Red Hat SYSTEM 8.0 - MIGRATION GUIDE 7.X TO 8.0 Installation Guide Page 21

legitimate activities, most common with internally-developed applications, these false positives
can be resolved in the next step.
TIP: Often when scanning repetitious log data, you miss specifics that would trigger a different
rule decision. During extensive reviews, take occasional breaks to avoid this.
Start tuning protection
From the event log data, work to:
Elevate protection for logged events that should be blocked.
Eliminate false positives based on legitimate business activities.
Begin by doing the following:
1 Edit reactions to signatures. Keep in mind that a client can be told to react in one of three ways:
  Ignore: No reaction. The event is not logged and the process is not prevented.
  Log: The event is logged and the process is not prevented.
  Prevent: The event is logged and the process is prevented.
Apply the Prevent reaction to any High Severity signatures.
2 Create exceptions. Identify events that flag legitimate behavior that should be allowed,
or perhaps allowed and logged.
Exception rules override a security policy in specific circumstances. You can set a reaction
response to ignore and events will no longer be logged. For example, though a policy might
deem certain script processing to be illegal behavior, some systems in your engineering
groups need to run scripts. Create exceptions for the engineering systems so they can
function normally, while the policy continues to prevent scripts on other systems. Make
these exceptions part of a server-mandated policy to cover only engineering.
Exceptions enable you to reduce false-positive alerts and minimize needless and irrelevant
data flowing to the console. By reducing the noise, you will more readily identify important
events in your daily monitoring.
TIP: Make the exception generic enough that it will work on all similar systems under the
same or similar circumstances.
3 Create trusted applications.
Trusted applications are application processes that are exempt from all IPS and firewall
rules. Limit trusted applications for processes that cause so many false positives that it is
impractical to make fine-tuned exceptions. Trusted applications can vary by usage profile.
For example, you might permit certain software applications in your technical support
organization, but prevent their use in your finance department; therefore, you could establish
these applications as trusted on the systems in technical support to allow this use. See
"Configuring a Trusted Applications Policy" in the product guide for more details.
4 Run queries
Use queries to obtain data about a particular item and filter the data for specific subsets
of that data; for example, high-level events reported by particular clients for a specified
time period. Look for signatures that are triggered most often. Are these day-to-day
legitimate business functions that should be allowed? Adjust the severity level to a lower
level for these signatures. Some desktop exceptions prove to be erroneous behaviors of
Best Practices for Quick Success
4. Do initial tuning
McAfee Host Intrusion Prevention 8.0 Installation Guide, page 21
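The four tuning steps above (reactions, exceptions, trusted applications, queries) interact through a precedence order: a trusted application is exempt from every rule, an exception overrides the signature's reaction on the systems it names, and otherwise the signature's own reaction applies. The following Python model is an added example, not code from the guide or from the McAfee product; the signatures, system names, process names and event records are constructed to illustrate the decision order and the before/after effect on the event log, and the `decide`, `replay` and `top_signatures` functions are hypothetical names for this illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# The three client reactions the guide describes.
IGNORE, LOG, PREVENT = "Ignore", "Log", "Prevent"


@dataclass
class Signature:
    sig_id: int
    name: str
    severity: str          # "High", "Medium", "Low", "Information"
    reaction: str = LOG    # starting point before tuning


@dataclass
class ExceptionRule:
    """Overrides a signature's reaction on specific systems (and optionally one process)."""
    sig_id: int
    systems: frozenset
    process: Optional[str] = None
    reaction: str = IGNORE


@dataclass
class Policy:
    signatures: dict
    exceptions: list = field(default_factory=list)
    # process name -> systems on which that process is a trusted application
    trusted_apps: dict = field(default_factory=dict)

    def prevent_high_severity(self) -> int:
        """Step 1: set Prevent on every High severity signature; returns how many changed."""
        changed = 0
        for sig in self.signatures.values():
            if sig.severity == "High" and sig.reaction != PREVENT:
                sig.reaction = PREVENT
                changed += 1
        return changed

    def decide(self, system: str, process: str, sig_id: int) -> tuple:
        """Reaction for one event: trusted app, then exception, then the signature's own reaction."""
        if system in self.trusted_apps.get(process, frozenset()):
            return IGNORE, "trusted application"          # step 3: exempt from all rules
        for exc in self.exceptions:                       # step 2: narrow, system-scoped overrides
            if (exc.sig_id == sig_id and system in exc.systems
                    and (exc.process is None or exc.process == process)):
                return exc.reaction, "exception"
        sig = self.signatures[sig_id]
        return sig.reaction, f"signature ({sig.severity})"


def replay(policy: Policy, events: list) -> list:
    """Apply the policy to each event; Ignore means the event never reaches the log."""
    logged = []
    for ev in events:
        reaction, reason = policy.decide(ev["system"], ev["process"], ev["sig_id"])
        if reaction != IGNORE:
            logged.append({**ev, "reaction": reaction, "reason": reason})
    return logged


def top_signatures(logged: list, n: int = 3) -> list:
    """Step 4: the signatures that trigger most often in what remains in the log."""
    return Counter(ev["sig_id"] for ev in logged).most_common(n)


# Constructed sample data (not from the guide): three signatures and one day's events.
SIGNATURES = {
    1001: Signature(1001, "Script interpreter launched", "Medium"),
    2002: Signature(2002, "Remote administration tool executed", "High"),
    3003: Signature(3003, "Buffer overflow in browser process", "High"),
}
EVENTS = [
    {"system": "ENG-01", "process": "cscript.exe", "sig_id": 1001},
    {"system": "ENG-02", "process": "cscript.exe", "sig_id": 1001},
    {"system": "ENG-02", "process": "cscript.exe", "sig_id": 1001},
    {"system": "FIN-01", "process": "cscript.exe", "sig_id": 1001},
    {"system": "SUPPORT-01", "process": "remotetool.exe", "sig_id": 2002},
    {"system": "FIN-01", "process": "remotetool.exe", "sig_id": 2002},
    {"system": "HR-01", "process": "browser.exe", "sig_id": 3003},
]


def untuned_policy() -> Policy:
    """Everything logs, nothing prevented: the state before tuning."""
    return Policy(signatures={k: Signature(v.sig_id, v.name, v.severity) for k, v in SIGNATURES.items()})


def tuned_policy() -> Policy:
    """Steps 1-3 applied: Prevent on High, an engineering-only script exception, a trusted tool in support."""
    policy = untuned_policy()
    policy.prevent_high_severity()
    policy.exceptions.append(ExceptionRule(1001, frozenset({"ENG-01", "ENG-02"}), process="cscript.exe"))
    policy.trusted_apps["remotetool.exe"] = frozenset({"SUPPORT-01"})
    return policy


if __name__ == "__main__":
    for label, policy in (("before", untuned_policy()), ("after", tuned_policy())):
        logged = replay(policy, EVENTS)
        print(f"{label}: {len(logged)} logged events, top signatures {top_signatures(logged)}")
        for ev in logged:
            print(f"  {ev['system']:<11}{ev['process']:<16}{ev['sig_id']}  {ev['reaction']:<8}{ev['reason']}")
```

Running the replay before and after tuning shows the effect the guide describes: the engineering script events and the support team's tool drop out of the log entirely, the same tool on a finance system is now prevented because its signature is High severity, and the most-triggered signature count for 1001 falls from four to one, leaving the remaining events easier to review. The exception is scoped to both the engineering systems and the `cscript.exe` process, so the same signature fired by a different process on an engineering system is still logged.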