Host Intrusion Prevention notifications
Host Intrusion Prevention supports the following product-specific notification categories:
- Host Intrusion detected and handled
- Network Intrusion detected and handled
- Application blocked
- Computer placed in quarantine mode
A notification rule for the Host (or Network) IPS category covers either every signature in that category or exactly one signature. Entercept 5.x allowed notifications to be scoped to a set of signature IDs or to a severity level; Host Intrusion Prevention does not. To target one signature, enter its IPS signature ID in the Threat Name (or Rule Name) field of the notification rule: the signature ID attribute of each event is mapped internally to the threat name, so the rule matches that single signature and nothing else.
The value that each notification parameter takes in the subject or body of a message depends on the event category, as follows:
| Parameter | Host and Network IPS event values | Blocked Application event values | Quarantine event values |
|---|---|---|---|
| ReceivedThreatNames | Signature ID | none | none |
| SourceComputers | Remote IP address | Computer name | Computer name |
| AffectedObjects | Process name | Application name | IP address of computer |
| EventTimestamp | Incident time | Incident time | Incident time |
| EventID | ePO mapping of event ID | ePO mapping of event ID | ePO mapping of event ID |
| AdditionalInformation | Localized signature name (from client computer) | Application full path | none |
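The following script simulates both the single-signature rule filter described above and the per-category parameter mapping in the table. It is an added example written for this page, not McAfee code, and it makes assumptions the product documentation does not state: events are plain dicts with the field names used below, a rule is a dict with a `category` and an optional `threat_name`, and message templates use `{Parameter}` placeholders. The sample events, the signature ID 1234 and the event ID string are constructed placeholders, not real Host IPS identifiers.

```python
"""Simulation of Host Intrusion Prevention notification parameters in ePO.

Added example, not McAfee code. Assumed (not from the documentation):
event and rule field names, and {Parameter} placeholder syntax.
"""

# The four notification categories named on the page.
HOST_IPS = "Host Intrusion detected and handled"
NETWORK_IPS = "Network Intrusion detected and handled"
APP_BLOCKED = "Application blocked"
QUARANTINE = "Computer placed in quarantine mode"

NONE = ""  # the table's "none": the parameter is empty for that event type


def notification_parameters(event):
    """Fill the six notification parameters from one event, by category."""
    params = {
        "EventTimestamp": event["incident_time"],
        "EventID": event["epo_event_id"],  # ePO's own mapping of the event ID
    }
    category = event["category"]
    if category in (HOST_IPS, NETWORK_IPS):
        params.update(
            ReceivedThreatNames=str(event["signature_id"]),
            SourceComputers=event["remote_ip"],
            AffectedObjects=event["process_name"],
            AdditionalInformation=event["signature_name"],  # localized, from client
        )
    elif category == APP_BLOCKED:
        params.update(
            ReceivedThreatNames=NONE,
            SourceComputers=event["computer_name"],
            AffectedObjects=event["app_name"],
            AdditionalInformation=event["app_path"],
        )
    elif category == QUARANTINE:
        params.update(
            ReceivedThreatNames=NONE,
            SourceComputers=event["computer_name"],
            AffectedObjects=event["ip_address"],
            AdditionalInformation=NONE,
        )
    else:
        raise ValueError("not a Host Intrusion Prevention category: %r" % category)
    return params


def rule_matches(rule, event):
    """A rule selects one category; an optional Threat Name narrows it to the
    single signature whose ID the event carries in ReceivedThreatNames.
    Blocked-application and quarantine events carry no signature ID, so a
    Threat Name on those categories never matches anything."""
    if rule["category"] != event["category"]:
        return False
    wanted = rule.get("threat_name")
    if not wanted:
        return True  # all signatures in the category
    return notification_parameters(event)["ReceivedThreatNames"] == str(wanted)


def render(template, event):
    """Substitute the parameters into a message subject or body."""
    return template.format(**notification_parameters(event))


# Constructed sample data (placeholders, not real identifiers).
HOST_EVENT = {
    "category": HOST_IPS,
    "signature_id": 1234, "signature_name": "Placeholder signature name",
    "remote_ip": "192.0.2.10", "process_name": "example.exe",
    "incident_time": "2006-01-01 00:00:00", "epo_event_id": "placeholder-id",
}
QUARANTINE_EVENT = {
    "category": QUARANTINE, "computer_name": "WKS-EXAMPLE",
    "ip_address": "192.0.2.20",
    "incident_time": "2006-01-01 00:05:00", "epo_event_id": "placeholder-id",
}
SIGNATURE_RULE = {"category": HOST_IPS, "threat_name": "1234"}
ALL_HOST_RULE = {"category": HOST_IPS}
SUBJECT = "HIPS: {ReceivedThreatNames} on {SourceComputers} ({AffectedObjects})"

if __name__ == "__main__":
    for rule in (SIGNATURE_RULE, ALL_HOST_RULE):
        for event in (HOST_EVENT, QUARANTINE_EVENT):
            if rule_matches(rule, event):
                print(render(SUBJECT, event))
```

The second rule in `rule_matches` is the practical caveat: a Threat Name only ever narrows Host and Network IPS rules, because those are the only events whose ReceivedThreatNames carries a signature ID.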
Copyright © 2006 McAfee, Inc. All Rights Reserved.