Sunday, December 30, 2012

Upgrade SIEM from 9.1.1 to 9.1.3

  1. Always download the upgrade files using Internet Explorer or Mozilla. Don't use Chrome.
  2. Verify that the downloaded file has been placed in the correct directory with the correct file extension. To do so, run "cd /usr/local/NitroGuard" and check that the downloaded file is in this directory with a .tgz extension. If not, change the file extension to .tgz with the command "mv RECEIVER_Update_9.1.3.signed.gz RECEIVER_Update_9.1.3.signed.tgz".
  3. Compare the hash values of the downloaded files with the original hash values provided on the McAfee website.
  4. Upgrade the ESM first, then the ELM, and then the remaining devices one at a time.
  5. After upgrading each device, verify the version in System Properties. Also verify the device health check status: select the device (e.g. the ADM) and then select the "Device Status" dashboard from the menu.
  6. Also check the device logs of each device after the upgrade; if there is a problem, you will see it in the logs. Ensure that the files in the directory "/usr/local/NitroGuard/updates" have been updated to the latest version; use the command "ls -lrt" to list the files. You will see many files with version 9.1.3, indicating that the files have been upgraded to the latest version (we were upgrading from 9.1.1 to 9.1.3).
  7. Make sure there is no red flag on any device. If there is one, click on it to see the device log stating the reason.
  8. Open the Policy Editor and roll out the policy to all devices so that the changes in the new version are applied to all devices and data sources.
  9. Take a full backup.
  10. Apply any patches or hotfixes recommended by the vendor.
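Steps 2 and 3 are easy to get wrong by hand, so here is an added example (not from the original post) that fixes a download saved with a .gz suffix and then compares its digest with the value published by the vendor. It assumes SHA-256; pass whatever algorithm McAfee publishes for the file, and run it against the file in /usr/local/NitroGuard.

```python
import hashlib
import tempfile
from pathlib import Path

def ensure_tgz_name(path):
    """Return the update file path with a .tgz extension, renaming a .gz
    download in place when the browser saved it with the wrong suffix."""
    path = Path(path)
    if path.suffix == ".tgz":
        return path
    if path.suffix == ".gz":
        target = path.with_suffix(".tgz")
        path.rename(target)
        return target
    raise ValueError(f"unexpected extension on {path.name}")

def digest_of(path, algo="sha256", chunk=1 << 20):
    """Hash the file in chunks; algo must match what the vendor publishes."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_update(path, expected_digest, algo="sha256"):
    """Fix the file name, then compare the digest with the published value.
    Returns the final path, or raises RuntimeError on a mismatch."""
    final = ensure_tgz_name(path)
    actual = digest_of(final, algo)
    if actual.lower() != expected_digest.strip().lower():
        raise RuntimeError(f"digest mismatch for {final.name}: {actual}")
    return final

def demo():
    """Constructed scenario: a fake bundle saved as .gz, checked against the
    digest of its own constructed content, then against a bogus digest."""
    with tempfile.TemporaryDirectory() as d:
        fake = Path(d) / "RECEIVER_Update_9.1.3.signed.gz"
        fake.write_bytes(b"constructed sample, not a real update bundle\n")
        good = hashlib.sha256(fake.read_bytes()).hexdigest()
        final = verify_update(fake, good)
        try:
            verify_update(final, "0" * 64)
            mismatch_caught = False
        except RuntimeError:
            mismatch_caught = True
        return final.name, mismatch_caught
```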

Tuesday, December 11, 2012

Correlating IPS events in Nitro SIEM

Issue
If you are using McAfee SIEM (previously Nitro SIEM) and don't have a Nitro IPS, you might face issues correlating IPS events. This is because McAfee SIEM doesn't automatically normalize data from other IPS products and labels those IPS events as uncategorized.


Solution
A workaround is to manually normalize your IPS events into categories (e.g. exploit, p2p) and then use these normalization rules in correlation rules. However, this is not a permanent solution, because IPS signatures are constantly updated and new attack signatures will be added from time to time.

Example scenario
You have a set of critical servers for which you want to see exploit attacks. The first step is to select your IPS in the "Physical Display" and select the "Normalized Dashboard" from the list of available dashboards. Next, select an exploit event in the "Event Summary" sub-group and go to the rule definition by selecting the "Show Rule" option.

The Policy Editor window opens showing the rule definition you selected. Double-click the rule definition and click the green button next to "Normalized ID". You can then move this rule to the exploit category in the normalization taxonomy.

Once you have normalized all your exploit events, you are ready to write a correlation rule that shows all exploit events against your critical servers. First create a variable rule defining the IP addresses of all your critical servers.


Next, create a correlation rule as follows.


You can further reduce the resulting events by excluding all events that were blocked by your IPS, as shown in the above rule.
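The rule screenshots are not reproduced here, so the following added example (my own code, not from the post or from McAfee) models the same logic: a manual normalization table, a variable rule holding the critical servers, and a correlation that keeps only unblocked exploit events aimed at those servers. It also collects signatures that are still uncategorized, which is the maintenance problem the post warns about. All signature IDs and addresses are constructed.

```python
import ipaddress
from collections import namedtuple

# A raw IPS event as the SIEM receives it (constructed field set)
RawEvent = namedtuple("RawEvent", "sig_id src dst action")

# Manual normalization table built in the Policy Editor: signature ID -> category.
# Signatures missing from this table stay "uncategorized", as the post describes.
NORMALIZATION = {20001: "exploit", 20002: "exploit", 30001: "p2p"}

# Variable rule holding the critical servers (constructed addresses; CIDR allowed)
CRITICAL_SERVERS = [ipaddress.ip_network(n) for n in ("10.1.1.10/32", "10.1.2.0/24")]

def normalize(evt):
    """Return the category assigned in the Policy Editor, or 'uncategorized'."""
    return NORMALIZATION.get(evt.sig_id, "uncategorized")

def in_variable(ip, networks):
    """True when ip falls inside any network listed in a variable rule."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def correlate(events, critical=CRITICAL_SERVERS):
    """Apply the post's correlation rule: exploit-category events whose destination
    is a critical server, excluding events the IPS already blocked. Also return
    the signature IDs still uncategorized, so new signatures can be normalized
    before they silently drop out of the rule."""
    matches, uncategorized = [], set()
    for evt in events:
        cat = normalize(evt)
        if cat == "uncategorized":
            uncategorized.add(evt.sig_id)
            continue
        if cat == "exploit" and in_variable(evt.dst, critical) and evt.action != "blocked":
            matches.append(evt)
    return matches, sorted(uncategorized)

# Constructed sample events
SAMPLE_EVENTS = [
    RawEvent(20001, "203.0.113.5", "10.1.1.10", "alert"),    # exploit to critical server: match
    RawEvent(20002, "203.0.113.5", "10.1.1.10", "blocked"),  # blocked by the IPS: excluded
    RawEvent(20001, "203.0.113.9", "10.1.5.7", "alert"),     # not a critical server: excluded
    RawEvent(30001, "10.1.2.20", "198.51.100.1", "alert"),   # p2p category: excluded
    RawEvent(40001, "203.0.113.7", "10.1.2.20", "alert"),    # new signature, not yet normalized
]
```

Running `correlate(SAMPLE_EVENTS)` returns the single matching event plus `[40001]`, the signature that still needs a category before the rule will see it.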

How to set the HOMENET Variable in McAfee Nitro SIEM

Issue
The issue we had was when we tried to set the HOMENET variable in the Policy Editor. The HOMENET variable is used in almost every rule in McAfee Nitro SIEM. However, we observed that even though we had defined our own custom subnet values, the rules still showed that the HOMENET variable was using 0.0.0.0/0.

Solution:

Go to "Asset Manager" in McAfee Nitro SIEM as shown in the post.

Go to "Network Discovery".

Click "Homenet".

Specify your subnet. We wanted to include our whole subnet, so we entered 10.0.0.0/8.

After updating the value here, we considerably reduced the false positives and the issue was solved.

Thursday, December 6, 2012

How to detect and prevent users from removing McAfee agent from Client machines

1) Create an automated response for client events to show "Attempt to uninstall McAfee Agent".
2) Set up a VirusScan Access Protection policy that prevents McAfee files, processes, etc. from being modified or terminated.
3) Follow KB69716 to add a registry key that removes the VirusScan option from Add/Remove Programs.
4) Generate queries (compliance reports) to show machines that do not have VirusScan or the McAfee Agent installed, and which version they have. With these, you can then automatically deploy agents and VirusScan.

If, however, you give local admin rights to your users, they will always be able to go into the registry and run commands or delete keys to uninstall.

Tuesday, December 4, 2012

McAfee ePO policies for Microsoft Failover Cluster

Let's suppose we want a cluster for MS SQL Server. We will exclude the data file path and the log file path shown below, along with the above three file/drive path exclusions:

C:\Program Files\Microsoft SQL Server\MSSQL10.RTCLOCAL\MSSQL\DATA

C:\Program Files\Microsoft SQL Server\MSSQL10.RTCLOCAL\MSSQL\Log
