision never see that the other is sending until after each has put the entire packet on the network. Late collisions are detected by the transmitter after the first time slot of the 64-byte transmit time has elapsed, so they are only detected during transmissions of packets longer than 64 bytes. Detection is exactly the same as for a normal collision; it just happens later.
Possible cause: Faulty hardware (NIC, cable, or switch port) or a duplex mismatch.

Counter: Excessive Collisions
Description: The number of frames that are dropped after 16 attempts to send the packet resulted in 16 collisions.
Possible cause: Overutilization of the switch port at half-duplex, or a duplex mismatch.

Counter: Carrier Sense
Description: Carrier sense occurs every time an Ethernet controller wants to send data; the counter is incremented when there is an error in the process.
Possible cause: Faulty hardware (NIC, cable, or switch port).

Counter: Runts
Description: Frames smaller than 64 bytes with a bad FCS value.
Possible cause: The result of collisions, a duplex mismatch, or an IEEE 802.1Q (dot1q) or Inter-Switch Link Protocol (ISL) configuration issue.

Counter: Giants
Description: Frames greater than 1518 bytes that have a bad FCS value.
Possible cause: Faulty hardware, or a dot1q or ISL configuration issue.
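The UnderSize, Runt and Giant counters above differ only in frame length and whether the FCS is valid. The following Python is an added example, not code from this guide or from McAfee: it builds constructed frames, computes the IEEE 802.3 FCS with CRC-32 (zlib.crc32 uses the same polynomial and byte ordering), and buckets each frame the way those counters do. The MAC addresses, the "Jumbo" label for an oversize frame with a good FCS, and the "FCS error" label for an in-range CRC error are assumptions.

```python
import zlib

# Ethernet frame size limits used by the counters above (sizes include the FCS)
ETH_MIN_FRAME = 64
ETH_MAX_FRAME = 1518


def ethernet_fcs(frame_body: bytes) -> bytes:
    """IEEE 802.3 FCS: CRC-32 over dst..payload, sent least-significant byte first.

    zlib.crc32 uses the same polynomial, reflection and final XOR as the
    Ethernet FCS, so its result can be appended directly.
    """
    return zlib.crc32(frame_body).to_bytes(4, "little")


def build_frame(dst: bytes, src: bytes, ethertype: bytes, payload: bytes,
                corrupt_fcs: bool = False) -> bytes:
    """Constructed test frame; corrupt_fcs flips one byte of the FCS."""
    body = dst + src + ethertype + payload
    fcs = ethernet_fcs(body)
    if corrupt_fcs:
        fcs = bytes([fcs[0] ^ 0xFF]) + fcs[1:]
    return body + fcs


def fcs_ok(frame: bytes) -> bool:
    """Recompute the CRC over everything but the trailing 4 bytes and compare."""
    return len(frame) > 4 and ethernet_fcs(frame[:-4]) == frame[-4:]


def classify_frame(frame: bytes) -> str:
    """Bucket a frame the way the switch counters do: size first, then FCS."""
    size = len(frame)
    good = fcs_ok(frame)
    if size < ETH_MIN_FRAME:
        return "UnderSize" if good else "Runt"
    if size > ETH_MAX_FRAME:
        # "Jumbo" is an assumed label: an oversize frame with a good FCS is not
        # a Giant, it is simply larger than the standard maximum frame size.
        return "Jumbo" if good else "Giant"
    return "Normal" if good else "FCS error"  # assumed label for an in-range CRC error


def tally(frames) -> dict:
    """Count frames per bucket, as a port counter display would."""
    counts = {}
    for frame in frames:
        bucket = classify_frame(frame)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


# Constructed sample traffic: broadcast destination, made-up source MAC, IPv4 ethertype
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
IPV4 = bytes.fromhex("0800")

SAMPLE_FRAMES = [
    build_frame(DST, SRC, IPV4, b"\x00" * 46),                      # 64 bytes, good FCS
    build_frame(DST, SRC, IPV4, b"\x00" * 30),                      # 48 bytes, good FCS -> UnderSize
    build_frame(DST, SRC, IPV4, b"\x00" * 30, corrupt_fcs=True),    # 48 bytes, bad FCS  -> Runt
    build_frame(DST, SRC, IPV4, b"\x00" * 1500),                    # 1518 bytes: largest standard frame
    build_frame(DST, SRC, IPV4, b"\x00" * 1501, corrupt_fcs=True),  # 1519 bytes, bad FCS -> Giant
    build_frame(DST, SRC, IPV4, b"\x00" * 46, corrupt_fcs=True),    # in-range CRC error
]

if __name__ == "__main__":
    for bucket, n in sorted(tally(SAMPLE_FRAMES).items()):
        print(f"{bucket:10s} {n}")
```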


Auto-negotiation

Auto-negotiation issues typically do not result in link establishment issues. Instead, they mainly result in a loss of performance. When auto-negotiation leaves one end of the link in, for example, full-duplex mode and the other in half-duplex (a duplex mismatch), errors and retransmissions can cause unpredictable behavior in the network, leading to performance issues, intermittent connectivity, and loss of communication. Generally these errors are not fatal (traffic still makes it through), but locating and fixing them is a time-waster.

Situations that may lead to Auto-negotiation issues

Auto-negotiation issues with the IntruShield sensor may result from nonconforming implementations, hardware incompatibility, or software defects.

Generally, if the switch used with the sensor adheres to IEEE 802.3u auto-negotiation specifications and all additional features are disabled, auto-negotiation should properly negotiate speed and duplex, and no operational issues should exist.

• Problems may arise when vendor switches/routers do not conform exactly to the IEEE specification 802.3u.

• Vendor-specific advanced features that are not described in IEEE 802.3u for 10/100 Mbps auto-negotiation (such as auto-polarity or cabling integrity) can also lead to hardware incompatibility and other issues.

Checking sensor health

To see if your sensor is functioning correctly, do one of the following:

On the sensor:

• At the command prompt, type status. This displays system status (such as system health, system initialization, signature version, trust, channel status, alert counts, and so on). The sensor should be initialized and in good health.

• At the command prompt, type show. This displays configuration information (such as sensor image version, type, name, ISM and sensor IP addresses, and so on).

On the ISM:

• In the ISM Home page, select Sys Health > View to launch the System Health. ISM status should be UP, and sensor status should be ACTIVE.

Note: If you see system faults indicating that the ISM is down, see System Fault Messages (on page 31) to interpret the fault and, if necessary, take action to clear the fault.


Pinging a sensor

The sensor Management port responds to only 1 ping per second. This limits its susceptibility to a ping flood.

To ping a sensor Management port from multiple hosts, increase the time interval between pings.

Ensuring that the sensor is receiving traffic

Check the sensor’s Performance Statistics to verify that traffic is being sent and received. Do the following to verify the traffic flow:

1 From the ISM Home page, click Configure.
2 Click the desired sensor in the Resource Tree.
3 Click the Statistics tab in the right pane.
4 Click the Performance Statistics action.
5 Select the appropriate configured port.

You will see statistics such as the following:

• Port Total Unicast Pkts Sent count
• Port Total Unicast Pkts Recv count
• Port Total Multicast Pkts Sent count
• Port Total Multicast Pkts Recv count

6 Refresh the screen and verify the packet counts are increasing.

Checking sensor failover status

To ensure that two sensors comprising a failover pair are communicating via their interconnection cable, go to each sensor's CLI and type show failover-status. Failover should display as enabled (YES), and the peer sensor should display as UP.

Cabling failover through a network device

Do not cable the heartbeat connection through an external network device.

To keep overhead low and throughput high, the sensors do not include layer 2 or 3 headers on the packets they pass over the heartbeat connection, and they pass data larger than the standard Ethernet maximum frame size (1518 bytes).

If you attempt to place a network device, such as a switch or router, between the heartbeat ports, the heartbeat connection will fail.


Checking whether a signature or software update was successful

To see if your sensor successfully received a signature update or software upgrade, you can use the status command as shown in the following procedure, or the downloadstatus command, described later in this chapter.

To use the status command:

1 On the sensor, type status at the command prompt before updating the signature set on the sensor. Note the signature version.

2 Update the signature set on the sensor using the ISM screens.

3 On the sensor, again type status at the command prompt. Verify that the signature version number has incremented. The new signature version should match the signature set version just applied to the sensor.

Checking status of a download or upload

To see the progress of an upload or download, use the downloadstatus command.

The downloadstatus command displays the status of various download/upload operations: signature, software image, and DoS profile downloads (from ISM to sensor) and DoS profile and debug trace uploads (from sensor to ISM). It also lists the number of times you have performed the operation, status of your previous attempt to perform the operation (including—if the operation failed—the cause of failure), and the time the command was executed.

Do the following:

1 On the sensor, type downloadstatus at the command prompt.

Conditions requiring a sensor reboot

The following situations either cause or require a sensor reboot. You have two options for rebooting the sensor. You can reboot the sensor from the ISM interface, or you can issue the reboot CLI command.

Note: A reboot can take up to five minutes.

• Deleting signatures using the deletesignatures CLI command causes an automatic sensor reboot.

• Issuing a resetconfig CLI command causes an automatic sensor reboot.

• Changing a sensor’s IP address requires a manual reboot of the sensor before the change will take effect.

• Certain internal software errors may cause the sensor to reboot itself. See the description of sensor fault messages later in this chapter. For more information on the System Health Viewer, see the Alert & System Health Monitoring Guide.

• Upgrading sensor software requires a manual reboot of the sensor.


• Signature set updates that include a protocol change.

Rebooting a sensor via the ISM

The Reboot Sensor action restarts a sensor. You perform this action in the ISM interface.

To reboot a sensor, do the following:

1 Select Sensor_Name > Sensor > Reboot.

2 Click Reboot Sensor.

Rebooting a sensor using the reboot command

The reboot command restarts a sensor. You perform this action in the sensor CLI:

1 At the prompt, type: reboot

2 Confirm the reboot.

Sensor doesn’t boot

If you cannot get the sensor to boot, try the following:

• Check to ensure that the sensor is powered on. Check the LEDs on the front of the sensor.

• Check the front panel LEDs to ensure that the sensor temperature is normal. For more information on sensor LEDs, see the respective Product Guide for your sensor model.

• If you receive an error message in the CLI: “OS not found,” you may have a corrupted internal flash. If you see this error, contact Technical Support to obtain help in recovering the sensor.

Loss of connectivity between the sensor and ISM

If you have previously established a connection between the sensor and the ISM and the connection fails, try the following:

• Check network connectivity.

• View the system status on both the ISM and the sensor.

• Check to ensure the Management port on the sensor is configured with the proper speed and duplex mode, as described in Management port configuration.


• Has the time been reset on the ISM server? The connection between the sensor and ISM server is secure, and this secure communication is time-sensitive, so the time on the devices should remain synchronized. You must set the time on the ISM server before you install the ISM software and never change the time on that machine. If the time changes on the ISM server, the ISM will lose its connectivity with the sensor and the Update Server. A time change could ultimately cause serious database errors.

For more information, see the KnowledgeBase article KB555587 [Go to http://mysupport.mcafee.com/Eservice/, and click Search the KnowledgeBase]

How sensor handles new alerts during connectivity loss

The sensor stores alerts internally until the connection is restored. IntruShield classifies and prioritizes events so that the buffer holds the events most meaningful to an analyst.

The following table lists the number of alerts that can be stored locally on the sensor.

Number   Alert Type
100000   Signature-based alerts
2500     Throttled alerts (with source and destination IP and port information)
2500     Compressed throttled alerts (alerts with no source and destination IP information)
2500     Statistical or anomaly DoS alerts
2500     Throttled DoS alerts
1000     Host sweep alerts
1000     Port scan alerts

Once the connection from the sensor to the ISM has been re-established, the queued alerts are forwarded up to the manager, so the customer retains them even if connectivity is disrupted for some time.

If the buffer fills up before connectivity is restored, the sensor will drop new alerts, but if blocking is enabled, the sensor will continue to block irrespective of the sensor's connectivity with the ISM.
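The behaviour described above (per-type local storage, new alerts dropped once a buffer is full, queued alerts forwarded on reconnect, blocking unaffected by ISM connectivity) as an added Python model; this is example code, not IntruShield's implementation. The separate bounded queue per alert type, the method names and the tiny capacities used in the constructed scenario are assumptions; the real capacities are the ones in the table.

```python
from collections import deque

# Per-type local storage limits from the table above (alerts held on the
# sensor while the ISM is unreachable).
ALERT_CAPACITY = {
    "signature": 100000,
    "throttled": 2500,
    "compressed_throttled": 2500,
    "statistical_dos": 2500,
    "throttled_dos": 2500,
    "host_sweep": 1000,
    "port_scan": 1000,
}


class SensorAlertStore:
    """Model of how a sensor handles alerts while its ISM connection is down.

    Assumed model (not IntruShield's code): each alert type has its own bounded
    queue, so a burst of scan alerts cannot evict queued signature alerts.
    """

    def __init__(self, capacity=None, blocking_enabled=False):
        self.capacity = dict(capacity or ALERT_CAPACITY)
        self.queues = {t: deque() for t in self.capacity}
        self.dropped = {t: 0 for t in self.capacity}
        self.blocking_enabled = blocking_enabled
        self.ism_connected = True
        self.forwarded = []   # alerts that reached the ISM (stand-in for the real channel)
        self.blocked = 0      # attacks blocked in-line, regardless of ISM connectivity

    def disconnect(self):
        self.ism_connected = False

    def raise_alert(self, alert_type, alert, blockable=False):
        """Process one new alert; returns 'forwarded', 'queued' or 'dropped'."""
        if alert_type not in self.capacity:
            raise ValueError(f"unknown alert type: {alert_type}")
        # Blocking is a data-plane decision: it continues while disconnected.
        if blockable and self.blocking_enabled:
            self.blocked += 1
        if self.ism_connected:
            self.forwarded.append((alert_type, alert))
            return "forwarded"
        queue = self.queues[alert_type]
        if len(queue) >= self.capacity[alert_type]:
            self.dropped[alert_type] += 1   # buffer full: the new alert is lost
            return "dropped"
        queue.append(alert)
        return "queued"

    def reconnect(self):
        """Restore the ISM link and forward everything queued; returns the count."""
        self.ism_connected = True
        sent = 0
        for alert_type, queue in self.queues.items():
            while queue:
                self.forwarded.append((alert_type, queue.popleft()))
                sent += 1
        return sent


def simulate_outage():
    """Constructed scenario with tiny capacities so the overflow is visible."""
    store = SensorAlertStore(
        capacity={"signature": 3, "port_scan": 2}, blocking_enabled=True)
    store.raise_alert("signature", "sig-0")   # online: forwarded at once
    store.disconnect()
    results = [store.raise_alert("port_scan", f"scan-{i}") for i in range(4)]
    results += [store.raise_alert("signature", f"sig-{i}", blockable=True)
                for i in range(1, 4)]
    sent = store.reconnect()
    return {
        "results": results,
        "dropped": dict(store.dropped),
        "forwarded_after_reconnect": sent,
        "total_forwarded": len(store.forwarded),
        "blocked_during_outage": store.blocked,
    }


if __name__ == "__main__":
    print(simulate_outage())
```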

ISM connectivity to the database

In the event that the ISM loses connectivity to the database (i.e. the database goes down) the alerts are stored in a flat file on the ISM server. When the database connectivity is restored, the alerts are stored in the database.


ISM database is full

We recommend that the customer monitor the disk space on a continuous basis to prevent this from happening.

If the ISM database or disk space is full, the ISM will be unable to process any new alerts or packet logs. In addition, the ISM may not be able to process any configuration changes, including policy changes and alert acknowledgement. In fact, the ISM may stop functioning completely.

To rectify this situation, perform maintenance operations on the database, including deleting unnecessary alerts and packet logs. Furthermore, reevaluate database capacity planning and sizing, and monitor free space proactively. The ISM is designed with various file and disk maintenance functions. You can archive alert and packet log data and then delete the data to free up disk space. It also provides a standalone tool for creating database backups that can be archived for emergency restoration.

The ISM also provides disk maintenance alerts, which send proactive system fault messages when certain disk-dependent processes exceed a user-defined threshold (say 70%).

Error on accessing the Configuration page

On some occasions, accessing the ISM Configuration page can result in an error message. This typically happens if you access various versions of the ISM from the same client or use the ISM client to access other Web-based applications as well. This is a Java-cache related issue.

To resolve the issue:

1 On the ISM client, go to Windows Control Panel > Java > General > Settings.

2 Click Delete Files and then click OK in the Delete Temporary Files dialog. This deletes all Java-related temporary files on the client.

3 Log out of the ISM and close Internet Explorer.

4 Log on to the ISM in a new instance of Internet Explorer.

Sensor response if its bandwidth is exceeded

Each sensor model has a limited throughput. For example, the IntruShield 2700 sensor is rated at 600 Mbps. With the Gigabit interfaces it is theoretically possible to oversubscribe this limit. What happens in this situation? Will the sensor throttle throughput to 600 Mbps, or will you just lose IPS functionality for everything above 600 Mbps?

The answer is that the sensor will drop packets, the same way a Cisco switch would if you oversubscribed it: you cannot send 1 Gig of traffic to a 100 Mbps port.

It is very important that you stay within the operating parameters of the device you deploy. If you are actually running at gigabit speeds, you should probably be running an I-3010/I-4000/I-4010 sensor, which all have a much higher throughput.


MySQL issues

The common symptoms that occur if your database tables become corrupt:

• .MYI or .MYD errors reported in the ems.log file

• Inability to acknowledge or delete faults in System Health

• When trying to view the packet log for an alert in the Alert Viewer, you receive an error message

• You receive the message “No Packet log available for this alert at this time”

If you think that your MySQL database tables have become corrupt, follow the instructions on verifying your tables, which are available in McAfee KnowledgeBase article KB60660 [Go to http://mysupport.mcafee.com/Eservice/, and click Search the KnowledgeBase]

How sensors handle various types of traffic

Jumbo Ethernet frames

IntruShield sensors respond differently to jumbo frames based on which ports are receiving them. Inspection is not available for jumbo frames.

• 10/100 (FE) ports: Jumbo frames are not supported. When a 10/100 port receives a jumbo frame, the frame is dropped.

• 1000 (GE) port: The frame is passed through the sensor, but is not subjected to IPS inspection.

ISL frames

All IntruShield sensor models (running all sensor software versions) pass ISL frames through the sensor without IPS inspection.


CHAPTER 4

Determining False Positives

This section lists methods for determining and reducing false positives.

Reducing false positives

Your policy determines what traffic analysis your sensor will perform. IntruShield provides a number of policy templates to get you started toward your ultimate goal: prevent attacks from damaging your network, and limit the alerts displayed in the Alert Viewer to those which are valid and useful for your analysis.

There are two stages to this process: initial policy configuration and policy tuning. Each is a tedious task. Because networks and attacks constantly evolve, the policy tuning process is not only tedious, it is also never truly complete. Instead, you might equate it to disk defragmentation: the more often you do it, the less time each pass takes. The ultimate goal of policy tuning is to eliminate false positives and noise and to avoid overwhelming quantities of legitimate but anticipated alerts.

Tune your policies

The default IntruShield policy templates are provided as a generic starting point; you will want to customize one of these policies for your needs. So the first step in tuning is to clone the most appropriate policy for your network and your goals, and then customize it. (You can also modify a policy directly rather than modifying a copy.) This process is involved, and is discussed in Policies Configuration Guide.

Some things to remember when tuning your policies:

• We ask that you set your expectations appropriately regarding the elimination of false positives and noise. A proper IntruShield implementation includes multiple tuning phases. False positives and excess noise are routine for the first 3 to 4 weeks. Once properly tuned, however, they can be reduced to a rare occurrence.

• When initially deployed, IntruShield frequently exposes unexpected conditions in the existing network and application configuration. What may at first seem like a false positive might actually be the manifestation of a misconfigured router or Web application, for example.

• Before you begin, be aware of the network topology and the hosts in your network, so you can enable the policy to detect the correct set of attacks for your environment.


• Take steps to reduce false positives and noise from the start. If you allow a large number of “noisy” alerts to continue to sound on a very busy network, parsing and pruning the database can quickly become cumbersome tasks. It is preferable for all parties involved to put energy into preventing false positives rather than into working around them. One method is to disable all alerts that are obviously not applicable to the hosts you will protect. For example, if you use only Apache Web servers, you may wish to disable IIS-related attacks.

About false positives and “noise”

The mere mention of false positives causes concern in the mind of any security analyst. However, false positives may mean quite different things to different people. To manage security risk with any IDS/IPS device, it is important to understand the exact meaning of each type of alert so that the appropriate response can be applied.

With IntruShield, there are three types of alerts that are often taken as “false positives”:

• incorrectly identified events

• correctly identified events whose significance is subject to interpretation by usage policy

• correctly identified events that are uninteresting to the user

Incorrect identification

These alerts typically result from overly aggressive signature design, special characteristics of the user environment, or system bugs. For example, typical users will never use nested file folders with a path more than 256 characters long; however, a particular user may push Windows’ free-style naming to the extreme and create files with path names longer than 1024 characters. Issues in this category are rare. They can be fixed by signature modifications or software bug fixes.

Correct identification; significance subject to usage policy

Events of this type include those alerting on activities associated with Instant Messaging (IM), Internet Relay Chat (IRC), and Peer-to-Peer (P2P) programs. Some security policies forbid such traffic on their network, for example within a corporate common operating environment (COE); others may allow it to various degrees. Universities, for example, typically have a totally open policy for running these applications. IntruShield provides two means by which to tune out such events if your policies deem them uninteresting. First, you can define a customized policy in which these events are disabled. In doing so, the sensor will not even look for these events in the traffic stream to which the policy is applied. If these events are of interest for most of the hosts except a few, creating alert filters to suppress alerts for the few hosts is an alternative approach.


Correct identification; significance subject to user sensitivity (also known as noise)

There is another type of event which you may not be interested in, due to the perceived severity of the event. For example, IntruShield will detect a UDP-based host sweep when a given host sends UDP packets to a certain number of distinct destinations within a given time interval. Although you can tune this detection by configuring the threshold and the interval according to your sensitivity, it is still possible that some or all of the host IPs being scanned are not actually live. Some users will consider these alerts noise; others will take notice because they indicate possible reconnaissance activity. Another example of noise would be if someone attempted an IIS-based attack against your Apache Web server. This is a hostile act, but it will not actually harm anything beyond wasting some network bandwidth. Even so, a would-be attacker learns something he can use against your network: the fact that the attack failed can help him zero in on the type of Web server you use. You can also better manage this type of event through policy customization or by installing alert filters.

The noise-to-incorrect-identification ratio can be fairly high, particularly in the following conditions:

• the configured policy includes a lot of Informational alerts, or scan alerts which are based on request activities (such as the All Inclusive policy)

• deployment links where there is a lot of hostile traffic, such as in front of a firewall

• overly coarse traffic VIDS definition that contains very disparate applications, for example, a highly aggregated link in dedicated interface mode

Users can effectively manage the noise level by defining appropriate VIDS and customizing the policy accordingly. For dealing with exceptional hosts, such as a dedicated pentest machine, alert filters can also be used.

Determining a false positive versus noise

Some troubleshooting tips for gathering the proper data to determine whether you are dealing with a false positive or an uninteresting event:

• What did you expect to see? What is the vulnerability, if applicable, that the attack indicated by the alert is supposed to exploit?

• Ensure that you have valid traffic dumps captured from the attack attempt (for example, packet logging is enabled and you can view the resulting packet log).

• Determine whether any applications are suspected of triggering the alert—which ones, which versions, and in what specific configurations.

If you intend to work with McAfee Technical Support on the issue, we ask that you provide the following information to assist in troubleshooting:

• If this occurred in a lab using testing tools rather than live traffic, please provide detailed information of the attack/test tool used, including its name, version, configuration and where the traffic originated.

• If this is a testing environment using a traffic dump replay, make sure that the traffic dumps are valid, TCP traffic follows a proper 3-way handshake, and so on.


• Also, please provide detailed information of the test configuration in the form of a network diagram.

• Create an Evidence Report (within Alert Viewer) with the packet log.

• Be ready to tell Technical Support how often you are seeing the alerts and whether they are ongoing.


CHAPTER 5

System Fault Messages

The table in this chapter lists the system fault messages visible in the ISM System Health viewer, organized by severity, with Critical messages first, then Errors, then Warnings, then Informational messages. The faults are then listed alphabetically within those categories.

This table lists the fault messages you might encounter, their severity, and a description, including information on what action clears the fault. In many cases, the fault clears itself if the condition causing the fault is resolved. In some cases, the fault does not clear—you must acknowledge or delete it to dismiss it.

Critical faults

Critical faults are the highest severity faults and generally indicate a serious issue. See the Action column for potential troubleshooting tips.

Fault: Alert update failed
Severity: Critical
Description/Cause: An attempt to save alerts to the database failed, most likely due to insufficient database capacity.
Action: Ensure that the disk space allocated to the database is sufficient, and try the operation again.

Fault: Bootloader upgrade failure
Severity: Critical
Description/Cause: The firmware upgrade has failed on the sensor.
Action: Debug or reload the firmware on the sensor.

Fault: Cannot start control channel service (certificate)
Severity: Critical
Description/Cause: The ISM’s certificate is unavailable; this could indicate database corruption.
Action: If you have a database backup file (and think it is not corrupted), you can attempt a Restore. If this does not work, you may need to manually repair the database. Contact McAfee Technical Support.

Fault: Cannot start control channel service (key store)
Severity: Critical
Description/Cause: The ISM’s key file is unavailable and possibly corrupted. This fault could indicate database corruption.
Action: If you have a database backup file (and think it is not corrupted), you can attempt a Restore. If this does not work, you may need to manually repair the database. Contact McAfee Technical Support.


Fault: Cluster software mismatch status
Severity: Critical
Description/Cause: The software versions on the cluster primary and cluster secondary are not the same.
Action: Debug and upgrade the sensor software.

Fault: Communication failure with the IntruShield Update Server
Severity: Critical
Description/Cause: The ISM is unable to communicate with the Update Server. Any connectivity issue with the Update Server will generate this fault, including DNS name resolution failure, Update Server failure, proxy server connectivity failure, network connectivity failure, and even situations where the network cable is detached from the ISM server.
Action: This fault clears when communication with the Update Server succeeds. If your ISM is connected to the Internet, ensure it has connectivity to the Internet. Contact McAfee Technical Support if you have lost your Update Server authentication information.

Fault: Communication failure with the proxy server
Severity: Critical
Description/Cause: The ISM is unable to communicate with the proxy server. (This fault can occur only when the ISM is configured to communicate with a proxy server.)
Action: This fault clears when communication to the Update Server through the proxy succeeds.

Fault: Conflict in MDR Status
Severity: Critical
Description/Cause: Sensor found a conflict with MDR Status; ISM IP address / MDR status as ...
Action: There is a problem with the MDR configuration. Check your MDR settings.

Fault: Conflict in MDR Mode
Severity: Critical
Description/Cause: Sensor found a conflict with MDR Mode; ISM IP address / MDR status as ...
Action: There is a problem with the MDR configuration. Check your MDR settings.

Fault: Conflict in MDR Pair IP address
Severity: Critical
Description/Cause: Sensor found a conflict with MDR-Pair IPAddress; ISM-IP address / MDR action.
Action: You may need to correct the MDR configuration.

Fault: Conflict in MDR IP address type
Severity: Critical
Description/Cause: Sensor found a conflict with MDR IP AddressType.
Action: You may need to correct the MDR configuration.

Fault: Database backup failure
Severity: Critical
Description/Cause: A manual attempt to back up the database failed. This can indicate insufficient disk space for storage of the backup file.
Action: Check your disk capacity and clear enough space to accommodate the backup file, and then attempt the backup again.


Fault: Database Connectivity Problems
Severity: Critical
Description/Cause: Problems communicating with the database.
Action: Check that the database service is running and connectivity is present.

Fault: Database System Integrity
Severity: Critical
Description/Cause: A warning is displayed: Unable To Locate Index File For Table.
Action: Repair the corrupt database tables.

Fault: Dropping alerts and packet logs
Severity: Critical
Description/Cause: The ISM is not communicating with the database; the alert and packet log queues are overflowing.
Action: Perform maintenance operations to clean and tune the database.

Fault: Exceeding alert capacity threshold
Severity: Critical
Description/Cause: As with the “Approaching alert capacity threshold” fault message, this message indicates the percentage of space occupied by alerts in the database. This message appears once you have exceeded the alert threshold specified in ISM > Maintenance.
Action: Perform maintenance operations to clean the database. Delete unnecessary alerts, such as alerts older than a specific number of days. Failure to create additional space could cause undesirable behavior in the ISM.

Fault: Failed to create command channel association
Severity: Critical
Description/Cause: Indicates a failure to create a secure connection between the ISM and the sensor. Can be caused by loss of synchronization between the system time of the ISM server and the sensor. Can also indicate that the sensor is not completely online after a reboot.
Action: Restart the ISM. Check the sensor’s operating status to ensure that the sensor’s health and status are good.

Fault: Fail Open Control Module Timeout
Severity: Critical
Description/Cause: Communication has timed out between the Fail Open Controller in the sensor’s Compact Flash port and the Fail Open Bypass Switch. This situation has caused the sensor to move to Bypass mode and traffic to bypass the sensor. The fault could be the result of a cable being disconnected, or removal of the Bypass Switch.
Action: This fault clears automatically when communication resumes between the Fail Open Controller and Fail Open Bypass Switch.

Fault: Failover peer status
Severity: Critical
Description/Cause: This fault indicates whether the sensor peer is up or down.
Action: This fault clears automatically when the sensor peer is up.


Fan error Critical One or more of the fans inside the sensor have failed.

For the I-4000 and 4010, the ISM indicates which fan has failed. For the I-2600, the fan number is not specified.

On the I-4000, you can also check the sensor’s front panel LEDs to see which fan has failed.

If a fan is not operational, McAfee strongly recommends powering down the sensor and contacting Technical Support to schedule a replacement unit.

In the meantime, you can use an external fan (blowing into the front of the sensor) to prevent the sensor from overheating until the replacement is completed.

Fail-Open Bypass Switch timeout

Critical The sensor is not communicating with the Fail-Open Bypass Switch.

This fault indicates that the Bypass Switch did not receive a signal from the Fail-Open Controller, and could possibly indicate sensor port failure.

Firewall connection failure

Critical The connectivity between the sensor and the

firewall is down.

This fault can occur in situations where, for example, the firewall machine is down, or the network is experiencing problems. Ping the firewall to see if the firewall is available. Kindly contact your IT department to troubleshoot connectivity issues.

ICC UDS signature synchronization failed

Critical Port conflict in ICC UDS synchronization. Port already in use by UDS. Free this port for ICC synchronization to succeed.

Free this port for ICC synchronization to succeed.

Illegal In-line, Fail-Open configuration

Critical The sensor is configured to operate with an external Fail-Open Module hardware component, but cannot detect the hardware.

This error applies only to sensors running in in-line mode with a gigabit port in fail-open mode (using the external Fail Open Module). When this fault is triggered, the port goes into bypass mode and the sensor sends another fault to that effect to the ISM. When an appropriate configuration reaches the sensor (either the hardware is discovered or the configuration changes), the sensor begins to operate in In-line, Fail-Open mode.


Incompatible UDS signature

Critical A user-defined signature (UDS) is incompatible with the current signature set.

You will need to edit your existing UDS attacks to make them conform to the new signature set definitions. Bring up the UDS Editor (Policies > Policies > UDS) and manually perform the edit and validation.

This fault clears when a subsequent UDS compilation succeeds.

Invalid SSL decryption key

Critical The sensor detects that a particular SSL decryption key is no longer valid; for example, it may be failing to decrypt traffic.

Re-import the key (which is identified within the error message). The fault will clear itself when the key is determined to be valid.

Image downgrade detected

Critical Unsupported configuration upgrade/downgrade; default configurations are used.

This is an internal error. Check the sensor status to see that the sensor is online and in good health.

Licence expires soon

Critical Indicates that your IntruShield license is about to expire; this fault first appears 7 days prior to expiration.

Contact [email protected] for a current license.

This fault clears when the license is current.

Licence expired Critical Indicates that your IntruShield license has expired.

Contact [email protected] for a current license.

This fault clears when the license is current.

Link failure Critical The link between a Monitoring port on the sensor and the device to which it is connected is down, and communication is unavailable. The fault indicates which port is affected.

Contact your IT department to troubleshoot connectivity issues: check the cabling of the specified Monitoring port and the device connected to it; check the speed and duplex settings of the connection to the switch or router to ensure they are set correctly; check power to the switch or router.

This fault clears when communication is re-established.

Low JVM Memory Critical The ISM is experiencing high memory usage. Available system memory is low.

Reboot the ISM server.

Low Tomcat JVM Memory

Critical The ISM is experiencing high memory usage. Available system memory is low.

Reboot the ISM server.


MPE Certificate download failure

Critical Cannot push MPE Certificate to sensor. See log for details.

Occurs when the Manager cannot push the MPE Certificate to a sensor. This could result from a network connectivity issue.

On-demand scan failed because connection was refused to FoundScan engine

Critical This fault can have two causes: the user has not specified the Fully Qualified Domain Name, or the FoundScan engine is shut down.

For more information on using Fully Qualified Domain Name, see Foundstone Installation, Administrative Domain Configuration Guide.

Packet log update failed

Critical An attempt to save packet log data to the database failed, most likely due to insufficient database capacity.

Ensure that the disk space allocated to the database is sufficient, and try the operation again.

Port late collision Critical This fault could indicate a problem with the setup or configuration of the 10/100 Ethernet ports or devices connected to those ports. It could also indicate a compatibility issue between the sensor and the device to which it is connected.

The sensor may be detecting an issue with another device located on the same network link. Check to see if there is a problem with one of the other devices on the same link as the sensor. This situation could cause traffic to cease flowing on the sensor and may require a sensor reboot.

Port media type mismatch

Critical There is a mismatch in the media or connector type on the port: the port is configured for copper but uses fiber, or vice versa.

Replace the media according to the configured value.

Port certification mismatch

Critical There is a mismatch in the McAfee Certified SFP. The configuration says 'use McAfee certified', but the SFP is not McAfee certified.

Replace with a McAfee certified SFP.

Port pair is in Bypass Mode

Critical This fault indicates that the indicated GBIC ports are unable to remain in In-line Mode as configured. This has caused fail-open control to initiate and the sensor is now operating in Bypass Mode. Bypass mode indicates that traffic is flowing through the Fail Open Bypass Switch, bypassing the sensor completely.

Check the health of the sensor and the indicated ports. Check the connectivity of the Fail Open Control Cable to ensure that the Fail Open Control Module can communicate with the Fail Open Controller in the sensor’s Compact Flash port.


Port pair back to In-line, Fail-Open Mode

Critical Sensor is back to In-line, Fail-Open Mode.

This message indicates that the ports have gone from Bypass Mode back to normal.

Power supply error Critical (Seen only on sensors with a redundant power supply.) This fault indicates a loss of power in one of the two power supplies in the sensor (primary or secondary). It can mean that the power supply has failed, that the supply is inserted but is not receiving power, or that the power supply has been removed.

If the power supply is in place and plugged in to a power source, check power to the outlet providing power to the power supply. If the fault indicates that there is no power and a power interruption is not the cause, replace the failed power supply. Contact McAfee Technical Support to schedule a replacement unit.

Scheduled Foundstone vulnerability data import failed

Critical This message indicates that the vulnerability data import by the Scheduler from Foundstone database has failed.

Sensor changes to a different model

Critical A sensor was replaced with a different model type (for example, an I-1200 was replaced with an I-1200-FO (failover only) sensor). The alert channel will be unable to make a connection.

When replacing a sensor, ensure that you replace it with an identical model (for example, replace an I-1200 with an I-1200, do not attempt to replace a regular sensor with a failover-only model, and vice-versa).

Sensor configuration download failure

Critical The ISM cannot push original sensor configuration to sensor during sensor re-initialization, possibly because the trust relationship is lost between ISM and sensor.

This can also occur when a failed sensor is replaced with a new unit, and the new unit is unable to discover its configuration information.

The link between ISM and sensor may be down, or you may need to re-establish the trust relationship between sensor and ISM by resetting the shared key values.


Sensor discovery failure

Critical The sensor failed to discover its configuration information, and thus is not properly initialized. Typically, the ISM will be unable to display the sensor. This can indicate an outdated software image on the sensor.

If this fault is triggered because the sensor is temporarily unavailable, the ISM will clear this fault when the sensor is back on-line.

If the fault persists, check to ensure that the sensor has the latest software image compatible with the ISM software image. If the images are incompatible, update the sensor image via a TFTP server.

Sensor internal configuration error

Critical An internal communication error occurred within the sensor.

You must manually clear this fault.

This error may cause a reboot of the sensor, which may resolve the issue causing the fault.

If the fault persists, McAfee recommends that you perform the following steps to assist McAfee Technical Support with troubleshooting: execute a logstat on the sensor as described in the sensor CLI command reference, perform a Diagnostic Trace as described in Uploading a diagnostics trace from a sensor to your ISM, Sensor Configuration Guide—using ISM, and submit the trace file to Technical Support for troubleshooting.

Sensor model has changed

Critical A sensor has been replaced with a different model (for example, an I-4000 or I-4010 sensor has been replaced by an I-2600 sensor, or a regular sensor has been replaced by a failover model).

A sensor can be replaced only by a similar model. Check to ensure that the configuration information matches the model type. For instructions on replacing a sensor, see Replacing a Sensor, Sensor Configuration Guide—using CLI.

Sensor reboot required for SSL decryption configuration change

Critical User-configured SSL decryption settings for a particular sensor changed, requiring a sensor reboot.

Reboot the sensor to cause the changes to take effect.


Sensor re-discovery failure

Critical This fault occurs as a second part to the “Sensor discovery failure” fault. If the condition of the sensor changes such that the ISM can again communicate with it, the ISM again checks to see if the sensor discovery was successful.

This fault is issued if discovery fails, and thus the sensor is still not properly initialized.

Check to ensure that the sensor has the latest software image compatible with the ISM software image. If the images are incompatible, update the sensor image via a TFTP server.

Sensor reports a signature set error

Critical Indicates that an error has occurred with a signature set that has been successfully applied on a sensor.

Re-import the signature set onto the sensor. This can indicate a problem within the signature set itself that was not detected during download; if re-importing the same set does not solve the problem, providing a new signature set may clear the fault. If this does not solve the issue, reboot the sensor. If the fault persists, contact Technical Support.

The fault will clear when the signature set is successfully applied on the sensor and continues to be error-free after application.

Sensor switched to Layer2 Bypass mode

Critical Sensor is now operating in Layer2 Bypass mode. Intrusion detection/prevention is not functioning.

The sensor has experienced multiple errors, surpassing the configured Layer2 mode threshold. Check the sensor's status.

Sensor switched to Layer 2 mode

Critical The sensor has moved from detection mode to Layer 2 (Passthru) mode. This indicates that the sensor has experienced the specified number of errors within the specified timeframe and Layer 2 mode has triggered.

The sensor will remain in Layer 2 mode until Layer 2 is disabled and the sensor is rebooted.


Sensor is unreachable

Critical Indicates that the sensor cannot communicate with the ISM: either the connection between the sensor and the ISM is down, or the sensor has been administratively disconnected.

Contact your IT department to troubleshoot connectivity issues: check that a connection route between the ISM and the sensor exists; check the sensor’s status using the status command in the sensor command line interface or ping the sensor or the sensor gateway to ensure connectivity to the sensor.

This fault clears when the ISM detects the sensor again.

Signature set update not successful

Critical The attempt to update the signature set on the ISM was not successful, and thus the signature set is not available in the ISM.

A valid signature set must be present before any action can be taken in IntruShield.

Signature set download failure

Critical Occurs when the ISM cannot push the signature set file to a sensor. Could result from a network connectivity issue.

Contact your IT department to troubleshoot connectivity issues: check that a connection route exists between the ISM and the sensor.

Software error Critical Indicates a recoverable software error within the sensor.

This error may cause a reboot of the sensor, which may resolve the issue causing the fault.

If the fault persists, McAfee recommends that you perform the following steps to assist McAfee Technical Support with troubleshooting: execute a logstat on the sensor as described in the sensor CLI command reference, perform a Diagnostic Trace as described in the Sensor Configuration Guide—using ISM, and submit the trace file to Technical Support for troubleshooting.

Signature set update not successful

Critical The attempt to update the signature set on the ISM was not successful, and thus the signature set is not available on the ISM.

You must re-import a signature set before performing any action on the ISM.

A valid signature set must be present before any action can be taken in IntruShield.

SSL decryption key download failure

Critical Occurs when the ISM cannot push a decryption key file to a sensor. Could result from a network connectivity issue.

Contact your IT department to troubleshoot connectivity issues: check that a connection route exists between the ISM and the sensor.


The ISM is not reachable

Critical Indicates that the IntruShield Command Center and the ISM cannot communicate with each other: the connection between the two may be down, or the ISM has been administratively disconnected.

1) Check that a connection route exists between the IntruShield Command Center and the ISM.

2) Access the ISM/IntruShield Command Center directly.

This fault clears when the ISM detects the sensor again.

Temperature error Critical Indicates that the temperature of the sensor is abnormal.

The sensor will raise a temperature alert when the internal temperature of the sensor crosses 50 degrees Centigrade. The fault is removed only when the temperature falls below 40 degrees Centigrade.

Check for a Fan Status fault, and also check the sensor’s front panel LEDs to see if the sensor’s fans are operational.

If a fan is not operational, McAfee strongly recommends contacting Technical Support as soon as possible to schedule a replacement unit. In the meantime, you can use an external fan (blowing into the front of the sensor) to prevent the sensor from overheating until the repair is completed.

If a fan is not the issue, ensure that the room where the sensor is located is cool enough for the sensor to operate without overheating.

VIDS creation failure Critical This fault generally occurs in situations where the port in question is configured incorrectly. For example, a pair of ports is configured to be in different operating modes (1A is in-line while 1B is in SPAN).

Check the configuration of the port pair to see if there is an inconsistency, and make the port pair run in the same operating mode.

IntruShield Sensor - McAfee NAC Server Communication Status

Critical An IntruShield sensor sends this fault to the ISM when it is not able to communicate with the McAfee NAC server it has been configured to use.

Check the Condition Type field in the Fault Detail page to know the probable reason for this communication failure.


The Manager <ISM name><IP address> is not reachable

Critical No communication exists between ICC and ISM.

Indicates that the ICC server and ISM cannot communicate with each other. The connection between these two may be down, or ICC has been administratively disconnected.

1) Check that a connection route exists between the ICC and ISM;

2) Access the ISM directly. This fault clears when the ISM detects the sensor again.

Trust request has failed

Critical No communication exists between ICC and ISM. ICC may not be configured.

ISM failed to establish trust with ICC server. ICC could not be configured onto ISM or ICC server is not reachable.

The ISM IP address is not configured.

ICC may already have been configured with an ISM.

The ICC is in MDR mode and no Manager is in Active state.

The trust request failed due to an internal error.

Indicates that the ICC and ISM cannot communicate with each other. The connection between these two may be down, or ICC has been administratively disconnected.

Check whether ISM is configured in ICC.

Delete the previous configuration and establish a new trust with ICC.

Bring any ICC MDR pair into Active state.

Check the log for details.


The Manager <ISM name> has moved to MDR mode, and this manager cannot handle the change

Critical The ICC server is in Standby mode. The ISM server which is configured by ICC goes into secondary Standby mode after MDR creation or before data dump from primary to secondary takes place.

The ISM server configured by ICC is in Active mode but is in a disconnected state and therefore cannot communicate with ICC.

If ISM is reconnected and ICC is in Standby mode, then the Peer ICC does not have ISM configuration.

If the ICC server has moved to Standby, then move the ICC with the latest ISM information to Active mode, or recreate the MDR pair.

If the ISM has moved to Standby, then make the ISM with the ICC information Active, or make sure that the active ICC or ISM has the latest configuration data.

The Manager <ISM name> has moved to MDR mode, and this manager cannot handle the change

Critical The ISM server is in Standby mode (MDR action) and the active peer ISM does not have the ICC information.

If the ISM server has moved to Standby, then make the ICC with the latest ISM information Active or re-form the MDR pair; if the ISM has moved to Standby, then make the ISM with the ICC information Active, or make sure that the active ICC or ISM has the latest configuration data.

There is conflicts in the MDR configuration for the Manager <name>.

Critical The configuration between an existing MDR pair (ISM 1 and ISM 2 - both ISMs are ICC configured) is disabled and a new MDR pair configuration has been created with ISM 2 and ISM 3. ISM 2 is in Standby mode and ISM 3 does not have ICC configuration.

Dissolve and recreate an MDR pair.

The Manager info is deleted

Critical If two ISMs, ISM 1 and ISM 2, are configured to ICC and an MDR pair has to be established between them, then ICC considers the active ISM configuration. The Standby ISM information is deleted from ICC.

Error faults

The faults listed in the following table have a severity of Error.


Fault Severity Description/Cause Action

Alert channel is down

Error Indicates a failure to communicate with the sensor via the channel on which the ISM listens for sensor alerts.

This fault clears when the alert channel is back up.

Approaching alert capacity threshold

Error Displays the percentage of space occupied by alerts in the database. As available space decreases, this message will continue to appear—at 50%, 70%, 90% and 100%. Once you’ve exceeded this threshold, an ‘Exceeding’ fault will appear.

Please perform maintenance operations to clean the database. Delete unnecessary alerts, such as alerts older than a specific number of days.
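The raise and clear rules in this table are stateful: the Temperature error fault on the previous page is raised when the reading crosses 50 degrees but cleared only when it falls below 40, and the capacity fault above fires once per step (50%, 70%, 90%, 100%) before an 'Exceeding' fault appears. The following Python, an added example rather than ISM code, implements both rules as small monitors so that a fault derived from polled readings neither flaps around a single threshold nor repeats on every poll; the class names, the choice of the 100% step as the 'Exceeding' trigger, and the sample readings are assumptions.

```python
"""Raise/clear logic for two of the faults described in this guide (added example, not ISM code):
'Temperature error' (hysteresis: raise above 50 C, clear below 40 C) and
'Approaching alert capacity threshold' (ladder: one fault per step, then 'Exceeding').
Class names are hypothetical and the poll readings are constructed."""
from typing import List, Optional


class HysteresisFault:
    """Raise when the value rises above raise_at; clear only when it falls below
    clear_below. The gap between the two keeps the fault from flapping while the
    reading hovers around a single threshold."""

    def __init__(self, name: str, raise_at: float, clear_below: float) -> None:
        assert clear_below < raise_at, "clear point must sit below the raise point"
        self.name, self.raise_at, self.clear_below = name, raise_at, clear_below
        self.active = False

    def update(self, value: float) -> Optional[str]:
        if not self.active and value > self.raise_at:
            self.active = True
            return f"RAISE {self.name}: {value}"
        if self.active and value < self.clear_below:
            self.active = False
            return f"CLEAR {self.name}: {value}"
        return None  # no state change: still clear, or still active inside the band


class LadderFault:
    """Emit one 'Approaching' fault each time usage crosses a new step upward, emit
    'Exceeding' once usage passes the last step (assumed here to be the 100% limit),
    and re-arm the steps when usage falls so they fire again on the next rise."""

    def __init__(self, name: str, steps=(50, 70, 90, 100)) -> None:
        self.name = name
        self.steps = tuple(sorted(steps))
        self.level = 0  # number of steps currently crossed
        self.exceeding = False

    def update(self, pct: float) -> List[str]:
        events: List[str] = []
        crossed = sum(1 for s in self.steps if pct >= s)
        while self.level < crossed:  # rising: one fault per newly crossed step
            self.level += 1
            events.append(f"Approaching {self.name}: {self.steps[self.level - 1]}%")
        if self.level > crossed:  # falling: re-arm the steps above the new level
            events.append(f"CLEAR {self.name}: below {self.steps[crossed]}%")
            self.level = crossed
        if pct > self.steps[-1] and not self.exceeding:
            self.exceeding = True
            events.append(f"Exceeding {self.name}: {pct}%")
        elif pct <= self.steps[-1]:
            self.exceeding = False
        return events


def replay(temps, usages) -> List[str]:
    """Run constructed poll samples through both monitors and return the fault log."""
    temp = HysteresisFault("Temperature error", raise_at=50, clear_below=40)
    cap = LadderFault("alert capacity threshold")
    log: List[str] = []
    for t in temps:
        ev = temp.update(t)
        if ev:
            log.append(ev)
    for u in usages:
        log.extend(cap.update(u))
    return log


if __name__ == "__main__":
    # constructed readings: sensor temperature in C, then database alert usage in %
    for line in replay([45, 51, 53, 45, 41, 39], [30, 55, 95, 100, 101, 60]):
        print(line)
```

The temperature trace shows the point of hysteresis: the reading of 45 after the raise does not clear the fault, only the drop below 40 does. The capacity trace shows that a single poll jumping from 55% to 95% produces the 70% and 90% faults in order, and that falling back re-arms the ladder.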

Firewall filter application error

Error Error while applying firewall filter. An attempt to apply this firewall filter from the sensor to the firewall has failed.

Check your firewall configuration. If possible, increase the maximum number of available filters. Ensure connectivity between the Sensor and the firewall.

Get peer DoS profile failure

Error The ISM was unable to obtain the requested profile from a peer sensor. This was likely because the requested profile, or a valid saved version of it, was unavailable.

See the ems.log file for details on why the error is occurring. The fault will clear when the ISM is able to obtain a valid DoS profile.

Incident update failed

Error The ISM is unable to accept more incidents. You have reached the maximum number of incidents that can be accepted by the ISM.

Delete old incidents to provide room for incoming incidents. The fault clears when the ISM can accept incoming incidents.

Internal packet drop error

Error Sensor is dropping packets due to extreme traffic load.

Mailer unreachable

Error This fault indicates that the SMTP mailer host is unreachable, and occurs when the ISM fails to send an email notification or a scheduled report.

This fault clears when an attempt to send the email is successful.


Packet log channel is down

Error Indicates a failure to communicate with the sensor via the channel on which the ISM receives packet logs.

This fault clears when the pktlog channel is back up.

Put peer DoS profile failure

Error The sensor was unable to push a requested profile to the ISM.

See the ems.log file for details on why the error is occurring. The fault will clear when the sensor is able to push a valid DoS profile.

Queue size full Error The ISM alert queue has reached its maximum size (default 200,000 alerts), and is unable to process alerts until there is space in the queue. Packets are being detected by your sensor(s) faster than the ISM can process them.

This is evidence of extremely heavy activity. Check the packets you are receiving to see what is causing the heavy traffic on the sensor.

Also see the suggested actions for the alert Unarchived, queued alert count full.

Scheduled real-time update from Update Server to ISM failed

Error This fault can indicate problems with network connectivity between the Update Server and the ISM, invalid update sets, or update sets that were not properly signed.

This fault clears when a signature update is applied successfully.

Scheduled real-time update from Update Server to ISM failed

Error Unable to make scheduled update of ISM signature sets. This fault can indicate—for example, problems with network connectivity between the Update Server and the ISM or between the ISM and the sensor; invalid update sets; or update sets that were not properly signed.

This fault clears when a signature update is applied successfully.

Scheduled update from ISM to sensor failed

Error Unable to make scheduled update of sensor. This fault can indicate—for example, problems with network connectivity between the ISM and the sensor, incompatibility between the update set and the ISM software, compilation problems with the signature update set, or invalid update set.

This fault clears when an update is sent to sensor successfully.


Sensor is in bad health

Error This fault occurs with any type of sensor software failure, and usually occurs in conjunction with a ‘Software error’ fault.

If this fault persists, McAfee recommends that you execute a logstat from the sensor CLI twice (1 minute apart), then perform a Diagnostic Trace and submit the trace file to McAfee Technical Support for troubleshooting.

Sensor reports a anti-virus dat file error

Error The sensor has detected an error in an av-dat file segment.

Ensure that the sensor is online and in good health. The ISM will make another attempt to push the file to the sensor.

This fault is cleared when the av-dat file is successfully pushed to the sensor.

Sensor reports that the packet log channel is down

Error The sensor reports that the Pktlog channel between the EMS and the sensor is DOWN, but the EMS detects that the link (socket) is up. This inconsistency may be caused by a channel heartbeat timeout.

The sensor will typically recover on its own. If you are receiving alerts and your sensor is otherwise functioning normally, you can ignore this message. Check to see if trust is established between the sensor and ISM, by issuing a show command in the sensor CLI.

Sensor reports that the alert channel is down

Error This fault indicates that the sensor is reporting that the alert channel is down, but the physical channel is actually up.

The sensor will typically recover on its own. If you are receiving alerts with packet logs and your sensor is otherwise behaving normally, you can ignore this message.

Check to see if trust is established between the sensor and ISM by issuing a show command in the sensor CLI.

If this fault persists, contact McAfee Technical Support.

Sensor reports an out-of-range configuration

Error The ISM received a value from the sensor that is invalid. The additional text of the message contains details.

This fault does not clear automatically; it must be cleared manually.

Contact McAfee Technical Support for assistance.

Sensor configuration update failed

Error The sensor configuration update failed to be pushed from the ISM Server to the sensor.

See the ems.log file to isolate the reason for the failure.


SSL decryption key invalid

Error The ISM detects that a particular SSL decryption key is no longer valid. The detailed reason why the fault is occurring is shown in the fault message. These reasons can range from the sensor re-initializing itself with a different certificate to an inconsistency between the decryption key residing on a primary sensor and its failover peer sensor.

Re-import the key (which is identified within the error message). The fault will clear itself when the key is determined to be valid.

Unable to clean alerts and packet logs

Error Maintenance is not able to clean alerts and packet logs.

Unarchived, queued alert count full

Error Indicates that the ISM has reached the limit (default of 100,000) of alerts that can be queued for storage in the database. Also indicates the number of dropped alerts.

Alerts are being detected by your sensor(s) faster than the ISM can process them. This is evidence of extremely heavy activity.

Try the following:

Check the alerts you are receiving to see what is causing the heavy traffic on the sensor(s). You may be under a heavy attack.

Check your policies. You may have enabled a very verbose policy (for example, All-Inclusive with Audit) which is causing too many alerts/packet logs to be sent to the ISM, or packet logging is excessive (for example, packet logging is enabled for entire flow for all alerts).

Your ISM server may not have sufficient disk space/processing power to accommodate the number/rate of alerts your sensors are generating.

Rectify the situation in your policies and let the queue drain and write to the database.

Unarchived, queued packet log count full

Error Indicates that the ISM has reached the limit (default of 100,000) of packet logs that can be queued for storage in the database. Also indicates the number of dropped packet logs.

See the suggestions for the fault ‘Unarchived, queued alert count full.'


Warning faults

The faults listed in the following table have a severity of Warning.

Fault Severity Description/Cause Action

Attempt to disable failover failed

Warning The ISM’s attempt to disable failover on the sensor failed.

This is likely due to the sensor being unavailable, or down.

Ensure that the sensor is on-line. The ISM will make another attempt to disable failover when it detects that the sensor is up. The fault will clear when the ISM is successful.

DB Tuning Required

Warning Database Tuning is needed. "..." days have passed since the last database tuning.

Shut down the ISM and run the Database Tuning Utility as soon as possible.

Disabled scheduled Report Template

Warning Report Generation has failed for Schedule Report Template due to unavailability of resource(s) in the ISM.

Edit and save the disabled template in Report Generation.

Failed to backup IDS Policy

Warning Failed to back up the policy. Delete previous versions, or contact technical support or your local reseller.

Failed to backup Recon Policy

Warning Failed to back up the policy. Delete previous versions, or contact technical support or your local reseller.

Firewall connection status inconsistent on failover sensor pair

Warning The firewall connection status on the failover pair is inconsistent. This may cause the firewall function to be inconsistent for the pair.

Ensure that both sensors of the failover pair are connected to the firewall and that both sensors are online and in good health.


Initiating Audit Log file rotation

Warning The Audit Log capacity of the ISM was reached, and the ISM will begin overwriting the oldest records with the newest records (i.e. first in first out).

The fault indicates the number of records that have been written to the audit log; an equal number of audit log records are now being overwritten.

This fault is raised after a configured number of records has been written. No action is required.

The capacity is configured in the iv_emsproperties table in MySQL; this option can be turned off. If this feature is enabled, when disk capacity is reached or audit log capacity is reached, then Audit Log rotation is initiated.

ISM shutdown was not graceful

Warning The ISM experienced an abrupt shutdown, such as a crash.

Perform database tuning (dbtuning) to fix possible database inconsistencies that may have resulted. Tuning may take a while, depending on the amount of data currently in the database.

McAfee NAC channels are already Installed

Warning This warning denotes the failure to update the McAfee NAC-installation-related configuration.

Uninstall and try to update the McAfee NAC-installation-related configuration again.

Pluggable interface certification status

Warning Pluggable interface in port.

Pluggable interface absent

Warning Pluggable interface in port.

Policy Synchronization aborted because concurrent processes are running on the ISM Server

Warning Unable to synchronize policy because concurrent processes are running on the ISM Server.

Policy Synchronization aborted because concurrent processes are running on the ISM Server.


Problems Communicating to Database: Syntax error or access violation: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '<text>')' at line 1

Warning In McAfee ISM 1.8 or 1.9 it was possible to enter an apostrophe when creating an Alert Filter. However, in version 2.1 an apostrophe in the Alert Filter became invalid. Any attempt in McAfee ISM 2.1 to add an apostrophe prompts the user with a popup error warning that invalid characters were entered. You may be unable to push updated policies to sensors. After a policy update, the ISM still shows that a policy update is required.

You must delete the alert filter with the apostrophe and recreate it without an apostrophe. To delete an alert filter:

1. In the ISM, click the <Domain Name> which has the error.

2. Click the Policies node.

3. If it is not already selected, click the Policies tab.

4. Click Alert Filter Editor.

5. In the Alert Filter Name section, select the alert filter with the apostrophe.

6. Click Delete. A Confirmation dialog box displays with the question, “Do you want to delete the selected item?”

7. Click Yes. The alert filter no longer displays in the list.

Physical configuration changed

Warning This warning could be caused by the physical configuration of the MFA chassis changing. This occurs when the sensor connects to the ISM with a different physical configuration.

Signature segments out of sync

Warning An attempt to update the signature set on both sensors of a failover pair was unsuccessful for one of the pair, causing the signature sets to be out of sync on the two sensors.

The ISM will make another attempt to automatically push the signature file down to the sensor on which the update operation failed.

Ensure that the sensor in question is on-line and in good health. The fault will clear when the ISM is successful.

If the operation fails a second time, a Critical Signature set download failure fault will be shown as well.

Both faults will clear when the signature set is successfully pushed to the sensor.

Scheduled backup failed

Warning Unable to make a scheduled backup of the ISM Configuration. This fault can indicate problems such as SQL exceptions, database connectivity problems, or out-of-disk space errors.

Check your Backup configuration settings.

This fault clears when a successful backup is made.

Sensor not initialized

Warning The sensor is not properly initialized. Either it is in the process of starting up and is not ready, or the signature set is missing on the sensor.

The sensor may have just been rebooted and is not up yet. Wait a few minutes to see if this is the issue; if not, check to ensure that a signature set is present on the sensor. A resetconfig command may have been issued, and the sensor has not yet been reconfigured.

Sensor power up

Warning The sensor has just completed booting and is on-line.

This message is informational.

Acknowledge or delete the fault to clear it.

SSL decryption keys out of sync

Warning The ISM was unable to update the decryption key on one sensor in a failover pair, causing the key on that sensor to be out of sync with the one on its failover peer.

The ISM will make another attempt to update the key. Ensure that the sensor is online and in good health.

The fault will clear when the ISM successfully pushes the key to the sensor and both keys are in sync.

System startup in progress; alerts being restored

Warning System startup restored alerts from the archive file. Alert Manager may not show all alerts.

Alert Manager may not show all alerts.

Informational faults

The faults listed in the following table are Informational in nature; they report system status. An Action of “n/a” indicates that no action is required; the message is informational.

Fault Severity Description/Cause Action

Alert archival in progress

Informational The ISM is archiving the alerts; the process is in progress.

Wait for the Alert archival to complete.

Alert Archival state has changed

Informational The alert archival process has started.

n/a

Cluster software initialization status

Informational Sensor software has initialized correctly

n/a

Conflict in MDR Pair IP address

Informational Sensor found a conflict with MDR pair IP address; ISM IP address / MDR status as ...

There is a problem with MDR configuration. Check your MDR settings.

Daily scheduled report generation complete

Informational Daily scheduled report generation process successfully completed

n/a

Daily scheduled report generation in progress

Informational Daily scheduled report generation process in progress

n/a

Data dump retrieval from peer has been completed successfully

Informational n/a

Data dump retrieval from peer is in progress

Informational n/a

Database archival in progress

Informational The database archival process is in progress.

Do not attempt to tune the database or perform any other database activity such as a backup or restore until the archival process successfully completes.

Database archival successful

Informational The database archival was successful.

n/a

Database backup failure.

Informational Unable to back up database tables.

This message indicates that an attempt to manually back up the database has failed. The most likely cause of failure is insufficient disk space on the ISM server; the backup file may be too big. Check your disk capacity to ensure there is sufficient disk space, and try the operation again.

Database backup in progress.

Informational A manual or scheduled database backup process is in progress.

Do not attempt to tune the database or perform any other database activity such as an archive or restore until the backup process successfully completes.

Database backup successfully completed

Informational The database backup was successful.

n/a

Database tuning in progress

Informational The database tuning process is in progress.

The user cannot perform the following operations while tuning is in progress: (1) viewing or modifying alerts in the alert viewer; (2) generating IDS reports on alerts; (3) backing up or restoring all tables, or the alert and packet log tables; (4) archiving alerts and packet logs into files.

Database Tuning Required

Informational Database tuning is needed: "..." days have passed since the last database tuning.

Shut down the ISM and run the Database Tuning Utility as soon as possible.

Database tuning successful

Informational The database tuning process successfully completed.

n/a

Deleted ICC Policy is applied on resources

Informational Policy <policy name> is applied on resources. Creating clone <policy name> before delete.

Deleted ICC policy is applied to components.

ISM Request is not from Trusted IP Address

Informational The ISM Request is not from Trusted IP Address.

Ensure the Peer ISM is not already in MDR with another Manager.

ISM version mismatch. Primary ISM has latest version

Informational The two ISMs in an MDR configuration must have the same ISM software version installed. The Primary ISM software is more recent than that of the Secondary ISM.

Ensure the two ISMs run the same software version.

ISM version mismatch. Secondary ISM has latest version

Informational The two ISMs in an MDR configuration must have the same ISM software version installed. The Secondary ISM software is more recent than that of the Primary ISM.

Ensure the two Managers run the same software version.

IntruShield-defined UDS overridden by signature set.

Informational An IntruShield-defined UDS has been incorporated in a new signature set and has been removed from the UDS Editor.

This message is informational and indicates that an emergency McAfee-provided UDS signature has been appropriately overwritten as part of a signature set upgrade.

MDR manual switchover successful; Secondary ISM is in control of sensors

Informational Manager Disaster Recovery, initiated via a manual switchover, has completed successfully. The Secondary ISM is now in control of sensors.

n/a

MDR automatic switchover has been completed; Secondary ISM is in control of sensors

Informational Manager Disaster Recovery switchover has been completed; the Secondary Manager is in control of sensors.

Failover has occurred; the Secondary ISM is now in control of the sensors. Troubleshoot problems with the Primary ISM and attempt to bring it online again. Once it is online again, you can switch control back to the Primary.

MDR configuration information retrieval from Primary ISM successful

Informational Manager Disaster Recovery Secondary ISM has successfully retrieved configuration information from the Primary ISM.

n/a

MDR force switch has been completed; Secondary ISM is in control of sensors

Informational Manager Disaster Recovery is completed via a manual switchover. Secondary ISM is now in control of sensors.

n/a

MDR has been cancelled

Informational Manager Disaster Recovery has been cancelled

n/a

MDR has been configured

Informational Manager Disaster Recovery has been successfully configured

n/a

MDR operations have been resumed

Informational Manager Disaster Recovery functionality has been resumed. Failover functionality is again available.

n/a

MDR operations have been suspended

Informational Manager Disaster Recovery functionality has been suspended. No failover will take place while MDR is suspended.

n/a

MDR switchback has been completed; Primary ISM is in control of sensors

Informational Manager Disaster Recovery switchback has been completed; the Primary ISM has regained control of sensors.

n/a

No Syslog Forwarder configured

Informational No Syslog server has been configured to accept ACL logs for the Admin Domain <Admin Domain Name>.

Configure a Syslog server. This message will appear until a Syslog server has been configured for use in forwarding ACL logs.

Packet Log Archival state has changed

Informational n/a

Packet Log archival in progress

Informational The ISM is archiving the Packet Logs.

Wait for the Packet Log archival to complete.

Problem retrieving the data dump from peer

Informational The data import process is aborted as there was a problem while retrieving the dump from peer.

This fault is generated for MDR pairs.

Check whether the peer ISM machine is reachable from this machine.

Real-time signature file update from ISM to Sensor(s) is in progress

Informational A real-time signature file update to sensor(s) is in progress. This action is attempted after a scheduled signature set update to the ISM, and if real-time signature file updates are enabled.

n/a

Real-time signature file update from ISM to Sensor(s) successful

Informational A real-time signature file update to sensor(s) is successful. This action is attempted after a scheduled signature set update to the ISM, and if real-time signature file updates are enabled.

n/a

Report creation complete

Informational Report creation successfully complete

n/a

Report generation in progress

Informational Report generation process in progress

n/a

Reset to standalone has been invoked; Primary ISM is in control of sensors

Informational A “Reset to Standalone” has been invoked; the Primary ISM is standalone and is in control of sensors

n/a

Reset to standalone has been invoked; Secondary ISM is in control of sensors

Informational A “Reset to Standalone” has been invoked; the Secondary ISM is standalone and is in control of sensors

n/a

Reset to standalone has been invoked; This Manager is in control of sensors

Informational A "Reset to Standalone" has been invoked; the current ISM is standalone and in control of sensors.

n/a

Reset to standalone has been invoked; Peer ISM is in control of sensors

Informational A "Reset to Standalone" has been invoked; the Peer ISM is standalone and in control of sensors.

n/a

Scheduled backup failed

Informational Unable to create the scheduled database backup.

This fault indicates problems such as SQL exceptions, database connectivity problems, or out-of-disk space errors.

Check your backup configuration settings. This fault clears when a successful backup is made.

Scheduled signature set download from Update Server to ISM in progress

Informational A scheduled signature set update is in the process of downloading from the McAfee Update Server to the ISM server.

n/a

Scheduled signature set download from Update Server to ISM is successful

Informational A scheduled signature set download from the McAfee Update Server to the ISM server is successful.

n/a

Scheduled signature file update from ISM to sensor(s) is in progress

Informational A scheduled signature file update from the ISM to sensor(s) is in progress.

n/a

Scheduled signature file update from ISM to Sensor(s) successful

Informational A scheduled signature file update from the ISM to sensor(s) is successful.

n/a

Scheduler - Signature download from ISM to Sensor failed

Informational Scheduler - Signature download from ISM to Sensor has failed

n/a

Sensor configuration update failed

Informational Sensor configuration update failed while transferring from the ISM server to the sensor.

n/a

Sensor configuration update in progress

Informational A sensor configuration update is in the process of being pushed from the ISM server to the sensor.

n/a

Sensor configuration update successful

Informational Sensor configuration update successfully pushed from the ISM server to the sensor.

n/a

Sensor discovery is in progress

Informational The ISM is attempting to discover the sensor.

n/a

Sensor software image download failed

Informational Sensor software image failed to download from the McAfee Update Server to the ISM server.

n/a

Sensor software image download in progress

Informational Sensor software image is in the process of downloading from the McAfee Update Server to the ISM server.

n/a

Sensor software image download successful

Informational Sensor software image successfully downloaded from the McAfee Update Server to the ISM server.

n/a

Sensor software image or signature set import in progress

Informational A sensor software image or signature set file is in the process of being imported from the McAfee Update Server to the ISM server.

n/a

Sensor software update is in progress

Informational A sensor software update is in the process of being pushed from the ISM Server to the sensor.

n/a

Sensor software update successful

Informational Sensor software update successfully pushed from the ISM Server to the sensor.

n/a

Signature set download successful

Informational Signature set successfully downloaded from the McAfee Update Server to the ISM server.

n/a

Signature set update failed

Informational Signature set update failed while transferring from the ISM server to the sensor.

n/a

Signature set update is in progress

Informational A signature set is in the process of being pushed from the ISM server to the sensor.

n/a

Signature set update not successful.

Informational The attempt to update the signature set on the ISM was not successful, and thus no signature set is available on the ISM.

You must re-import a signature set before performing any action on the ISM. A valid signature set must be present before any action can be taken in IntruShield.

Switchback has been completed; the Primary ISM is now in control of sensors

Informational n/a

System startup in process; alerts being restored

Informational Alert Manager may not show all alerts.

Restart the ISM to view the restored alerts in Alert Manager.

Syslog Forwarder is not configured for the Admin Domain: <Admin Domain Name> to accept the ACL logs.

Informational ACL logging is enabled, but no Syslog server has been configured to accept the log messages.

Configure a Syslog server to receive forwarded ACL logs.

The Sensor to ISM communication IP do not match with the peer ISM's peer IP configured in the MDR set up.

Informational The Sensor to ISM communication IP does not match the peer ISM's peer IP. The peer IP configured in the peer ISM is the IP of this ISM, and this IP should match the Sensor-ISM Communication IP set in this ISM during installation.

Ensure that the Sensor-ISM communication IP matches the peer ISM's peer IP in the MDR configuration.

The MDR pair is changed, <ISM name>

Informational ICC has an MDR pair created and the ISM is in disconnected mode. The fault is raised if the ICC MDR pair is dissolved and recreated, making the existing Primary Manager the Secondary Manager and the existing Secondary Manager the Primary Manager.

Dissolve and recreate an MDR pair.

UDS export to the ISM in progress

Informational One or more UDS is in the process of being exported from the UDS Editor to the ISM server.

n/a

UDS export to the ISM successful

Informational n/a

Vulnerability data import from Foundstone database was successful

Informational This message indicates that the vulnerability data import from Foundstone database is successful.

For more information on importing vulnerability data reports in ISM, see Importing Vulnerability Scanner Reports, Policies Configuration Guide.

Weekly scheduled report generation complete

Informational Weekly scheduled report generation process successfully completed

n/a

Weekly scheduled report generation in progress

Informational Weekly scheduled report generation process in progress

n/a

M-series sensor faults

Fault Severity Description/Cause Action

<Port name> configured media type is <Optical / Copper / Unknown>, inserted media type is <Optical /Copper /Unknown>.

Critical This fault occurs when there is a mismatch between the configured port media type and the inserted port media type.

Configure the correct port media type.

<Port name> McAfee Certified pluggable interface status is <Matched /Mismatched>.

Critical This fault occurs when there is a mismatch in pluggable interface certification status, that is, when a McAfee-certified pluggable interface port is used together with a non-McAfee-certified pluggable interface port.

Configure the correct port.

Report Generation failed for Schedule Report Template <template name> due to unavailability of resource(s) in ISM.

Warning This fault occurs when the scheduled report template is disabled.

Enable and save the template to generate the report.

Sensor <sensor name> discovered with license that will expire on <expiry date>.

Informational This informational fault occurs when a sensor is discovered with a license that has an expiry date.

Renew the license before it expires.

Sensor <sensor name> discovered without license, sensor may not detect attacks.

Critical This fault occurs when a sensor does not have a license.

Contact Technical Support or your local reseller to obtain a permanent license.

Sensor <sensor name> device license expired, sensor may not detect attacks.

Critical This fault occurs when the license has expired.

Contact Technical Support or your local reseller to obtain a permanent license.

Sensor <sensor name> support license expired, sensor may not detect attacks

Critical This fault occurs when the support term license has expired.

Contact Technical Support or your local reseller to obtain a permanent license.

Sensor discovered with cluster secondary license

Critical Sensor discovered with cluster secondary license, and must not be connected to ISM directly.

To obtain a standard license now, contact Technical Support or your local reseller.

<XLR A die / XLR B die / XLR C die> temperature is <Normal / Abnormal / Critical / Unknown>.

Critical This fault occurs when the temperature of the XLR chip/module in the sensor is abnormal.

Check the Fan LEDs on the front of the sensor to ensure all internal sensor fans are functioning.

Other faults

Host Quarantine and Remediation

In the case of Host Quarantine and Remediation, the sensor raises a fault message to the ISM when the number of quarantine rules exceeds the maximum permitted limit. The fault is displayed as IP: host quarantine block nodes exhausted. This can be viewed as an alert in the Alert Manager. For more information, see Fault messages for Host Quarantine, Alerts & System Health Monitoring Guide.

Note 1: You can have up to 1000 host quarantine rules for IPv4 addresses, and up to 500 host quarantine rules for IPv6 addresses. For more information on using quarantine from Alert Manager, see Using Host Quarantine, Alerts & System Health Monitoring Guide.

Note 2: For more information on quarantine and remediation functionality, see Host Quarantine and Remediation, Sensor Configuration Guide—using ISM.

CHAPTER 6

Error Messages

This section lists the error messages displayed in the ISM.

Error messages for RADIUS servers

The first table lists the error messages displayed in the ISM; the second table lists the entries displayed in the User Activity Audit report.

Error Name Description/Cause Action

RADIUS Connection Successful

RADIUS server is up and running

RADIUS server is up and running

RADIUS Connection Failed

Network failure, congestion at servers or RADIUS server not available

Try again after some time; check the IP address and Shared Secret key

No RADIUS server configured

No server available

Configure at least one RADIUS server

Server with IP address and port already exists for RADIUS server

IP address and port connection not unique

Use a different IP address and port number

RADIUS server host IP address/host name is required

Field cannot be blank

Enter a valid host name /IP address

Shared Secret key is unique in case of RADIUS server

Field cannot be blank

Enter a valid host name /IP address

RADIUS server host IP address/host name cannot be resolved as entered

Invalid host name /IP address

Enter a valid host name /IP address

Error Name Description/Cause Error Type

RADIUS Authentication

User <user name> with login Id <login Id> failed to authenticate to RADIUS server <RADIUS server host name /IP address> on port <port number> due to server timeout/ network failure

User

Add RADIUS server

Added RADIUS server IP Address/Host <IP address or host name>, port <port number>, enable <Yes/No>

Manager

Edit RADIUS server

IP Address/Host <IP address or host name> set port <port number>, set Enabled <Yes/No>

Manager

Delete RADIUS server

Deleted RADIUS Server IP Address/Host <IP address or host name>, port <port number>

Manager

Error messages for LDAP server

The first table lists the error messages displayed in the ISM; the second table lists the entries displayed in the User Activity Audit report.

Error Name Description/Cause Action

Server with IP address and port already exists for LDAP server

IP address and port connection not unique

Use a different IP address and port number

LDAP server host IP address/host name is required

Field cannot be blank

Enter a valid host name /IP address

LDAP server host IP address/host name cannot be resolved as entered

Invalid host name /IP address

Enter a valid host name /IP address

LDAP Connection Successful

LDAP server is up and running

LDAP server is up and running

LDAP Connection Failed

Network failure, congestion at servers or LDAP server not available

Try again after some time; check the IP address

No LDAP server configured

No server available

Configure at least one LDAP server

Error Name Description/Cause Error Type

LDAP Authentication

User <user name> with login Id <login Id> failed to authenticate to LDAP server <LDAP server host name /IP address> on port <port number> due to server timeout/ network failure.

User

Add LDAP server

Added LDAP server IP Address/Host <IP address or host name>, port <port number>, enable <Yes/No>

Manager

Edit LDAP server

IP Address/Host <IP address or host name> set port <port number>, set Enabled <Yes/No>

Manager

Delete LDAP server

Deleted LDAP Server IP Address/Host <IP address or host name>, port <port number>

Manager

CHAPTER 7

Using the InfoCollector tool

Introduction

InfoCollector is an information collection tool, bundled with the ISM, that allows you to easily provide McAfee with IntruShield-related log information. McAfee can use this information to investigate and diagnose issues you may be experiencing with the ISM.

InfoCollector can collect information from the following sources within the IntruShield system:

Information Type Description

Ems.log Files Configurable logs containing information from various components of the ISM. The current ems.log file is renamed when its size reaches 1MB, using the current timestamp. Another ems.log is created to collect the latest log information.

Configuration backup A collection of database information containing all IntruShield configuration information.

Configuration files XML and property files within the IntruShield config directory.

Fault log A table in the IntruShield database that contains generated fault log messages.

Sensor Trace A file containing various sensor-related log files.

Compiled Signature A file containing signature information and policy configuration for a given sensor.

InfoCollector is a tool that can be used both by you and by McAfee.

McAfee systems engineers can use the InfoCollector tool to provide you with a definition (.def) file via email. This file is configured by McAfee to automatically choose information that McAfee needs from your installation of IntruShield. You simply open the definition file within the InfoCollector and it will automatically select the information that McAfee needs from your installation of the ISM.

Alternatively, a manual approach can also be used with InfoCollector, and you can select information yourself to provide to McAfee. For example, McAfee may ask you to select checkboxes that correspond to different sets of information available within IntruShield.

Running the InfoCollector

To run InfoCollector, follow these steps:

1. If you do not already have InfoCollector installed, download the InfoCollector.zip file from the McAfee website and extract it to the following location:

C:\[INTRUSHIELD_INSTALL_DIR]\diag

Files related to InfoCollector, such as infocollector.bat should be in the following location:

C:\[INTRUSHIELD_INSTALL_DIR]\diag\InfoCollector

2. Run the following batch file:

C:\[INTRUSHIELD_INSTALL_DIR]\diag\InfoCollector\infocollector.bat

Using InfoCollector

To use InfoCollector, follow these steps:

1. After you run InfoCollector, do one of the following:

If McAfee provides you with a definition file:

i. Open the File menu and click Open Definition.

Figure 2: Diagnostic information collector – Open definition

ii. Select the definition file that McAfee sent you via email and click Select.

If McAfee instructs you to select InfoCollector checkboxes:

iii. Select the checkboxes as instructed by McAfee.

iv. Select a Duration. Select Date to specify a start and end date, or select Last X Days.

v. If you selected Last X Days, select the number of days from which InfoCollector should gather information.

vi. Click Browse and select the path and filename of the output ZIP file.

2. Click Run.

Figure 3: Diagnostic information Collector - Run

3. Provide the output ZIP file to McAfee as recommended by McAfee Technical Support. You can send the file via email or through FTP.

Caution: The output ZIP file contains the toolconfig.txt file, which lists the information that you have chosen to provide McAfee.

CHAPTER 8

Automatically restarting a failed ISM with ISM Watchdog

Introduction

The ISM Watchdog feature is designed to restart the ISM if the ISM crashes, potentially bringing the ISM back online before MDR enables.

The ISM Watchdog monitors the ISM process on the ISM server periodically for availability. If ISM Watchdog detects that the ISM has gone down unexpectedly, it restarts the service automatically. (It does not restart the ISM if the ISM has been shut down intentionally.)

How the ISM Watchdog Works

ISM Watchdog runs as a separate process and monitors ISM through the Windows OS Services model. ISM Watchdog polls ISM every 10 seconds. If the ISM Watchdog does not detect the ISM during a polling period, it waits 30 seconds and then restarts the ISM service automatically. ISM Watchdog will make five attempts to restart the ISM and then, if it has not succeeded, it will exit.

ISM Watchdog, by default, is a manual service; you must explicitly start it.

Caution 1: You can instead change this setting to be automatic if you wish the service to start automatically after a system reboot.

Caution 2: If you have chosen to change the ISM service setting from its default (Auto) to "Manual," (during a troubleshooting session, for example) then consider doing the same for ISM Watchdog. This will prevent the ISM Watchdog from restarting ISM automatically.

Installing ISM Watchdog

ISM Watchdog is installed automatically during ISM installation, and a new OS service called "IntruShield Watchdog Service" is created to enable you to start and stop the ISM Watchdog service.

Caution: ISM Watchdog monitors only the "IntruShieldMgr" service. It does not monitor the MySQL or Apache services, so a failure of the database or web server is neither detected nor corrected by the watchdog.


Starting ISM Watchdog

The ISM watchdog process is, by default, not started after installation; you must start the ISM watchdog process manually.

To start/stop ISM Watchdog:

1. Select Start > Settings > Control Panel. Double-click Administrative Tools, and then double-click Services.

2. Click IntruShield Watchdog Service.

3. Do one of the following:

To start the service, select Action > Start. To stop the service, select Action > Stop.

Using ISM Watchdog with ISM in an MDR configuration

When using ISM Watchdog on an ISM that is part of an MDR configuration, decide whether you want the ISM Watchdog to restart the ISM before failover can occur. If so, the MDR setting "Downtime Before Switchover" must be greater than the ISM Watchdog restart delay of 30 seconds; otherwise MDR is initiated and the peer ISM takes over before the watchdog has acted. Because the watchdog needs up to one polling interval (10 seconds) to notice the outage, and the ISM itself takes time to start, McAfee suggests retaining the default value of 5 minutes or greater to give the ISM Watchdog time to restart the ISM.

If the ISM Watchdog brings up a primary ISM after MDR has initiated, note that the primary ISM does not come back Active; it checks first to determine whether the secondary is Active and if so, remains as standby.
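The poll / wait / retry behaviour described under "How the ISM Watchdog Works", together with the MDR timing rule above, as an added Python model. This is illustration written for this page, not McAfee's watchdog code: the service is a constructed stand-in (SimulatedIsm), and because the guide does not say how the real watchdog tells a crash from a deliberate stop, the stand-in simply reports which one occurred; the count of failed attempts is assumed to reset after a successful restart. watchdog_beats_mdr() checks a "Downtime Before Switchover" value against the watchdog's worst-case time to its first restart.

```python
"""Model of the ISM Watchdog restart loop and the MDR timing rule.
Added illustration, not McAfee code; SimulatedIsm is a constructed stand-in
for the IntruShieldMgr service. Timings and limits are those the guide states."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

POLL_INTERVAL_S = 10        # watchdog polls the ISM service every 10 s
RESTART_DELAY_S = 30        # waits 30 s after a missed poll before restarting
MAX_RESTART_ATTEMPTS = 5    # exits after five failed restarts
DEFAULT_SWITCHOVER_S = 300  # MDR "Downtime Before Switchover" default (5 min)


class IsmState(Enum):
    RUNNING = "running"
    STOPPED = "stopped"     # stopped on purpose through the Services console
    CRASHED = "crashed"     # process gone without a controlled stop


class SimulatedIsm:
    """Scripted service stand-in. How the real watchdog tells a crash from a
    deliberate stop is not documented; the stand-in just reports which one
    happened (assumption)."""

    def __init__(self, crash_at_s: float, succeed_on_attempt: Optional[int] = 1,
                 stop_at_s: Optional[float] = None) -> None:
        self.crash_at_s = crash_at_s                   # when the process dies
        self.succeed_on_attempt = succeed_on_attempt   # None: restarts never work
        self.stop_at_s = stop_at_s                     # when an admin stops it cleanly
        self.up = True
        self.attempts = 0

    def probe(self, t: int) -> IsmState:
        if self.stop_at_s is not None and t >= self.stop_at_s:
            return IsmState.STOPPED
        if self.up and t >= self.crash_at_s:
            self.up = False
        return IsmState.RUNNING if self.up else IsmState.CRASHED

    def restart(self, t: int) -> bool:
        self.attempts += 1
        ok = self.succeed_on_attempt is not None and self.attempts >= self.succeed_on_attempt
        if ok:
            self.up = True
            self.crash_at_s = float("inf")             # one crash per scenario
        return ok


@dataclass
class WatchdogRun:
    restarts: int = 0
    first_restart_at_s: Optional[int] = None
    gave_up: bool = False
    stopped_on_purpose: bool = False
    elapsed_s: int = 0
    log: List[str] = field(default_factory=list)


def run_watchdog(ism: SimulatedIsm, max_polls: int = 50) -> WatchdogRun:
    """Poll / wait / restart / give-up loop driven by a simulated clock t."""
    run = WatchdogRun()
    t = 0
    failed = 0   # consecutive failed restarts (assumption: reset on success)
    for _ in range(max_polls):
        state = ism.probe(t)
        if state is IsmState.RUNNING:
            t += POLL_INTERVAL_S
            continue
        if state is IsmState.STOPPED:
            run.log.append(f"t={t}s ISM stopped intentionally; not restarting")
            run.stopped_on_purpose = True
            break
        t += RESTART_DELAY_S                           # grace period, then restart
        if ism.restart(t):
            run.restarts += 1
            if run.first_restart_at_s is None:
                run.first_restart_at_s = t
            failed = 0
            run.log.append(f"t={t}s Restarting server: started successfully")
        else:
            failed += 1
            run.log.append(f"t={t}s restart attempt {failed} failed")
            if failed >= MAX_RESTART_ATTEMPTS:
                run.log.append("Failed to restart Manager after five attempts. Exiting.")
                run.gave_up = True
                break
        t += POLL_INTERVAL_S
    run.elapsed_s = t
    return run


def watchdog_beats_mdr(downtime_before_switchover_s: int) -> bool:
    """True if the watchdog can issue a restart before MDR fails over. The guide
    compares against the 30 s restart delay; a crash is only noticed at the next
    poll, so up to POLL_INTERVAL_S more elapses before that delay even starts."""
    return downtime_before_switchover_s > POLL_INTERVAL_S + RESTART_DELAY_S


if __name__ == "__main__":
    print(run_watchdog(SimulatedIsm(crash_at_s=25)).log)
    print(run_watchdog(SimulatedIsm(crash_at_s=5, succeed_on_attempt=None)).log)
    print(run_watchdog(SimulatedIsm(crash_at_s=float("inf"), stop_at_s=15)).log)
    print(watchdog_beats_mdr(DEFAULT_SWITCHOVER_S), watchdog_beats_mdr(30))
```

Running it shows that a crash 25 s into the simulation is noticed at the 30 s poll and repaired at 60 s, that five failed restarts end the watchdog at 200 s, and that a deliberate stop is left alone. The 30 seconds the guide quotes for the MDR comparison is only the restart delay: the poll interval adds up to 10 s before the crash is noticed, and the ISM's own start-up time comes on top, which is why the 5 minute default is the safe choice.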

Tracking ISM Watchdog activities

The ISM Watchdog logs all controlled activities in a log file. Log files are located in the <IntruShield install directory> and are named wdout_<time stamp>.log.

A sample log file entry follows:

Sample ISM Watchdog log:

-----------------------------------------------------------------
Restarting server at Mon Jun 09 14:48:53 GMT+05:30 2006
SERVER STDOUT: The IntruShield Manager Service is starting.
SERVER STDOUT: The IntruShield Manager Service was started successfully.
SERVER STDOUT:
SERVER STDOUT:
-----------------------------------------------------------------


If the ISM Watchdog fails after five attempts to restart ISM, the following line will appear in the log file:

SERVER STDOUT: Failed to restart Manager after five attempts. Exiting.
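A parser for the wdout log entries shown above, as an added example written for this page (not McAfee code). It recognises the three line shapes the guide documents: the "Restarting server at ..." header with its Java-style GMT+hh:mm timestamp, the "started successfully" line, and the "Failed to restart Manager after five attempts" line, and turns a log into restart events so an operator can see how often the watchdog stepped in and whether it gave up. SAMPLE_LOG is constructed here from the guide's sample entry; the restart-storm window and threshold are assumptions.

```python
"""Parser for ISM Watchdog wdout_<timestamp>.log entries.
Added illustration, not McAfee code. SAMPLE_LOG is constructed from the
guide's sample entry; the storm window/threshold are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Header line as the guide prints it (Java-style date with a GMT+hh:mm offset).
RESTART_RE = re.compile(
    r"^Restarting server at \w{3} (\w{3}) (\d{1,2}) (\d{2}:\d{2}:\d{2}) "
    r"GMT([+-]\d{2}):(\d{2}) (\d{4})$"
)
STARTED_OK = "SERVER STDOUT: The IntruShield Manager Service was started successfully."
GAVE_UP = "SERVER STDOUT: Failed to restart Manager after five attempts. Exiting."

SAMPLE_LOG = """\
-----------------------------------------------------------------------
Restarting server at Mon Jun 09 14:48:53 GMT+05:30 2006
SERVER STDOUT: The IntruShield Manager Service is starting.
SERVER STDOUT: The IntruShield Manager Service was started successfully.
SERVER STDOUT:
-----------------------------------------------------------------------
Restarting server at Mon Jun 09 15:02:10 GMT+05:30 2006
SERVER STDOUT: The IntruShield Manager Service is starting.
SERVER STDOUT: The IntruShield Manager Service was started successfully.
SERVER STDOUT:
-----------------------------------------------------------------------
Restarting server at Mon Jun 09 15:20:41 GMT+05:30 2006
SERVER STDOUT: The IntruShield Manager Service is starting.
SERVER STDOUT: Failed to restart Manager after five attempts. Exiting.
"""


@dataclass
class RestartEvent:
    at: datetime
    succeeded: bool = False
    gave_up: bool = False


def _parse_stamp(mon: str, day: str, hms: str, off_h: str, off_m: str, year: str) -> datetime:
    """Turn the captured header fields into an aware datetime."""
    naive = datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")
    sign = -1 if off_h.startswith("-") else 1
    offset = sign * timedelta(hours=abs(int(off_h)), minutes=int(off_m))
    return naive.replace(tzinfo=timezone(offset))


def parse_watchdog_log(text: str) -> List[RestartEvent]:
    """One RestartEvent per 'Restarting server at' header, with its outcome."""
    events: List[RestartEvent] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RESTART_RE.match(line)
        if m:
            events.append(RestartEvent(at=_parse_stamp(*m.groups())))
        elif events and line == STARTED_OK:
            events[-1].succeeded = True
        elif events and line == GAVE_UP:
            events[-1].gave_up = True
        # separators, blank "SERVER STDOUT:" lines and unknown text are ignored
    return events


def restart_storm(times: List[datetime], window: timedelta = timedelta(hours=1),
                  threshold: int = 3) -> bool:
    """True if at least `threshold` restarts fall inside any `window` (assumed limits)."""
    ts = sorted(times)
    for i in range(len(ts)):
        j = i
        while j + 1 < len(ts) and ts[j + 1] - ts[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            return True
    return False


def summarize(text: str) -> Dict[str, object]:
    """Operator-facing summary of a wdout log."""
    events = parse_watchdog_log(text)
    return {
        "restarts_attempted": len(events),
        "restarts_succeeded": sum(1 for e in events if e.succeeded),
        "watchdog_exited": any(e.gave_up for e in events),
        "restart_storm": restart_storm([e.at for e in events]),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Time zones that Java prints by name rather than as GMT±hh:mm will not match RESTART_RE; extend the pattern for such hosts. Several successful restarts within an hour point to an ISM that keeps crashing rather than one that was restarted once, which is worth investigating even when the watchdog never reaches its five-attempt limit.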

CHAPTER 9

Sensor capacity by model number

The following tables list the sensor limitations by category and by sensor model.

I-Series Sensor Capacity

Maximum Type                                   I-1200    I-1400    I-2600    I-2700    I-3000    I-4000      I-4010
Concurrent connections                         40,000    80,000    250,000   250,000   500,000   1,000,000   1,000,000
Connections established per sec.               1,000     2,000     6,250     6,250     10,000    25,000      25,000
Concurrent SSL flows (2.1.x and later)         NA        NA        25,000    25,000    50,000    100,000     100,000
SSL keys that can be stored on the sensor      NA        NA        64        64        64        64          64
Virtual interfaces (VIDS)                      16        32        100       100       1000      1000        1000
VLANs / CIDR blocks                            32        64        300       300       3000      3000        3000
VLANs / CIDR blocks per physical port          32        64        254       254       254       254         254
Customized attacks                             20,000    40,000    100,000   100,000   100,000   100,000     100,000
Alert filters                                  16,000    32,000    64,000    64,000    128,000   128,000     128,000
Default number of supported UDP flows          5,000     6,000     25,000    25,000    100,000   100,000     100,000
Supported UDP flows                            30,000    60,000    187,500   187,500   750,000   750,000     750,000
DoS profiles                                   100       120       300       300       5000      5000        5000
SYN rate (64-byte packets per second)          83,000    64,000    250,000   250,000   500,000   1,000,000   1,000,000
ACL rules (refer to note below)                50        100       400       400       1000      1000        1000

M-Series Sensor Capacity

Maximum Type                                   M-6050          M-8000
Concurrent connections                         2,000,000       4,000,000
Connections established per sec.               60,000          120,000
Concurrent SSL flows (2.1.x and later)         Not supported   Not supported
SSL keys that can be stored on the sensor      Not supported   Not supported
Virtual interfaces (VIDS)                      1000            1000
VLANs / CIDR blocks                            3000            3000
VLANs / CIDR blocks per physical port          254             254
Customized attacks                             100,000         100,000
Alert filters                                  128,000         128,000
Default number of supported UDP flows          400,000         400,000
Supported UDP flows                            1,500,000       3,000,000
DoS profiles                                   5000            5000
SYN rate (64-byte packets per second)          2,000,000       3,900,000
ACL rules (refer to note below)                1000            1000

For more information on computing ACLs, see "Viewing ACL descriptions using Effective ACL rules" in the Sensor Configuration Guide (using ISM).

Note for customized attacks

The signature set push from the ISM to a sensor fails if the number of customized attacks on the sensor exceeds the customized attack limit for that sensor model.

The number of customized attacks can increase due to:

• modifications made by users to attacks in a policy
• Recommended for Blocking (RFB) attacks
• user-created asymmetric policies

Example: how numerous customized attacks are created in asymmetric policies.

a. Create a new policy.

b. Set the Inbound rule set to "File Server rule set".

c. Set the Outbound rule set to "All-inclusive with Audit rule set".

You will see that:

• The File Server rule set has 166 exploit attacks.
• The All-inclusive with Audit rule set has 2204 exploit attacks.

Each attack that is configured differently in the two directions counts as a customized attack, so the total number of customized attacks for this policy is 2204 – 166 = 2038.

CHAPTER 10

Utilizing the McAfee Knowledge Base

The McAfee KnowledgeBase (KB) contains a large number of articles that answer specific questions not addressed elsewhere in the documentation set. Check whether a question you have is answered in a KB article.

To access the McAfee Knowledgebase:

Go to http://mysupport.mcafee.com/Eservice/ and click Search the KnowledgeBase.

The following list contains some of the more commonly accessed KB articles.

Old Number   New Number   Topic
KB38000      KB55446      All signature set releases, with links to signature set release notes
KB38001      KB55447      All UDS releases and their release notes (restricted article: requires logging in to the service portal or internal access)
KB38002      KB55448      Table displaying the current versions for IntruShield
KB38003      KB55449      Listing of IntruShield's response to high-profile public vulnerabilities
KB38004      KB55450      How to request coverage for a threat that isn't already covered
KB38005      KB55451      List of all McAfee Recommended for Blocking (RFB) attacks
KB37553      KB55318      Sensor heat dissipation rates (BTUs per hour)
KB37773      KB60660      Verify MySQL database tables
KB38041      KB55470      IntruShield maximum number of CIDR blocks using VIDS
KB38365      KB55549      Collecting a diagnostics trace from the IntruShield sensor
KB38487      KB55568      VLAN limitations for IntruShield
KB39232      KB55723      Maximum number of SSL keys for an ISM or sensor
KB39353      KB55743      Submitting IntruShield incorrect identifications (false positive/incorrect detection) to support
KB39888      KB55908      Support for legacy versions
KB40570      KB55364      Asymmetric traffic and TCP flow violation options
KB40571      KB56069      "Login failed: Unable to get the IntruShield Security Manager license information"
KB40582      KB56071      Configuring authentication on the ISM for the update server
KB41752      KB56364      3rd-party recommended hardware for IntruShield sensors
NAI32011     KB59347      Sensor is reporting false DoS attacks / new network device is added and sensor is now reporting DoS attacks
NAI32008     KB59344      Recover the password for the ISM

Index

A
auto-negotiation and speed configurations ...... 15, 20

C
connectivity issues ...... 15
critical faults ...... 32

D
duplex mismatches ...... 15

F
false positives ...... 28

H
hardening the ISM server ...... 7
hardening the MySQL installation ...... 7

I
InfoCollector tool ...... 71
informational faults ...... 55
ISM Watchdog ...... 74

M
management port configuration ...... 14
MySQL issues ...... 27

O
other faults ...... 67

P
problems with sensor reboot ...... 23, 24

R
rolling back changes ...... 10

S
Sensor capacity by model number ...... 77
sensor failover status ...... 22
system health ...... 21

W
warning faults ...... 51