INTR Troubleshooting 4.1

IntruShield Troubleshooting Guide
revision 10.0
McAfee IntruShield IPS

version 4.1
McAfee Network Protection

Industry-leading intrusion prevention solutions
COPYRIGHT
Copyright 2001 - 2009 McAfee, Inc. All Rights Reserved.
TRADEMARKS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), IntruShield, INTRUSION PREVENTION THROUGH INNOVATION, McAfee, McAfee (AND IN KATAKANA), McAfee AND DESIGN, McAfee.COM, McAfee VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE AND PATENT INFORMATION License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO McAfee OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
This product includes or may include: * Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). * Cryptographic software written by Eric A. Young and software written by Tim J. Hudson. * Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. * Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer. * Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier. * Software written by Douglas W. Sauder. * Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt. * International Components for Unicode ("ICU") Copyright (C) 19952002 International Business Machines Corporation and others. * Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc. * FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany. * Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc. * Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000. * Software copyrighted by Expat maintainers. * Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000. * Software copyrighted by Gunnar Ritter. * Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003. * Software copyrighted by Gisle Aas. (C) 1995-2003. * Software copyrighted by Michael A. Chase, (C) 1999-2000. * Software copyrighted by Neil Winton, (C) 1995-1996. * Software copyrighted by RSA Data Security, Inc., (C) 1990-1992. * Software copyrighted by Sean M. Burke, (C) 1999, 2000. * Software copyrighted by Martijn Koster, (C) 1995. * Software copyrighted by Brad Appleton, (C) 1996-1999. * Software copyrighted by Michael G. Schwern, (C) 2001. * Software copyrighted by Graham Barr, (C) 1998. * Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000. * Software copyrighted by Frodo Looijaard, (C) 1997. * Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org. * Software copyrighted by Beman Dawes, (C) 1994-1999, 2002. * Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame. * Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002. * Software copyrighted by Stephen Purcell, (C) 2001. * Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). * Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003. * Software developed by the University of California, Berkeley and its contributors. * Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http:// www.modssl.org/). * Software copyrighted by Kevlin Henney, (C) 2000-2002. * Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002. * Software copyrighted by David Abrahams, (C) 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation. * Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000. * Software copyrighted by Boost.org, (C) 1999-2002. * Software copyrighted by Nicolai M. Josuttis, (C) 1999. * Software copyrighted by Jeremy Siek, (C) 1999-2001. * Software copyrighted by Daryle Walker, (C) 2001. * Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002. * Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history. * Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), (C) 2001, 2002. * Software copyrighted by Cadenza New Zealand Ltd., (C) 2000. * Software copyrighted by Jens Maurer, (C) 2000, 2001. * Software copyrighted by Jaakko Jrvi (jaakko.jarvi@cs.utu.fi), (C) 1999, 2000. * Software copyrighted by Ronald Garcia, (C) 2002. * Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001. * Software copyrighted by Stephen Cleary (shammah@voyager.net), (C) 2000. * Software copyrighted by Housemarque Oy <http://www.housemarque.com>, (C) 2001. * Software copyrighted by Paul Moore, (C) 1999. * Software copyrighted by Dr. John Maddock, (C) 1998-2002. * Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999. * Software copyrighted by Peter Dimov, (C) 2001, 2002. * Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001. * Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002. * Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992. * Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003. * Software copyrighted by Sparta, Inc., (C) 2003-2004. * Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004. * Software copyrighted by Simon Josefsson, (C) 2003. * Software copyrighted by Thomas Jacob, (C) 2003-2004. * Software copyrighted by Advanced Software Engineering Limited, (C) 2004. * Software copyrighted by Todd C. Miller, (C) 1998. * Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.
Issued JUNE 2009 / IntruShield Troubleshooting Guide

700-1561-00/ 10.0 - English
Contents
Preface ........................................................................................................... v
Introducing McAfee IntruShield IPS .............................................................................................. v About this Guide............................................................................................................................ v Audience ....................................................................................................................................... v Conventions used in this guide .....................................................................................................vi Related Documentation................................................................................................................vii Contacting Technical Support ......................................................................................................vii Information requested for Troubleshooting ......................................................................... viii
Before You Install.......................................................................................... 1

Pre-installation recommendations ................................................................................................. 1 Planning for installation ..........................................................................................................1 Functional requirements.........................................................................................................2 Using anti-virus software with the Manager ...........................................................................4 User interface responsiveness...............................................................................................5
Hardening the ISM Server ............................................................................ 7

Introduction.................................................................................................................................... 7 Install a desktop firewall ................................................................................................................ 7 Harden the MySQL installation...................................................................................................... 7 Remove test database ...........................................................................................................8 Remove local anonymous users ............................................................................................8 Remove remote anonymous users ........................................................................................8 Secure MySQL remote access ..............................................................................................9 Rolling back your changes ...................................................................................................10 Remove debug shell at port 9001 ........................................................................................10 Other best practices for securing ISM ......................................................................................... 11 Recommended practices .....................................................................................................11
Troubleshooting IntruShield IPS ............................................................... 12

Facilitating troubleshooting.......................................................................................................... 12 Starting your troubleshooting ...................................................................................................... 13 Difficulties connecting sensor and ISM ....................................................................................... 13 Network connectivity ............................................................................................................13 Inconsistency in sensor and ISM configuration....................................................................13 Software or signature set incompatibility..............................................................................14 Firewall between the devices ...............................................................................................14 Management port configuration ...........................................................................................14 Connectivity issues between the sensor and other network devices .......................................... 15 Duplex mismatches ..............................................................................................................15 Valid auto-negotiation and speed configurations .................................................................15 Explanation of CatOS show port Command Counters.........................................................18 Auto-negotiation ...................................................................................................................20 Checking sensor health............................................................................................................... 20 Pinging a sensor ..................................................................................................................21 Ensuring that the sensor is receiving traffic................................................................................. 21 Checking sensor failover status .................................................................................................. 21 Cabling failover through a network device ...........................................................................21
iii
Checking whether a signature or software update was successful............................................. 22 Checking status of a download or upload ................................................................................... 22 Conditions requiring a sensor reboot .......................................................................................... 22 Rebooting a sensor via the ISM ...........................................................................................23 Rebooting a sensor using the reboot command ..................................................................23 Sensor doesnt boot .................................................................................................................... 23 Loss of connectivity between the sensor and ISM ...................................................................... 23 How sensor handles new alerts during connectivity loss .....................................................24 ISM connectivity to the database ................................................................................................ 24 ISM database is full..............................................................................................................25 Error on accessing the Configuration page ................................................................................. 25 Sensor response if its bandwidth is exceeded ............................................................................ 25 MySQL issues ............................................................................................................................. 26 How sensors handle various types of traffic................................................................................ 26 Jumbo Ethernet frames ........................................................................................................26 ISL frames ............................................................................................................................26
Determining False Positives ...................................................................... 27

Reducing false positives.............................................................................................................. 27 Tune your policies ....................................................................................................................... 27 About false positives and noise .........................................................................................28 Determining a false positive versus noise............................................................................29
System Fault Messages.............................................................................. 31

Critical faults................................................................................................................................ 31 Error faults................................................................................................................................... 43 Warning faults ............................................................................................................................. 48 Informational faults ...................................................................................................................... 51 M-series sensor faults ................................................................................................................. 60 Other faults.................................................................................................................................. 61
Error Messages ........................................................................................... 62

Error messages for RADIUS servers .......................................................................................... 62 Error messages for LDAP server ................................................................................................ 63
Using the InfoCollector tool ....................................................................... 65

Introduction.................................................................................................................................. 65 Running the InfoCollector............................................................................................................ 66 Using InfoCollector ...................................................................................................................... 66
Automatically restarting a failed ISM with ISM Watchdog...................... 68

Introduction.................................................................................................................................. 68 How the ISM Watchdog Works ................................................................................................... 68 Installing ISM Watchdog.............................................................................................................. 68 Starting ISM Watchdog ............................................................................................................... 69 Using ISM Watchdog with ISM in an MDR configuration ............................................................ 69 Tracking ISM Watchdog activities ............................................................................................... 69
Sensor capacity by model number ........................................................... 71 Utilizing the McAfee Knowledge Base ...................................................... 74 Index ............................................................................................................. 76
iv
Preface
This preface provides a brief introduction to McAfee IntruShield, discusses the information in this document, and explains how this document is organized. It also provides information such as the supporting documents for this guide and how to contact McAfee Technical Support.
Introducing McAfee IntruShield IPS

McAfee IntruShield delivers the most comprehensive, accurate, and scalable network IPS solution for mission-critical enterprise, carrier, and service provider networks, while providing unmatched protection against spyware and known, zero-day, and encrypted attacks. IntruShield combines real-time detection and prevention to provide the most comprehensive and effective network IPS in the market. What do you want to do? Learn more about McAfee IntruShield components. Learn how to get started. Learn about the Home page and interaction with the Manager interface.
About this Guide

This guide provides the basic troubleshooting techniques for IntruShield system. You get information on the key issues to be taken care of in the ISM and sensor software in a step-by- step manner; right from installing IntruShield to troubleshooting the system. This guide provides detailed sections on the following topics: Pre-installation recommendations Hardening ISM Server Troubleshooting techniques How to use the InfoCollector tool and ISM Watchdog
Audience
This guide is intended for use by network technicians responsible for maintaining the IntruShield Security Management System (ISM) and analyzing and disseminating the resulting data. It is assumed that you are familiar with IPS-related tasks, the relationship between tasks, and the commands necessary to perform particular tasks.
McAfee IntruShield IPS 4.1
Conventions used in this guide
Conventions used in this guide

This document uses the following typographical conventions:
Convention
Example
Terms that identify fields, buttons, tabs, options, selections, and commands on the User Interface (UI) are shown in Arial Narrow bold font. Menu or action group selections are indicated using a right angle bracket. Procedures are presented as a series of numbered steps. Names of keys on the keyboard are denoted using UPPER CASE. Text such as syntax, keywords, and values that you must type exactly are denoted using Courier New font.
The Service field on the Properties tab specifies the name of the requested service.
Select My Company > Admin Domain > View Details.
1. On the Configuration tab, click Backup. Press ENTER. Type: setup and then press ENTER.
Variable information that you must Type: sensor-IP-address and then press ENTER. type based on your specific situation or environment is shown in italics. Parameters that you must supply are shown enclosed in angle brackets. Information that you must read before beginning a procedure or that alerts you to negative consequences of certain actions, such as loss of data is denoted using this notation. Information that you must read to prevent injury, accidents from contact with electricity, or other serious consequences is denoted using this notation. Notes that provide related, but non-critical, information are denoted using this notation. set sensor ip <A.B.C.D>
Caution:
Warning:
Note:
vi
Related Documentation
Related Documentation
The following documents and on-line help are companions to this guide. Refer to IntruShield System Quick Reference Card for more information on these guides. Manager Installation Guide 3.1 to 4.1 Upgrade Guide Getting Started Guide IntruShield Quick Tour Planning & Deployment Guide IntruShield Sensor 1200 Product Guide IntruShield Sensor 1400 Product Guide IntruShield Sensor 2600 Product Guide IntruShield Sensor 2700 Product Guide IntruShield Sensor 3000 Product Guide IntruShield Sensor 4000 Product Guide IntruShield Sensor 4010 Product Guide IntruShield Configuration Basics Guide Administrative Domain Configuration Guide Manager Server Configuration Guide Policies Configuration Guide Sensor Configuration Guideusing CLI Sensor Configuration Guideusing ISM Sensor Configuration Guideusing ISM Wizard Alerts & System Health Monitoring Guide Reports Guide User-Defined Signatures Developer's Guide Attack Description Guide Special Topics Guide Database Tuning Best Practices Denial-of-Service Sensor High Availability Custom Roles Creation In-line Sensor Deployment Virtualization Gigabit Optical Fail-Open Bypass Kit Guide Gigabit Copper Fail-Open Bypass Kit Guide
Contacting Technical Support

If you have any questions, contact McAfee for assistance:
Online
Contact McAfee Technical Support http://mysupport.mcafee.com.
vii
Registered customers can obtain up-to-date documentation, technical bulletins, and quick tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also resolve technical issues with the online case submit, software downloads, and signature updates.
Phone
Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7 Technical Support is available for customers with Gold or Platinum service contracts. Global phone contact numbers can be found at McAfee Contact Information http://www.mcafee.com/us/about/contact/index.html page. Note: McAfee requires that you provide your GRANT ID and the serial number of your system when opening a ticket with Technical Support. You will be provided with a user name and password for the online case submission.
Information requested for Troubleshooting

McAfee wants to provide you with the best possible support. When you contact Technical Support, we will request a variety of information to use to troubleshoot your deployment. This section describes the information we ask that you have available for troubleshooting.
General information
your GRANT ID. This was provided to you when you purchased the product. the version number of the ISM software you are using the version number of the sensor software you are using Is this a new or existing issue? any physical changes made to the environment recently Did you make any changes in your environment/setup/configuration that may have introduced the issue?
ISM-specific information
We may ask you to use our troubleshooting tool, which is called InfoCollector. This tool will collect all ISM-related log files (For example, ems.log, emsout, output.bin, config back, and the sensor trace file, if you have uploaded it to the ISM) and return them to us for analysis As of this writing, the tool is available at the following link:
http://serviceweb/mcafee/backline/escalations/MER_TOOL/IPSInfoCollector.zip
viii
Sensor issues
the sensor deployment configuration information on the GBICs you are using with sensor GE ports; this information is extremely helpful for troubleshooting link issues the volume of traffic through the sensor in some cases, a network diagram (particularly for troubleshooting asymmetric traffic issues) a sensor trace file, which you can create using the process described in Providing a sensor diagnostics trace. sensor operating mode (i.e., In-line, SPAN or TAP). This information can be obtained from: Sensor_Name > Interface > View Details peer device port settings (For example, for Cisco switches/routers, you would provide the output of the show port [mod[/port] command. Management port configuration (obtained by issuing a show mgmtport command)
Signature set issues

the signature set and software versions you are running the frequency at which you see the false positive whether the alert condition is reproducible policy configuration alert evidence reports traffic volume, if possible traffic type what software and systems are on the affected systems your network topology
ix
CHAPTER 1
Before You Install

This chapter lists pre-installation recommendations.
Pre-installation recommendations
These IntruShield pre-installation recommendations are a compilation of the information gathered from individual interviews with some of the most seasoned IntruShield System Engineers at McAfee.
Planning for installation

Before installation, ensure that you complete the following tasks: The server, on which the ISM software will be installed, should be configured and ready to be placed online. You must have administrator privileges for the ISM server system. This server should be dedicated, hardened for security, and placed on its own subnet. This server should not be used for programs like instant messaging or other non-secure Internet functions. Make sure your hardware requirements meet the following minimum criteria: Server class hardware (as opposed to a Desktop). At least a P4 1 GHz chip (dual 2+ GHz chips are highly recommended). At least 1 GB of RAM (at least 2 GB of RAM is highly recommended). At least 40 GB of free disk space. Fast disks and a hardware RAID array with a good amount of cache are highly encouraged. This will only improve Alert Manager performance. At least one 100 Mbps Ethernet adapter. Make sure the Windows operating system required for this version of the ISM software is installed as defined by the system requirements in the versions release notes. The same holds true for the Windows operating system required for the client(s). Ensure the proper IPv4 address has been allocated for IntruShield. If applicable, configure name resolution for the ISM. Ensure that all parties have agreed to the solution design, including the location and mode of all sensors, the use of sub-interfaces or interface groups, and if and how the ISM will be connected to the production network. Get the required license file and grant number. Accumulate the required quantity of wires and (supported) GBICs, SFPs, or XFPs. Ensure these are approved hardware from McAfee or a supported vendor. Ensure that the required quantity of IntruShield dongles, which ship with the sensors, are available.
Before You Install
Crossover cables will be required for 10/100 or 10/100/1000 monitoring ports if they are directly connected to a firewall, router, or end node. Otherwise, standard patch cables are required for the Fast Ethernet ports. If applicable, identify the ports to be mirrored, and someone who has the knowledge and rights to mirror them. Allocate the proper IP addresses for the sensors. Identify hosts that may cause false positives, for example, HTTP cache servers, DNS servers, mail relays, SNMP managers, and vulnerability scanners.
Functional requirements
Following are the functional requirements to be taken care of: Install Wireshark (formerly known as Ethereal http://www.wireshark.com http://www.wireshark.org) on the client PCs. Ethereal is a network protocol analyzer for Unix and Windows servers, used to analyze the packet logs created by IntruShield sensors. Ensure the correct version of JRE is installed on the client system, as described in the Release Notes. This can save a lot of time during deployment.
Note: Note that a particular version of JRE is installed with the ISM server, as described in the release notes; be sure that the ISM server does not have a conflicting version of JRE installed. Determine a way in which ISM maintains the correct time. To keep time from drifting, for example, point the ISM server to an NTP timeserver. (If the time is changed on the ISM server, the ISM will lose connectivity with all sensors and the Update Server because SSL is time sensitive.) If Manager Disaster Recovery (MDR) is configured, ensure that the time difference between the Primary and Secondary ISMs is less than 60 seconds. (If the spread between the two exceeds more than two minutes, communication with the sensors will be lost.) We recommend that the Management port of the sensor and the ISM be on the same internal network; for security and management reasons. If you are upgrading from a previous version, we recommend that you follow the instructions in the respective versions release notes or, if one is available for your release, Upgrade Guide. We recommend that you remove old ISM software and reboot your machine before upgrading to a new version.
Install a desktop firewall

McAfee strongly recommends that you configure a packet-filtering firewall to block connections to ports 8551, 3306, 8007, 8009, and 8552 of your ISM server. The firewall can either be a host-based or a network-based. Set your firewall to deny connections to these ports if the connections are not initiated by the localhost. The only connections that should be allowed are those from the ISM server itself; that is, the localhost. For example, if another machine attempts to connect to port 8551, 8552, 3306, 8007 and 8009 the firewall should automatically block any packets sent. If you need assistance in blocking these, contact Technical Support.
If a firewall will reside between the sensor, ISM, or administrative client, which includes a personal firewall on the ISM, the following ports must be opened:
Port Protocol Description Direction of communication
4167 (high ports) (source port on the Manager) and 8500 (destination port on the sensor) 8501 8502
UDP
Default SNMPv3 command channel
Manager-->sensor
TCP TCP
Proprietary (install port) Proprietary (alert channel/control channel) Proprietary (packet log channel) Proprietary (file transfer channel) SSL/TCP/IP (Alert Manager) HTTPS Web-based user interface SSH
sensor-->ISM sensor-->ISM
8503 8504 8555 443 80
TCP TCP TCP TCP TCP
sensor-->ISM sensor-->ISM client-->ISM client-->ISM client-->ISM (Webstart/JNLP, Console Applets) Remote console access
22
TCP
Note: If you choose to use non-default ports for the Install port, Alert port, and Log port, ensure that those ports are also open on the firewall. Note that 3306/TCP is used internally by the ISM to connect to the MySQL database. If you have Email Notification or SNMP Forwarding configured on the ISM, and there is firewall residing between the ISM and your SMTP or SNMP server, ensure the following ports are available as well.
Before You Install
Additional communication ports

Port Description Direction of communication
25/TCP 49/TCP 162/UDP 389/TCP 443/TCP 443/TCP 514/UDP 636/TCP 1812/UDP
SMTP TACACS+ Integration SNMP Forwarding LDAP Integration (without SSL)
ISM-->SMTP server Sensor-->TACACS+ server ISM-->SNMP server ISM-->LDAP server
Secure communication for MDR ISM 1-->ISM 2 Secure communication for MDR ISM 2-->ISM 1 Syslog forwarding (ACL logging) LDAP Integration (with SSL) RADIUS Integration ISM-->Syslog server ISM-->LDAP server ISM-->RADIUS server
Close all open programs, including email, the Administrative Tools > Services window, and instant messaging before installation to avoid port conflicts. A port conflict may prevent the application from binding to the port in question because it will already be in use.
Caution: The ISM is a standalone system and should not have other applications installed.
Using anti-virus software with the Manager

If you plan to install anti-virus software such as McAfee VirusScan on the ISM, be sure the MySQL directory and its sub-directories, for example, c:\mysql\*, are excluded from the various scanning processes. Otherwise, IntruShield packet captures may result in the deletion of essential MySQL files. Also exclude the IntruShield installation directory and its sub-directories, for example,
c:\intrushield\*, because temporary files are created there that might conflict with the
anti-virus scanner. Note: If you install McAfee VirusScan 8.0i on the ISM after the installation of the ISM software, the MySQL scanning exceptions will be created automatically, but the IntruShield exceptions will not.
McAfee VirusScan 8.0i and SMTP notification

VirusScan 8.0i includes an option (enabled by default) to block all outbound connections over TCP port 25. This helps reduce the risk of a compromised host propagating a worm over SMTP using a homemade mail client. VirusScan 8.0i avoids blocking outbound SMTP connections from legitimate mail clients, such as Outlook and Eudora, by including the processes used by these products in an exclusion list. In other words, VirusScan 8.0i ships with a list of
processes it will allow to create outbound TCP port 25 connections; all other processes are denied that access. The ISM takes advantage of the JavaMail API to send SMTP notifications. If you enable SMTP notification and also run VirusScan 8.0i, you must therefore add java.exe to the list of excluded processes. If you do not explicitly create the exclusion within VirusScan 8.0i, you will see a Mailer Unreachable error in the ISM System Health to each time the ISM attempts to connect to its configured mail server. To add the exclusion, follow these steps: 1 2 3 4 5 Launch the VirusScan Console. Right-click the task called Access Protection and choose Properties. Highlight the rule called Prevent mass mailing worms from sending mail. Click Edit. Append java.exe to the list of Excluded Processes.
User interface responsiveness

The responsiveness of the user interface, the Alert Manager in particular, has a lasting effect on your overall product satisfaction. In this section we suggest some easy but essential steps, to ensure that IntruShield responsiveness is optimal: During ISM software installation, use the recommended values for memory and connection allocation. You will experience better performance in your configuration and data forensic tasks by connecting to the ISM from a browser on a client machine. Performance may be slow if you connect to the ISM using a browser on the server machine itself. Perform monthly or semi-monthly database purging and tuning. The greater the quantity of alert records stored in the database, the longer it will take the user interface to parse through those records for display in the Alert Manager. The default IntruShield settings err on the side of caution and leave alerts (and their packet logs) in the database until the user explicitly decides to remove them. However, most users can safely remove alerts after 30 days.
Caution: It is imperative that you tune the MySQL database after each purge operation. Otherwise, the purge process will fragment the database, which can lead to significant performance degradation. Defragment the disks on the ISM on a routine basis, with the exception of the MySQL directory. The more often you run your defragmenter, the quicker the process will be. Consider defragmenting the disks at least once a month.
Warning: Do NOT attempt to defragment the MySQL directory using an O/S defrag utility. To defragment MySQL tables, use a MySQL-specific utility, myisamchk available in the <mysqlinstallation>\bin directory. Limit the quantity of alerts to view when launching the Alert Manager. This will reduce the total quantity of records the user interface must parse and therefore potentially result in a faster initial response on startup.
Before You Install
When scheduling certain ISM actions (backups, file maintenance, archivals, database tuning), set a time for each that is unique and is a minimum of an hour after/before other scheduled actions. Do not run scheduled actions concurrently.
CHAPTER 2
Hardening the ISM Server

This section describes methods for hardening your ISM server.
Introduction
IntruShield Security Manager (ISM) implementation varies between environments. The Manager servers positioning in the network, both physically and logically, may influence specific remote access and firewall configuration requirements. The following best practices are intended to cover the configurable features that can impact the security of ISM. This information should be used in combination with the IntruShield Release Notes and the rest of the documentation set. McAfees recommendations, at a high level: Install a desktop firewall on the server and open the proper ports Harden the MySQL installation Harden the ISM host
Install a desktop firewall

It is recommended that you operate a desktop firewall on the ISM server. Certain ports are used within the IntruShield system. Some of these required for ISM--sensor and ISM client-server communication. All remaining unnecessary ports should be closed. The ports used by IntruShield are listed in Install a desktop firewall (on page 2).
Harden the MySQL installation

Ensure the cmd window used for making changes to database tables in the mysql database stays opened in the mysql shell until validation is completed. This is necessary to enable you to rollback the changes in case you need to. Rollback procedures are shown at the end of this section. Use another cmd window, where necessary, to validate hardening changes you have made.
Remove test database

Remove the test database from the server. 1. Start My SQL. 2. Backup db table to do dbbackup before changing it. 3. Validate that the backup table was created and row count matches that of the mysql.db table. 4. Check all the databases on the ISM server. mysql> use mysql; mysql> create table db_backup as select * from db; mysql> select count(*) from db_backup;
mysql> show databases;
5. Remove the test db, Keep only the mysql> drop database test; MYSQL and INTRUSHIELD (for example, lf) databases. 6. You should see only two databases (MYSQL and LF) if you are using the default Intrushield installation of MySQL. mysql> show databases;
Remove local anonymous users

To remove local anonymous users: 1. Look for blank entries for user. 2. Remove anonymous access to databases 3. Remove anonymous/blank accounts 4. Validate that localhost replaced % entry under the host column. You will also notice you will now need to qualify username and password on the local machine to get into mysql shell from the mysql.exe CLI. mysql> select host,db,user from db; mysql> update db set host="localhost" where user=""; mysql> flush privileges;
Remove remote anonymous users

To remove remote anonymous users, you harden mysql.exe CLI access by forcing the requirement for a username and password to get into the mysql shell as follows.
Start MySQL. Back up the db table to user_backup before changing it. Validate that the backup table was created and row count matches that of the mysql.db table. List all users and hosts. Remove anonymous/blank accounts. Validate that rows with blank user columns have been removed.
mysql> use mysql; mysql> create table user_backup as select * from db; mysql> select count(*) from user_backup; mysql> select user,host from user; mysql> delete from user where user=""; mysql> select user,host from user;
Secure MySQL remote access

This section provides two options for removing remote access. Remove individual users remote access Remove ALL remote access (Recommended)
Remove individual users remote access

Do ONE of the following: Remove admin (Intrushield user) remote access mysql> delete from user where host!='localhost' and user='admin'; (The admin user cannot login remotely; however ISM root can. Use second cmd window to validate.) mysql>flush privileges; Remove root remote access (Recommended minimum action) mysql> delete from user where host!='localhost'? and user='root'; This ensures that the root user cannot login remotely; however an ISM user can log in remotely. Use second cmd window to validate. mysql>flush privileges;
Remove ALL remote access

mysql> delete from user where host!='localhost' ALL user access is disabled including ISM users from remote host(s).
Use another cmd window to validate; you can ONLY log in to the MySQL CLI on the ISM server by qualifying username, password and db. For example: mysql uadmin -pXXX lf
Rolling back your changes

If you need to roll back your changes, use the following commands: To roll back changes made to the mysql.db table from the mysql.db_backup table: mysql> rename table db to db_1; mysql> rename table db_backup to db; mysql> flush privileges;
To roll back changes made to the "mysql.user" table from mysql.user_backup table: mysql> rename table user to user_1 mysql> rename table user_backup to user; mysql> flush privileges;
Remove debug shell at port 9001

In addition to denying traffic over port 9001 and 9002 (as per Install a desktop firewall) (on page 2), the debugging shell that runs on port 9001 can be disabled by modifying the value of the iv.policymgmt.RuleEngine.BSH_Diagnostics_Port record in the iv_emsproperties table. To disable the port, set the value in the field called value = -1
Figure 1: The debug shell port
10
Other best practices for securing ISM
Other best practices for securing ISM

Recommended practices
Use a clean, dedicated machine for the ISM server and perform a fresh install of the ISM software, including the installation of the embedded MySQL database. No other software should be available on the server, with the exception of a host-based firewall as described in Install a desktop firewall. (on page 2) Make sure the PC is in an isolated, physically secure environment Disallow access to the directory clumsily and all its sub-directories to anyone other than authorized administrators. Use Microsoft Knowledge Base article # 324067 to accomplish this procedure. Disallow the following permissions: Read Write Read and Write Modify List folder contents Full control Disable HTTP TRACE request. It can be disabled with the following mod_rewrite syntax in the Apache Server's httpd.conf file (available in the <Intrushield installation directory>/Apache/conf directory). RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F]
11
CHAPTER 3
Troubleshooting IntruShield IPS

This section lists some troubleshooting tips for IntruShield.
Facilitating troubleshooting
When an in-line device experiences problems, most peoples instinct is to physically pull it out of the path; to disconnect the cables and let traffic flow unimpeded while the device can be examined elsewhere. McAfee recommends you first try the following techniques to troubleshoot a sensor issue: All sensors have a Layer2 Passthru feature. If you feel your sensor is causing network disruption, before you remove it from the network, issue the following command: layer2 mode assert This pushes the sensor into Layer2 Passthru (L2) mode, causing traffic to flow through the sensor while bypassing the detection engine. Check to see whether your services are still affected; if they are, then you have eliminated certain sensor hardware issues; the problem could instead be a network issue or a configuration issue. (The layer2 mode deassert command pushes the sensor back to detection mode.) McAfee recommends that you configure Layer2 Passthru Mode on each sensor. This enables you to set a threshold on the sensor that pushes the sensor into L2 bypass mode if the sensor experiences a specified number of errors within a specified timeframe. Traffic then continues to flow directly through the sensor without passing to the detection engine. Connect a fail-open kit, which consists of a bypass switch and a controller, to any GE monitoring port pairs on the sensor. If a kit is attached to the sensor, disabling the sensor ports forces traffic to flow through the bypass switch, effectively pulling the sensor out of the path. For FE monitoring ports, there is no need for the external kit. Sensors with FE ports contain an internal tap; disabling the ports will send traffic through the internal tap, providing fail-open functionality. Caution 1: Note that the sensor will need to reboot to move out of L2 mode only if the sensor entered L2 mode because of internal errors. (It does not need a reboot if the layer2 mode assert command was used to put the sensor into L2 mode). Caution 2: A sensor reboot breaks the link connecting the devices on either side of the sensor and requires the renegotiation of the network link between the two devices surrounding the sensor. Caution 3: Depending on the network equipment, this disruption should range from a couple of seconds to more than a minute with certain vendors devices. A very brief link disruption might occur while the links are renegotiated to place the sensor back in in-line mode.
12
Starting your troubleshooting
Starting your troubleshooting

Before you get too deep into troubleshooting techniques, it is a good practice to consider the following questions: Were there physical changes to your network that occurred recently? If another device is placed in the sensors position, does that device receive traffic? If the sensor is in L2 mode, are your networks services still affected? Are you using approved McAfee GBICs or SFP GBICs with your sensor? (For a list of approved hardware, see McAfee KnowledgeBase article KB56364 [Go to http://mysupport.mcafee.com/Eservice/, and click Search the KnowledgeBase]
Difficulties connecting sensor and ISM

If you experience problems getting the ISM and sensor to communicate, see if one of the following situations may be the cause.
Network connectivity
Ensure that the sensor and ISM server have power and are appropriately connected to the network. Verify the link LEDs on both devices to indicate they have an active link. Ping the sensor and ISM server to ensure that they are available on the network.
Inconsistency in sensor and ISM configuration

Check to ensure that the sensor name that was entered in the CLI is identical to that entered in the ISM. Ensure the same for the shared secret key value. If these values do not match, the two cannot communicate.
Note : Note that the sensor name is case-sensitive. Check the network addresses for the ISM, the ISMs gateway, and the sensor to ensure everything is configured correctly by typing show at the sensor CLI command prompt.
13
Difficulties connecting sensor and ISM
Software or signature set incompatibility

Check to ensure that the sensor software image, ISM software version, and signature set version are compatible. A compatibility matrix is provided in the release notes that accompany each product release.
Firewall between the devices

If there is a firewall between the sensor and the ISM server, make sure the devices are able to communicate by opening the appropriate ports. Note : Ports used by the ISM server are listed in the section Install a desktop firewall. (on page 2)
Management port configuration

If you experience problems getting your sensor and ISM to communicate, it may be a communication issue between the sensors Management port and the network device to which it is connected. Check the Management Port Link LEDs on the sensor; if the link is down, see if any of the following suggestions enable connectivity. Check that the network device is on-line. Check the cable connecting the sensor to the network device. Ensure that the port on the device to which the Management port is connected is enabled/active. The port speed and duplex mode of the two devices must match. For example, if the device connecting to the sensor is not set to auto-negotiate, you must configure the Management port to use the same settings as those of the device connecting to the Management port. To troubleshoot this, use the set mgmtport command.
Note: Check the link LEDs on the devices to see if communication is established, or use the show mgmtport command to show the links status. Try each of these configuration options to see if one establishes a link: 1 2 First (if possible) set the other devices port configuration to auto-negotiate. (The sensor is set to auto-negotiate by default.) Using the set mgmtport command as described below in Setting the management port speed and duplex mode, try setting the speed and port of the sensor to speed 100 and duplex half. If no link is established, try speed 10 and duplex half. If none of the above attempts creates a link, try setting the port on the other device to a speed of 100, duplex half, and try steps 2 and 3 again. If this does not establish a link, you can then do the same, setting the other device to a speed of 10, duplex half, and try steps 2 and 3 again. If you are still experiencing difficulties, contact McAfee Technical Support.
3 4 5 6
14
Connectivity issues between the sensor and other network devices
Setting the management port speed and duplex mode

Set the speed of the Management port and whether the port should be set to half-or full-duplex. At the prompt, type: set mgmtport speed <10 | 100 | 1000> duplex <half | full> where <10> indicates 10 Mbps, <100> indicates 100 Mbps, and <1000> indicates 1000 Mbps <half> indicates half-duplex and <full> indicates full-duplex. Example: set mgmtport speed 100 duplex half 1

The most common sensor problems relate to configuration of the speed and duplex settings. Speed determination issues may result in no connectivity between the sensor and the switch.
Duplex mismatches
A duplex mismatch (for example, one end of the link in full-duplex and the other in half-duplex) may result in performance issues, intermittent connectivity, and loss of communication. It can also create subtle problems in applications. For example, if a Web server is talking to a database server through an Ethernet switch with a duplex mismatch, small database queries may succeed, while large ones fail due to a timeout. Manually setting the speed and duplex to full-duplex on only one link partner generally results in a mismatch. This common issue results from disabling autonegotiation on one link partner and having the other link partner default to a halfduplex configuration, creating a mismatch. This is the reason why speed and duplex cannot be hard-coded on only one link partner. If your intent is not to use autonegotiation, you must manually set both link partners' speed and duplex settings to full-duplex.
Valid auto-negotiation and speed configurations

The table below summarizes all possible settings of speed and duplex for IntruShield sensors and switch ports.
15
IntruShield Configuration 10/100/1000 port (Speed/Duplex)
Configuration of Switch (Speed/Duplex)
Resulting Sensor (Speed/Duplex)
Resulting Catalyst (Speed/Duplex)
Comments
1000 Mbps Full-duplex 1000 Mbps Full-duplex 1000 Mbps Full-duplex 100 Mbps Full-duplex 1000 Mbps Full-duplex No Link No Link Neither side establishes link, due to speed mismatch Duplex Mismatch 1
100 Mbps Full-duplex 100 Mbps Full-duplex 100 Mbps Half-duplex
AUTO
100 Mbps Full-duplex
100 Mbps Full-duplex 100 Mbps Full-duplex 100 Mbps Half-duplex
1000 Mbps Full-duplex AUTO
100 Mbps Full-duplex 100 Mbps Half-duplex
Correct Manual Configuration2 Link is established, but switch does not see any autonegotiation information from IntruShield and defaults to halfduplex when operating at 10/100 Mbps.
10 Mbps Half-duplex
AUTO
100 Mbps Half-duplex
Link is established, but switch does not see Fast Link Pulse (FLP) and defaults to 10 Mbps half-duplex. Neither side establishes link, due to speed mismatch.
10 Mbps Half-duplex
No Link
No Link
16
Gigabit auto-negotiation (no link to connected device)

Gigabit Ethernet has an auto-negotiation procedure that is more extensive than that which is used for 10/100 Mbps Ethernet (per Gigabit auto-negotiation specification IEEE 802.3z-1998). The Gigabit auto-negotiation negotiates flow control, duplex mode, and remote fault information. You must either enable or disable link negotiation on both ends of the link. Both ends of the link must be set to the same value or the link will not connect. If either device does not support Gigabit auto-negotiation, disabling Gigabit autonegotiation forces the link up.
Troubleshooting a Duplex Mismatch with Cisco Devices

When troubleshooting connectivity issues with Cisco switches or routers, verify that the sensor and the switch/routers are using a valid configuration. The show intfport <port> command on the IntruShield sensor CLI will help reveal errors. Sometimes there are duplex inconsistencies between IntruShield and the switch port. Symptoms include poor port performance and frame check sequence (FCS) errors that increment on the switch port. To troubleshoot this issue, manually configure the switchport to 100 Mbps, half-duplex. If this action resolves the connectivity problems, you may be running into this issue. Contact Cisco's TAC for assistance. Use the following commands to verify fixed interface settings on some Cisco devices that connect to IntruShield sensors:
Cisco PIX Firewall

interface ethernet0 100full
Cisco CSS 11000

interface ethernet-3 phy 100Mbits-FD
Cisco Catalyst 2900XL, 3500XL Series (Hybrid)

interface FastEthernet0/2 duplex full speed 100
Cisco Catalyst 4000, 5000, 6000 Series (Native)

set port speed 1/1 100 set port duplex 1/1 full
17
Connectivity issues with Cisco 3750-12S switch

Use the following ports when connecting a Cisco 3750-12s switch to your IntruShield sensor: 3, 4, 7, 8, 11, or 12. Connections using ports 1, 2, 5, 6, 9, or 10 may cause network jitter, which is an inconsistent delay of packets.
Cisco IOS for Catalyst 4000, 6000 Series

Router(config)# interface fastethernet slot/port Router(config-if)# speed 100
Router(config-if)# duplex full When troubleshooting IntruShield performance issues with Cisco switches, view the output of the show port mod/port command, and note the counter information.
Explanation of CatOS show port Command Counters

Counter Description Possible Causes
Alignment Errors
Alignment errors are a count of the number of frames received that do not end with an even number of octets and have a bad CRC. FCS error count is the number of frames that were transmitted or received with a bad checksum (CRC value) in the Ethernet frame. These frames are dropped and not propagated onto other ports. This is an indication that the internal transmit buffer is full.
These are the result of collisions at half-duplex, duplex mismatch, bad hardware (NIC, cable, or port), or a connected device generating frames that do not end with on an octet and have a bad FCS. These are the result of collisions at half-duplex, duplex mismatch, bad hardware (NIC, cable, or port), or a connected device generating frames with bad FCS.
FCS
Xmit-Err
This is an indication of excessive input rates of traffic. This is also an indication of transmit buffer being full. The counter should only increment in situations in which the switch is unable to forward out the port at a desired rate. Situations such as excessive collisions and 10 Mb ports cause the transmit buffer to become full. Increasing speed and moving the link partner to full-duplex should minimize this occurrence. This is an indication of excessive output rates of traffic. This is also an indication of the receive buffer being full. This counter should be zero unless there is excessive traffic through the switch. In some switches, the Out-Lost counter has a direct correlation to the Rcv-Err. This is an indication of a bad frame generated by the connected device.
Rcv-Err
This is an indication that the receive buffer is full.
UnderSize
These are frames that are smaller than 64 bytes (including FCS) and have a good FCS value.
18
Counter
Description
Possible Causes
Single Collisions
Single collisions are the number This is an indication of a half-duplex configuration. of times the transmitting port had one collision before successfully transmitting the frame to the media. Multiple collisions are the number of times the transmitting port had more than one collision before successfully transmitting the frame to the media. This is an indication of a half-duplex configuration.
Multiple Collisions
Late Collisions
A late collision occurs when two This is an indication of faulty hardware (NIC, cable, devices transmit at the same or switch port) or a duplex mismatch. time and neither side of the connection detects a collision. The reason for this occurrence is that the time to propagate the signal from one end of the network to another is longer than the time to put the entire packet on the network. The two devices that cause the late collision never see that the other is sending until after it puts the entire packet on the network. Late collisions are detected by the transmitter after the first time slot of the 64-byte transmit time occurs. They are only detected during transmissions of packets longer than 64 bytes. Its detection is exactly the same as it is for a normal collision; it just happens later than it does for a normal collision. Excessive collisions are the number of frames that are dropped after 16 attempts to send the packet resulted in 16 collisions. Carrier sense occurs every time an Ethernet controller wants to send data and the counter is incremented when there is an error in the process. These are frames smaller than 64 bytes with a bad FCS value. These are frames that are greater than 1518 bytes and have a bad FCS value. This is an indication of over utilization of the switch port at half-duplex or duplex mismatch.
Excessive Collisions
Carrier Sense
This is an indication of faulty hardware (NIC, cable, or switch port).
Runts
This is an indication of the result of collisions, duplex mismatch, IEEE 802.1Q (dot1q), or an InterSwitch Link Protocol (ISL) configuration issue. This is an indication of faulty hardware, dot1q, or an ISL configuration issue.
Giants
19
Checking sensor health
Auto-negotiation
Auto-negotiation issues typically do not result in link establishment issues. Instead, auto-negotiation issues mainly result in a loss of performance. When auto-negotiation leaves one end of the link in, for example, full-duplex mode and the other in halfduplex (also known as a duplex mismatch), errors and retransmissions can cause unpredictable behavior in the network causing performance issues, intermittent connectivity, and loss of communication. Generally these errors are not fatal-traffic still makes it through-but locating and fixing them is a time-waster.
Situations that may lead to Auto-negotiation issues

Auto-negotiation issues with the IntruShield sensor may result from nonconforming implementation, hardware incapability, or software defects. Generally, if the switch used with the sensor adheres to IEEE 802.3u auto-negotiation specifications and all additional features are disabled, auto-negotiation should properly negotiate speed and duplex, and no operational issues should exist. Problems may arise when vendor switches/routers do not conform exactly to the IEEE specification 802.3u. Vendor-specific advanced features that are not described in IEEE 802.3u for 10/100 Mbps auto-negotiation (such as auto-polarity or cabling integrity) can also lead to hardware incompatibility and other issues.
Checking sensor health

To see if your sensor is functioning correctly, do one of the following: On the sensor: At the command prompt, type status. This displays system status (such as system health, system initialization, signature version, trust, channel status, alert counts, and so on). Sensor should be initialized and in good health. At the command prompt, type show. This displays configuration information (such as sensor image version, type, name, ISM and sensor IP addresses, and so on). On the ISM: In the ISM Home page, select Sys Health > View to launch the System Health. ISM status should be UP, and sensor status should be ACTIVE.
Note: If you see system faults indicating that the ISM is down, see System Fault Messages (on page 31), to interpret the fault and, if necessary, take action to clear the fault.
20
Ensuring that the sensor is receiving traffic
Pinging a sensor
The sensor Management port responds only to 1 ping/sec. This prevents it from susceptibility to a ping flood. To ping a sensor Management port from multiple hosts, increase the time interval between pings.
Ensuring that the sensor is receiving traffic

Check the sensors Performance Statistics to verify that traffic is being sent and received. Do the following to verify the traffic flow: 1 2 3 4 5 From the ISM Home page, click on Configure. Click on the desired sensor in the Resource Tree. Click on the Statistics tab on the right pane. Click on the Performance Statistics action. Select the appropriate configured port. Youll see statistics such as the following:
Port Total Unicast Pkts Sent. Port Total Unicast Pkts Recv count. Port Total Multicast Pkts Sent count. Port Total Multicast Pkts Recv count.
Refresh the screen and verify the packet counts are increasing.
Checking sensor failover status

To ensure that two sensors comprising a failover pair are communicating via their interconnection cable, go to each sensor's CLI and type show failover-status. Failover should display as enabled (YES), and the peer sensor should display as UP.
Cabling failover through a network device

Do not cable the heartbeat connection through an external network device. To keep overhead low and throughput high, the sensors do not include layer 2 or 3 headers on the packets they pass over the heartbeat connection, and they pass data larger than the standard Ethernet maximum frame size (1518 bytes). If you attempt to place a network device, such as a switch or router, between the heartbeat ports, the heartbeat connection will fail.
21
Checking whether a signature or software update was successful
Checking whether a signature or software update was successful

To see if your sensor successfully received a signature update or software upgrade, you can use the status command as shown in the following procedure, or the downloadstatus command, described later in this chapter. To use the status command: 1 2 3 On the sensor, type status at the command prompt before updating the signature set on the sensor. Note the signature version. Update the signature set on the sensor using the ISM screens. On the sensor, again type status at the command prompt. Verify that the signature version number has incremented. The new signature version should match with the signature set version that has been just applied to the sensor.
Checking status of a download or upload

To see the progress of an upload or download, use the downloadstatus command. The downloadstatus command displays the status of various download/upload operations: signature, software image, and DoS profile downloads (from ISM to sensor) and DoS profile and debug trace uploads (from sensor to ISM). It also lists the number of times you have performed the operation, status of your previous attempt to perform the operation (includingif the operation failedthe cause of failure), and the time the command was executed. Do the following: 1 On the sensor, type downloadstatus at the command prompt.
Conditions requiring a sensor reboot

The following situations either cause or require a sensor reboot. You have two options for rebooting the sensor. You can reboot the sensor from the ISM interface, or you can issue the reboot CLI command. Note: Note that a reboot can take up to five minutes. Deleting signatures using the deletesignatures CLI command causes an automatic sensor reboot. Issuing a resetconfig CLI command causes an automatic sensor reboot. Changing a sensors IP address requires a manual reboot of the sensor before the change will take effect. Certain internal software errors may cause the sensor to reboot itself. See a description of sensor fault messages later in this chapter. For more information on System Health Viewer, see Alert & system Health Monitoring Guide. Upgrading sensor software requires a manual reboot of the sensor.
22
Sensor doesnt boot
Signature set updates that include a protocol change.
Rebooting a sensor via the ISM

The Reboot Sensor action restarts a sensor. You perform this action in the ISM interface. To reboot a sensor, do the following: 1 2 Select Sensor_Name > Sensor > Reboot. Click Reboot Sensor.
Rebooting a sensor using the reboot command

The reboot command restarts a sensor. You perform this action in the sensor CLI: 1 2 At the prompt, type: reboot Confirm the reboot.
Sensor doesnt boot

If you cannot get the sensor to boot, try the following: Check to ensure that the sensor is powered on. Check the LEDs on the front of the sensor. Check the front panel LEDs to ensure that the sensor temperature is normal. For more information on sensor LEDs, see the respective Product Guide for your sensor model. If you receive an error message in the CLI: OS not found, you may have a corrupted internal flash. If you see this error, contact Technical Support to obtain help in recovering the sensor.
Loss of connectivity between the sensor and ISM

If you have previously established a connection between the sensor and the ISM and the connection fails, try the following: Check network connectivity. View the system status on both the ISM and the sensor. Check to ensure the Management port on the sensor is configured with the proper speed and duplex mode as described in Management port configuration.
23
ISM connectivity to the database
Has the time been reset on the ISM server? The connection between the sensor and ISM server is secure, and this secure communication is timesensitive, so the time on the devices should remain synchronized. You must set the time on the ISM server before you install the ISM software and never change the time on that machine. If the time changes on the ISM server, the ISM will lose its connectivity with the sensor and the Update Server. A time change could ultimately cause serious database errors. For more information, see the KnowledgeBase article KB555587 [Go to http://mysupport.mcafee.com/Eservice/, and click Search the KnowledgeBase]
How sensor handles new alerts during connectivity loss

The sensor stores alerts internally until connection is restored. IntruShield classifies events and prioritizes to ensure the buffer is filled with the most meaningful events to an analyst. The following table lists the number of alerts that can be stored locally on the sensor.
Number
Alert Type
100000 2500 2500 2500 2500 1000 1000
Signature based alerts Throttled alerts (with source and destination IP and port information) Compressed throttled alerts (alerts with no source and destination IP information) Statistical or anomaly DoS Throttled DoS alerts Host sweep alerts Port scan alerts
Once the connection from the sensor to the ISM has been re-established, the queued alerts are forwarded up to the manger. So the customer will retain them even in the event that connectivity is disrupted for some time. If the buffer fills up before connectivity is restored, the sensor will drop new alerts, but if blocking is enabled, the sensor will continue to block irrespective of the sensor's connectivity with the ISM.
ISM connectivity to the database

In the event that the ISM loses connectivity to the database (i.e. the database goes down) the alerts are stored in a flat file on the ISM server. When the database connectivity is restored, the alerts are stored in the database.
24
Error on accessing the Configuration page
ISM database is full

We recommend that the customer monitor the disk space on a continuous basis to prevent this from happening. If the ISM database or disk space is full, the ISM will unable to process any new alerts or packet logs. In addition, the ISM may not be able to process any configuration changes, including policy changes and alert acknowledgement. In fact, the ISM may stop functioning completely. To rectify this situation, please perform maintenance operations on the database, including deleting unnecessary alerts and packet logs. Furthermore, please reevaluate database capacity planning and sizing, and monitor free space proactively. The ISM is designed with various file and disk maintenance functions. You can archive alert and packetlog data and then delete the data to free up disk space. It also provides a standalone tool for creating database backups that can be archived for emergency restoration. The ISM also provides disk maintenance alerts, which send proactive system fault messages when certain disc-dependent processes exceed a user-defined threshold (say 70%).
Error on accessing the Configuration page

On some occasions, accessing the ISM Configuration page can result in an error message. This typically happens if you access various versions of the ISM from the same client or use the ISM client to access other Web-based applications as well. This is a Java-cache related issue. To resolve the issue: 1 2 3 4 On the ISM client, go to Windows Control Panel > Java > General > Settings. Click Delete Files and then click OK in the Delete Temporary Files dialog. This deletes all Java-related temporary files on the client. Log out of the ISM and close Internet Explorer. Log on to the ISM in a new instance of Internet Explorer.
Sensor response if its bandwidth is exceeded

Each sensor model has a limited throughput. For example, the IntruShield 2700 sensor is rated at 600Mbps performance. With the Gigabit interfaces it is theoretically possible to oversubscribe the limit. What happens in this situation? Will it throttle the throughput to 600Mbps or will you just lose the IPS functionality for everything more than 600Mbps? The answer is that the sensor will drop packets the same way that a Cisco switch would if you oversubscribed it--you cannot send 1Gig of traffic to a 100Mbps port. It is very important that you stay within the operating parameters of the device you deploy. If you are actually running at gigabit speeds, you should probably be running an I-3010/I-4000/I-4010 sensor, which all have a much higher throughput.
25
MySQL issues
MySQL issues
The common symptoms that occur if your database tables become corrupt: .MYI or .MYD errors reported in the ems.log file Inability to acknowledge or delete faults in System Health When trying to view packet log for in the Alert Viewer, you receive an error message: You receive the message No Packet log available for this alert at this time If you think that your MySQL database tables have become corrupt, follow the instructions on verifying your tables, which is available in McAfee KnowledgeBase article KB60660 [Go to http://mysupport.mcafee.com/Eservice/, and click Search the KnowledgeBase]
How sensors handle various types of traffic

Jumbo Ethernet frames
IntruShield sensors respond differently to jumbo frames based on which ports are receiving them. Inspection is not available for jumbo frames. 10/100 (FE) ports: Jumbo frames are not supported. When a 10/100 port receives a jumbo frame, the frame is dropped. 1000 (GE) port: The frame is passed through the sensor, but is not subjected to IPS inspection.
ISL frames
All IntruShield sensor models (running all sensor software versions) pass ISL frames through the sensor without IPS inspection.
26
CHAPTER 4
Determining False Positives

This section lists methods for determining and reducing false positives.
Reducing false positives

Your policy determines what traffic analysis your sensor will perform. IntruShield provides a number of policy templates to get you started toward your ultimate goal: prevent attacks from damaging your network, and limit the alerts displayed in the Alert Viewer to those which are valid and useful for your analysis. There are two stages to this process: initial policy configuration and policy tuning. Each are tedious tasks. Because networks and attacks constantly evolve, the policy tuning process is not only tedious, it is also never truly complete. Instead, you might equate it to a disk defragmentation; the more often you do it, the less time each check takes. The ultimate goal of policy tuning is to eliminate false positives and noise and avoid overwhelming quantities of legitimate, but anticipated alerts.
Tune your policies

The default IntruShield policy templates are provided as a generic starting point; you will want to customize one of these policies for your needs. So the first step in tuning is to clone the most appropriate policy for your network and your goals, and then customize it. (You can also modify a policy directly rather than modifying a copy.) This process is involved, and is discussed in Policies Configuration Guide. Some things to remember when tuning your policies: We ask that you set your expectations appropriately regarding the elimination of false positives and noise. A proper IntruShield implementation includes multiple tuning phases. False positives and excess noise are routine for the first 3 to 4 weeks. Once properly tuned, however, they can be reduced to a rare occurrence. When initially deployed, IntruShield frequently exposes unexpected conditions in the existing network and application configuration. What may at first seem like a false positive might actually be the manifestation of a misconfigured router or Web application, for example. Before you begin, be aware of the network topology and the hosts in your network, so you can enable the policy to detect the correct set of attacks for your environment.
27
Tune your policies
Take steps to reduce false positives and noise from the start. If you allow a large number of noisy alerts to continue to sound on a very busy network, parsing and pruning the database can quickly become cumbersome tasks. It is preferable to all parties involved to put energy into preventing false positives than into working around them. One method may be is to disable all alerts that are obviously not applicable to the hosts you will protect. For example, if you use only Apache Web servers, you may wish to disable IISrelated attacks.
About false positives and noise

The mere mention of false positives always causes concern in the mind of any security analyst. However, false positives may mean quite differently things to different people. In order to better manage the security risks using any IDS/IPS devices, it's very important to understand the exact meanings of different types of alerts so that appropriate response can be applied. With IntruShield, there are three types of alerts which are often taken as false positives: incorrectly identified events correctly identified events subject to interpretation by usage policy correctly identified events uninteresting to the user.
Incorrect identification
These alerts typically result from overly aggressive signature design, special characteristics of the user environment, or system bugs. For example, typical users will never use nested file folders with a path more than 256 characters long; however, a particular user may push the Windows' free-style naming to the extreme and create files with path names more than 1024 characters. Issues in this category are rare. They can be fixed by signature modifications or software bug fixes.
Correct identification; significance subject to usage policy

Events of this type include those alerting on activities associated with Instant Messaging (IM), Internet Relay chat (IRC), and Peer to Peer programs (P2P). Some security policies forbid such traffic on their network; for example, within a corporate common operation environment (COE); others may allow them to various degrees. Universities, for example, typically have a totally open policy for running these applications. IntruShield provides two means by which to tune out such events if your policies deem these events uninteresting. First, you can define a customized policy in which these events are disabled. In doing so, the sensor will not even look for these events in the traffic stream to which the policy is applied. If these events are of interest for most of the hosts except a few, creating alert filters to suppress alerts for the few hosts is an alternative approach.
28
Tune your policies
Correct identification; significance subject to user sensitivity (also known as noise)

There is another type of event which you may not be interested in, due to the perceived severity of the event. For example, IntruShield will detect a UDP-based host sweep when a given host sends UDP packets to a certain number of distinct destinations within a given time interval. Although you can tune this detection by configuring the threshold and the interval according to their sensitivity, it's still possible that some or all of the host IPs being scanned are actually not live. Some users will consider these alerts as noise, others will take notice because it indicates possible reconnaissance activity. Another example of noise would be if someone attempted an IIS-based attack against your Apache Web server. This is a hostile act, but it will not actually harm anything except wasting some network bandwidth. Again, a would-be attacker learns something he can use against your network: the fact that the attack failed can help him zero in on the type of Web server you use. Users can also better manage this type of events through policy customization or installing alert filters. The noise-to-incorrect-identification ratio can be fairly high, particularly in the following conditions: the configured policy includes a lot of Informational alerts, or scan alerts which are based on request activities (such as the All Inclusive policy) deployment links where there is a lot of hostile traffic, such as in front of a firewall overly coarse traffic VIDS definition that contains very disparate applications, for example, a highly aggregated link in dedicated interface mode Users can effectively manage the noise level by defining appropriate VIDS and customize the policy accordingly. For dealing with exceptional hosts, such as a dedicated pentest machine, alert filters can also be used.
Determining a false positive versus noise

Some troubleshooting tips for gathering the proper data to determine whether you are dealing with a false positive or uninteresting event; What did you expect to see? What is the vulnerability, if applicable, that the attack indicated by the alert is supposed to exploit? Ensure that you capture valid traffic dumps that are captured from the attack attempt (for example, have packet logging enabled and can view the resulting packet log) Determine whether any applications are suspected of triggering the alert which ones, which versions, and in what specific configurations. If you intend to work with McAfee Technical Support on the issue, we ask that you provide the following information to assist in troubleshooting: If this occurred in a lab using testing tools rather than live traffic, please provide detailed information of the attack/test tool used, including its name, version, configuration and where the traffic originated. If this is a testing environment using a traffic dump relay, make sure that the traffic dumps are valid, TCP traffic follows a proper 3-way handshake, and so on
29
Tune your policies
Also, please provide detailed information of the test configuration in the form of a network diagram. Create an Evidence Report (within Alert Viewer) with the packet log Be ready to tell Technical Support how often you are seeing the alerts and whether they are ongoing
30
CHAPTER 5
System Fault Messages

Table <> lists the system fault messages visible in the ISM System Health viewer, organized by severity, with Critical messages first, then Errors, then Warnings, then Informational messages. The faults are then listed alphabetically within those categories. This table lists the fault messages you might encounter, their severity, and a description, including information on what action clears the fault. In many cases, the fault clears itself if the condition causing the fault is resolved. In some cases, the fault does not clearyou must acknowledge or delete it to dismiss it.
Critical faults
Critical faults are the highest severity faults and generally indicate a serious issue. See the Action column for potential troubleshooting tips.
Fault
Severity
Description/Cause
Action
Alert update failed
Critical
An attempt to save alerts to the database failed, most likely due to insufficient database capacity. The firmware upgrade has failed on the sensor.
Ensure that the disk space allocated to the database is sufficient, and try the operation again.
Bootloader upgrade failure
Critical
Debug or reload the firmware on the sensor.
Cannot start control channel service (certificate)
Critical
The ISMs certificate is unavailable; this could indicate database corruption.
If you have a database backup file (and think it is not corrupted) you can attempt a Restore. If this does not work, you may need to manually repair the database. Contact McAfee Technical Support. If you have a database backup file (and think it is not corrupted) you can attempt a Restore. If this does not work, you may need to manually repair the database. Contact McAfee Technical Support.
Cannot start control channel service (key store)
Critical
The ISMs key file is unavailable and possibly corrupted. This fault could indicate a database corruption.
31
Critical faults
Fault
Severity
Description/Cause
Action
Cluster software mismatch status
Critical
The software versions on the cluster primary and cluster secondary are not the same. The ISM is unable to communicate with the Update Server. Any connectivity issues with the Update Server will generate this fault, including DNS name resolution failure, Update Server failure, proxy server connectivity failure, network connectivity failure, and even situations where the network cable is detached from the ISM server. The ISM is unable to communicate with the proxy server. (This fault can occur only when the ISM is configured to communicate with a proxy server.)
Debug and upgrade the sensor software.
Communication failure with the Intrushield Update Server
Critical
This fault clears when communication with the Update Server succeeds. If your ISM is connected to the Internet, ensure it has connectivity to the Internet. Contact McAfee Technical Support if you lost your Update Server authentication information.
Communication Critical failure with the proxy server
This fault clears when communication to the Update Server through the proxy succeeds.
Conflict in MDR Status
Critical
Sensor found a conflict with There is a problem with MDR MDR Status; ISM IP address configuration. Check your MDR / MDR status as ... settings.
Conflict in MDR Mode
Critical
Sensor found a conflict with MDR Mode; ISM IP address / MDR status as ...
There is a problem with MDR configuration. Check your MDR settings.
Conflict in MDR Pair IP address
Critical
Sensor found a conflict with MDR-Pair IPAddress; ISMIP address / MDR action.
You may need to correct the MDR configuration
Conflict in MDR IP address type
Critical
Sensor found a conflict with MDR IP AddressType.
You may need to correct the MDR configuration.
Database backup failure
Critical
A manual attempt to backup the database failed.
This can indicate insufficient disk space for storage of the backup file. Check your disk capacity and clear enough space to accommodate the backup file, and then attempt the backup again.
32
Critical faults
Fault
Severity
Description/Cause
Action
Database Connectivity Problems Database System Integrity
Critical
Problems in communicating to the database A warning is displayed: Unable To Locate Index File For Table ISM is not communicating with the database; the alert and packet logs overflowing queues. As with the Approaching alert capacity threshold fault message, this message indicates the percentage of space occupied by alerts in the database. This message appears once you have exceeded the alert threshold specified in ISM > Maintenance. Indicates a failure to create a secure connection between the ISM and the sensor. Can be caused by loss of synchronisms between the system time of the ISM server and the sensor. Can also indicate that the sensor is not completely on-line after a reboot. Communication has timed out between the Fail Open Controller in the sensors Compact Flash port and the Fail Open Bypass Switch. This situation has caused the sensor to move to Bypass mode and traffic to bypass the sensor. This fault indicates whether the sensor peer is up or down.
Check if the database service is running and connectivity is present Repair the corrupt Database tables
Critical
Dropping alerts and packet logs
Critical
Perform maintenance operations to clean and tune the database.
Exceeding alert capacity threshold
Critical
Perform maintenance operations to clean the database. Delete unnecessary alerts, such as alerts older than a specific number of days. Failure to create additional space could cause undesirable behavior in the ISM.
Failed to create command channel association
Critical
Restart the ISM. Check the sensors operating status to ensure that the sensors health is good and status is good.
Fail Open Control Module Timeout
Critical
The fault could be the result of a cable being disconnected, or removal of the Bypass Switch. This fault clears automatically when communication resumes between the Fail Open Controller and Fail Open Bypass Switch.
Failover peer status
Critical
This fault clears automatically when the sensor peer is up.
33
Critical faults
Fault
Severity
Description/Cause
Action
Fan error
Critical
One or more of the fans inside the sensor have failed. For the I-4000 and 4010, the ISM indicates which fan has failed. For the I-2600, the fan number is not specified.
On the I-4000, you can also check the sensors front panel LEDs to see which fan has failed. If a fan is not operational, McAfee strongly recommends powering down the sensor and contacting Technical Support to schedule a replacement unit. In the meantime, you can use an external fan (blowing into the front of the sensor) to prevent the sensor from overheating until the replacement is completed.
Fail-Open Bypass Switch timeout
Critical
The sensor is not This fault indicates that the Bypass communicating with the Fail- Switch did not receive a signal from Open Bypass Switch. the Fail-Open Controller, and could possibly indicate sensor port failure. The connectivity between the sensor and the firewall is down. This fault can occur in situations where, for example, the firewall machine is down, or the network is experiencing problems. Ping the firewall to see if the firewall is available. Kindly contact your IT department to troubleshoot connectivity issues.
Firewall connection failure
Critical
ICC UDS signature synchronization failed
Critical
Port conflict in ICC UDS Free this port for ICC synchronization synchronization. Port to succeed. already in use by UDS. Free this port for ICC synchronization to succeed. The sensor is configured to operate with an external Fail-Open Module hardware component, but cannot detect the hardware. This error applies only to sensors running in in-line mode with a gigabit port in fail-open mode (using the external Fail Open Module). When this fault is triggered, the port will be in bypass mode and will send another fault of that nature to the ISM. When appropriate configuration is sent to the sensor (either the hardware is discovered or the configuration changes), and the sensor begins to operate in in-line-fail open mode.
Illegal In-line, FailOpen configuration
Critical
34
Critical faults
Fault
Severity
Description/Cause
Action
Incompatible UDS signature
Critical
A user-defined signature (UDS) is incompatible with the current signature set.
You will need to edit your existing UDS attacks to make them conform to the new signature set definitions. Bring up the UDS Editor (Policies > Policies > UDS) and manually performing the edit / validation. This fault clears when a subsequent UDS compilation succeeds.
Invalid SSL decryption key
Critical
The sensor detects that a particular SSL decryption key is no longer valid; for example, it may be failing to decrypt traffic. Unsupported configuration upgrade/downgrade, default configurations are used. Indicates that your IntruShield license is about to expire; this fault first appears 7 days prior to expiration. Indicates that your IntruShield license has expired.
Re-import the key (which is identified within the error message). The fault will clear itself when the key is determined to be valid. This is an internal error. Check the sensor status to see that the sensor is online and in good health. Contact licensing@mcafee.com for a current license. This fault clears when the license is current. Contact licensing@mcafee.com for a current license. This fault clears when the license is current. Contact your IT department to troubleshoot connectivity issues: check the cabling of the specified Monitoring port and the device connected to it; check the speed and duplex mode of the connection to the switch or router to ensure parameters such as port speed and duplex mode are set correctly; check power to the switch or router. This fault clears when communication is re-established.
Image downgrade detected Licence expires soon
Critical
Critical
Licence expired
Critical
Link failure
Critical
The link between a Monitoring port on the sensor and the device to which it is connected is down, and communication is unavailable. The fault indicates which port is affected.
Low JVM Memory
Critical
The ISM is experiencing high memory usage. Available system memory is low. The ISM is experiencing high memory usage. Available system memory is low.
Reboot the ISM server.
Low Tomcat JVM Memory
Critical
Reboot the ISM server.
35
Critical faults
Fault
Severity
Description/Cause
Action
MPE Certificate download failure
Critical
Cannot push MPE Certificate to sensor. See log for details
Occurs when the Manager cannot push the MPE Certificate to a sensor. This could result from a network connectivity issue For more information on using Fully Qualified Domain Name, see Foundstone Installation, Administrative Domain Configuration Guide.
On-demand scan failed because connection was refused to FoundScan engine Packet log update failed
Critical
This fault can be due to two reasons- the user has not specified the Fully Qualified Domain Name OR the FoundScan engine is shutdown. An attempt to save packet log data to the database failed, most likely due to insufficient database capacity. This fault could indicate a problem with the setup or configuration of the 10/100 Ethernet ports or devices connected to those ports. It could also indicate a compatibility issue between the sensor and the device to which it is connected. There is a mismatch in the media or connector type on the port that says "copper and uses fiber or vice versa". There is a mismatch in the McAfee Certified SFP. The configuration says 'use McAfee certified', but the SFP is not McAfee certified. This fault indicates that the indicated GBIC ports are unable to remain in In-line Mode as configured. This has caused fail-open control to initiate and the sensor is now operating in Bypass Mode. Bypass mode indicates that traffic is flowing through the Fail Open Bypass Switch, bypassing the sensor completely.
Critical
Ensure that the disk space allocated to the database is sufficient, and try the operation again.
Port late collision
Critical
The sensor may be detecting an issue with another device located on the same network link. Check to see if there is a problem with one of the other devices on the same link as the sensor. This situation could cause traffic to cease flowing on the sensor and may require a sensor reboot.
Port media type mismatch
Critical
Replace the media according to the configured value.
Port certification mismatch
Critical
Replace with a McAfee certified SFP.
Port pair is in Bypass Mode
Critical
Check the health of the sensor and the indicated ports. Check the connectivity of the Fail Open Control Cable to ensure that the Fail Open Control Module can communicate with the Fail Open Controller in the sensors Compact Flash port.
36
Critical faults
Fault
Severity
Description/Cause
Action
Port pair back to In- Critical line, Fail-Open Mode
Sensor is back to In-line, Fail-Open Mode
This message indicates that the ports have gone from Bypass Mode back to normal. If the power supply is in place and plugged in to a power source, check power to the outlet providing power to the power supply. If the fault indicates that there is no power and a power interruption is not the cause, replace the failed power supply. Contact McAfee Technical Support to schedule a replacement unit.
Power supply error
Critical
(Seen only with sensors with a redundant power supply). This fault indicates a loss of power in one of the two power supplies in the sensor (primary or secondary). This fault can indicate that the power supply has failed; that supply has been inserted, but there is no power to the supply; or that the power supply has been removed. This message indicates that the vulnerability data import by the Scheduler from Foundstone database has failed.
Scheduled Foundstone vulnerability data import failed
Critical
Sensor changes to a Critical different model
A sensor was replaced with a different model type (for example, an I-1200 was replaced with an I-1200-FO (failover only) sensor). The alert channel will be unable to make a connection. The ISM cannot push original sensor configuration to sensor during sensor reinitialization, possibly because the trust relationship is lost between ISM and sensor. This can also occur when a failed sensor is replaced with a new unit, and the new unit is unable to discover its configuration information.
When replacing a sensor, ensure that you replace it with an identical model (for example, replace an I-1200 with an I-1200, do not attempt to replace a regular sensor with a failover-only model, and vice-versa). The link between ISM and sensor may be down, or you may need to reestablish the trust relationship between sensor and ISM by resetting the shared key values.
Sensor configuration Critical download failure
37
Critical faults
Fault
Severity
Description/Cause
Action
Sensor discovery failure
Critical
The sensor failed to discover its configuration information, and thus is not properly initialized. Typically, the ISM will be unable to display the sensor. Could indicate an old sensor image on the sensor.
If this fault is triggered because the sensor is temporarily unavailable, the ISM will clear this fault when the sensor is back on-line. If the fault persists, check to ensure that the sensor has the latest software image compatible with the ISM software image. If the images are incompatible, update the sensor image via a TFTP server. You must manually clear this fault. This error may cause a reboot of the sensor, which may resolve the issue causing the fault. If the fault persists, McAfee recommends that you perform the following steps to help assist McAfee Technical Support with troubleshooting: execute a logstat on the sensor as described in the sensor CLI command reference, perform a Diagnostic Trace as described in Uploading a diagnostics trace from a sensor to your ISM, Sensor Configuration Guideusing ISM, and submit the trace file to Technical Support for troubleshooting.
Sensor internal configuration error
Critical
An internal communication error occurred within the sensor.
Sensor model has changed
Critical
A sensor has been replaced with a different model (for example, an I-4000 sensor and I-4010 sensor has been replaced by an I-2600 sensor, or a regular sensor is replaced by a failover model). User-configured SSL decryption settings for a particular sensor changed, requiring a sensor reboot.
A sensor can be replaced only by a similar model. Check to ensure that the configuration information matches the model type. For instructions on replacing a sensor, see Replacing a Sensor, Sensor Configuration Guide using CLI. Reboot the sensor to cause the changes to take effect.
Sensor reboot Critical required for SSL decryption configuration change
38
Critical faults
Fault
Severity
Description/Cause
Action
Sensor re-discovery failure
Critical
This fault occurs as a second part to the Sensor discovery failure fault. If the condition of the sensor changes such that the ISM can again communicate with it, the ISM again checks to see if the sensor discovery was successful. This fault is issued if discovery fails, and thus the sensor is still not properly initialized.
Check to ensure that the sensor has the latest software image compatible with the ISM software image. If the images are incompatible, update the sensor image via a TFTP server.
Sensor reports a signature set error
Critical
Indicates that an error has occurred with a signature set that has been successfully applied on a sensor.
Re-import the signature set onto the sensor. This can indicate a problem within the signature set itself that was not detected during download; if reimporting the same set does not solve the problem, providing a new signature set may clear the fault. If this does not solve the issue, reboot the sensor. If the fault persists, contact Technical Support. The fault will clear when the signature set is successfully applied on the sensor and continues to be error-free after application.
Sensor switched to Layer2 Bypass mode
Critical
Sensor is now operating in Layer2 Bypass mode. Intrusion detection/prevention is not functioning
The sensor has experienced multiple errors, surpassing the configured Layer2 mode threshold. Check the sensor's status
Sensor switched to Layer 2 mode
Critical
The sensor has moved from The sensor will remain in Layer 2 detection mode to Layer 2 mode until Layer 2 is disabled and (Passthru) mode. This the sensor is rebooted indicates that the sensor has experienced the specified number of errors within the specified timeframe and Layer 2 mode has triggered.
39
Critical faults
Fault
Severity
Description/Cause
Action
Sensor is unreachable
Critical
Indicates that the sensor cannot communicate with the ISM, indicating that the connection between the sensor and the ISM is down, or that the sensor has been administratively disconnected.
Contact your IT department to troubleshoot connectivity issues: check that a connection route between the ISM and the sensor exists; check the sensors status using the status command in the sensor command line interface or ping the sensor or the sensor gateway to ensure connectivity to the sensor. This fault clears when the ISM detects the sensor again.
Signature set update Critical not successful
The attempt to update the A valid signature set must be present signature set on the ISM before any action can be taken in was not successful, and thus IntruShield. signature set is not available in the ISM. Occurs when the ISM cannot push the signature set file to a sensor. Could result from a network connectivity issue. Indicates a recoverable software error within the sensor. Contact your IT department to troubleshoot connectivity issues: check that a connection route between the ISM and the sensor. This error may cause a reboot of the sensor, which may resolve the issue causing the fault. If the fault persists, McAfee recommends that you perform the following steps to help assist McAfee Technical Support with troubleshooting: execute a logstat on the sensor as described in the sensor CLI command reference, perform a Diagnostic Trace as described in the Sensor Configuration Guideusing ISM, and submit the trace file to Technical Support for troubleshooting.
Signature set download failure
Critical
Software error
Critical
Signature set update Critical not successful
The attempt to update the signature set on the ISM was not successful, and thus signature set is not available on the ISM.
You must re-import a signature set before performing any action on the ISM. A valid signature set must be present before any action can be taken in IntruShield. Contact your IT department to troubleshoot connectivity issues: check that a connection route between the ISM and the sensor.
SSL decryption key download failure
Critical
Occurs when the ISM cannot push a decryption key file to a sensor. Could result from a network connectivity issue.
40
Critical faults
Fault
Severity
Description/Cause
Action
The ISM is not reachable
Critical
Indicates that the IntruShield Command Center and ISM cannot communicate each other, the connection between these two may be down, or the ISM has been administratively disconnected.
1) Check that a connection route exists between the IntruShield Command Center and the ISM. 2) Access the ISM/IntruShield Command Center directly. This fault clears when the ISM detects the sensor again.
Temperature error
Critical
Indicates that the temperature of the sensor is abnormal. The sensor will raise a temperature alert when the internal temperature of the sensor crosses 50 degrees Centigrade. The fault is removed only when the temperature falls below 40 degrees Centigrade.
Check for a Fan Status fault, and also check the sensors front panel LEDs to see if the sensors fans are operational. If a fan is not operational, McAfee strongly recommends contacting Technical Support as soon as possible to schedule a replacement unit. In the meantime, you can use an external fan (blowing into the front of the sensor) to prevent the sensor from overheating until the repair is completed. If a fan is not the issue, please ensure that the room where the sensor is located cool enough for the sensor to operate without overheating.
VIDS creation failure Critical
This fault generally occurs in situations where the port in question is configured incorrectly. For example, a pair of ports is configured to be in different operating modes (1A is in-line while 1B is in SPAN). An IntruShield sensor sends this fault to ISM when it is not able to communicate with the McAfee NAC server to which it has been configured.
Check the configuration of the port pair to see if there is an inconsistency, and make the port pair run in the same operating mode.
IntruShield Sensor McAfee NAC Server Communication Status
Critical
Check the Condition Type field in the Fault Detail page to know the probable reason for this communication failure.
41
Critical faults
Fault
Severity
Description/Cause
Action
The Manager <ISM Critical name><IP address> is not reachable
No communication exists between ICC and ISM.
Indicates that the ICC server and ISM cannot communicate with each other. The connection between these two may be down, or ICC has been administratively disconnected. 1) Check that a connection route exists between the ICC and ISM; 2) Access the ISM directly. This fault clears when the ISM detects the sensor again.
Trust request has failed
Critical
No communication exists between ICC and ISM. ICC may not be configured. ISM failed to establish trust with ICC server. ICC could not be configured onto ISM or ICC server is not reachable.
Indicates that the ICC and ISM cannot communicate with each other. The connection between these two may be down, or ICC has been administratively disconnected.
The ISM IP address is not configured.
Check whether ISM is configured in ICC.
ICC may already been configured with an ISM.
Delete the previous configuration and establish a new trust with ICC.
Bring any ICC MDR pair into Active state. The ICC is in MDR mode and no Manager is in Active state. Check the log for details. The trust request failed due an internal error.
42
Error faults
Fault
Severity
Description/Cause
Action
The Manager <ISM Critical name> has moved to MDR mode, and this manager cannot handle the change
The ICC server is in Standby mode. The ISM server which is configured by ICC goes into secondary Standby mode after MDR creation or before data dump from primary to secondary takes place. The ISM server configured by ICC is in Active mode but is in a disconnected state and therefore cannot communicate with ICC. If ISM is reconnected and ICC is in Standby mode, then the Peer ICC does not have ISM configuration.
If the ICC server has moved to Standby ,then the ICC with latest ISM information is moved to Active mode or recreate MDR pair. If the ISM has moved to Standby, then make the ISM with ICC information as Active or make sure that active ICC or ISM has latest configuration data.
The Manager <ISM Critical name> has moved to MDR mode, and this manager cannot handle the change
The ISM server is in Standby mode(MDR action) and active peer ISM does not have ICC information
If the ISM server has moved to Stand by ,then make ICC with latest ISM information as Active or reform MDR; if the ISM has moved to Standby, then make the ISM with ICC information as Active or make sure that active ICC or ISM has latest configuration data. Dissolve and recreate an MDR pair.
There is conflicts in the MDR configuration for the Manager <name>.
Critical
The configuration between an existing MDR pair (ISM 1 and ISM 2 - both ISMs are ICC configured) is disabled and a new MDR pair configuration has been created with ISM 2 and ISM 3. ISM 2 is in Standby mode and ISM 3 does not have ICC configuration.
The Manager info is deleted
Critical
If two ISMs, ISM 1 and ISM The Standby ISM information is 2 are configured to ICC, and deleted from ICC. MDR pair has to be established between them, then, ICC considers the active ISM configuration. The Standby ISM information is deleted from ICC.
Error faults
The faults listed in the following table have a severity of Error.
43
Error faults
Fault
Severity
Description/Cause
Action
Alert channel is down
Error
Indicates a failure to communicate with the sensor via the channel on which the ISM listens for sensor alerts. Displays the percentage of space occupied by alerts in the database. As available space decreases, this message will continue to appearat 50%, 70%, 90% and 100%. Once youve exceeded this threshold, an Exceeding fault will appear.
This fault clears when the alert channel is back up.
Approaching alert capacity threshold
Error
Please perform maintenance operations to clean the database. Delete unnecessary alerts, such as alerts older than a specific number of days.
Firewall filter Error application error
Error, while applying firewall filter. An attempt to apply this firewall filter from the sensor to the firewall has failed.
Check your firewall configuration. If possible, increase the maximum number of available filters. Ensure connectivity between the Sensor and the firewall.
Get peer DoS profile failure
Error
The ISM was unable to obtain the requested profile from a peer sensor. This was likely due to the requested profile or a valid, saved version being unavailable The ISM is unable to accept more incidents. You have reached the maximum number of incidents that can be accepted by the ISM. Sensor is dropping packets due to extreme traffic load
See the ems.log file for details on why the error is occurring. The fault will clear when the ISM is able to obtain a valid DoS profile.
Incident update failed
Error
Delete old incidents to provide room for incoming incidents. The fault clears when the ISM can accept incoming incidents.
Internal packet drop error
Error
Mailer unreachable
Error
This fault indicates that the SMTP mailer host is unreachable, and occurs when the ISM fails to send an email notification or a scheduled report.
This fault clears when an attempt to send the email is successful.
44
Error faults
Fault
Severity
Description/Cause
Action
Packet log Error channel is down
Indicates a failure to communicate with the sensor via the channel on which the ISM receives packet logs.
This fault clears when the pktlog channel is back up.
Put peer DoS profile failure
Error
The sensor was unable to push See the ems.log file for details on a requested profile to the ISM. why the error is occurring. The fault will clear when the sensor is able to push a valid DoS profile. The ISM alert queue has reached its maximum size (default 200,000 alerts), and is unable to process alerts until there is space in the queue. Packets are being detected by your sensor(s) faster than the ISM can process them. This is evidence of extremely heavy activity. Check the packets you are receiving to see what is causing the heavy traffic on the sensor. Also see the suggested actions for the alert Unarchived, queued alert count full.
Queue size full
Error
Scheduled realtime update from Update Server to ISM failed
Error
This fault can indicate problems This fault clears when a signature with network connectivity update is applied successfully. between the Update Server and the ISM, invalid update sets, or update sets that were not properly signed.
Scheduled realtime update from Update Server to ISM failed
Error
Unable to make scheduled update of ISM signature sets. This fault can indicatefor example, problems with network connectivity between the Update Server and the ISM or between the ISM and the sensor; invalid update sets; or update sets that were not properly signed.
This fault clears when a signature update is applied successfully.
Scheduled update from ISM to sensor failed
Error
Unable to make scheduled This fault clears when an update is update of sensor. This fault can sent to sensor successfully. indicatefor example, problems with network connectivity between the ISM and the sensor, incompatibility between the update set and the ISM software, compilation problems with the signature update set, or invalid update set.
45
Error faults
Fault
Severity
Description/Cause
Action
Sensor is in bad Error health
This fault occurs with any type of sensor software failure, and usually occurs in conjunction with a Software error fault.
If this fault persists, McAfee recommends that you execute a logstat from the sensor CLI twice (1 minute apart), then perform a Diagnostic Trace and submit the trace file to McAfee Technical Support for troubleshooting. Ensure that the sensor is online and in good health. The ISM will make another attempt to push the file to the sensor. This fault is cleared when the avdat file is successfully pushed to the sensor.
Sensor reports a anti-virus dat file error
Error
The sensor has detected an error on av-dat file segment
Sensor reports that the packet log channel is down
Error
Sensor reports Pktlog channel between the EMS and sensor is DOWN, but the EMS detects that the link(socket) is up. This inconsistency may cause by channel heartbeat timeout.
The sensor will typically recover on its own. If you are receiving alerts and your sensor is otherwise functioning normally, you can ignore this message. Check to see if trust is established between the sensor and ISM, by issuing a show command in the sensor CLI. The sensor will typically recover on its own. If you are receiving alerts with packet logs and your sensor is otherwise behaving normally, you can ignore this message. Check to see if trust is established between the sensor and ISM by issuing a show command in the sensor CLI. If this fault persists, contact McAfee Technical Support.
Sensor reports Error that the alert channel is down
This fault indicates that the sensor is reporting that the alert channel is down, but the physical channel is actually up.
Sensor reports an out-of-range configuration
Error
The ISM received a value from the sensor that is invalid. The additional text of the message contains details.
This fault does not clear automatically; it must be cleared manually. Contact McAfee Technical Support for assistance.
Sensor configuration update failed
Error
The sensor configuration Please see ems.log file to isolate update failed to be pushed from reason for failure. the ISM Server to the sensor.
46
Error faults
Fault
Severity
Description/Cause
Action
SSL decryption key invalid
Error
The ISM detects that a particular SSL decryption key is no longer valid. The detailed reason why the fault is occurring is shown in the fault message. These reasons can range from the sensor reinitializing itself with a different certificate to an inconsistency between the decryption key residing on a primary sensor and its failover peer sensor. Maintenance is not able to clean alerts and packet logs
Re-import the key (which is identified within the error message). The fault will clear itself when the key is determined to be valid.
Unable to clean alerts and packet logs Unarchived, queued alert count full
Error
Error
Indicates that the ISM has reached the limit (default of 100,000) of alerts that can be queued for storage in the database. Also indicates the number of dropped alerts.
Alerts are being detected by your sensor(s) faster than the ISM can process them. This is evidence of extremely heavy activity. Try the following: Check the alerts you are receiving to see what is causing the heavy traffic on the sensor(s). You may be under a heavy attack. Check your policies. You may have enabled a very verbose policy (for example, All-Inclusive with Audit) which is causing too many alerts/packet logs to be sent to the ISM, or packet logging is excessive (for example, packet logging is enabled for entire flow for all alerts). Your ISM server may not have sufficient disk space/processing power to accommodate the number/rate of alerts your sensors are generating. Rectify the situation in your policies and let the queue drain and write to the database.
Unarchived, queued packet log count full
Error
Indicates that the ISM has reached the limit (default of 100,000) of packet logs that can be queued for storage in the database. Also indicates the number of dropped packet logs.
See the suggestions for the fault Unarchived, queued alert count full.'
47
Warning faults
Warning faults
The faults listed in the following table have a severity of Warning.
Fault Severity Description/Cause Action
Attempt to disable failover failed
Warning
The ISMs attempt to disable failover on the sensor failed. This is likely due to the sensor being unavailable, or down.
Ensure that the sensor is on-line. The ISM will make another attempt to disable failover when it detects that the sensor is up. The fault will clear when the ISM is successful. Shutdown the ISM and execute the Database Tuning Utility at the earliest
DB Tuning Required
Warning
Database Tuning is needed. "..." days have passed since the last database tuning.
Disabled scheduled Report Template
Warning
Report Generation has failed for Schedule Report Template due to unavailability of resource(s) in the ISM. Failed to backup Policy.
Edit and save the disabled template in Report Generation.
Failed to backup IDS Policy
Warning
Delete previous versions or please contact technical support or local reseller.
Failed to backup Recon Policy
Warning
Failed to backup Policy.
Delete previous versions or please contact technical support or local reseller.
Firewall connection status inconsistent on failover sensor pair
Warning
The firewall connection
Ensure that both sensors of the failover pair are connected to the firewall and status on the failover pair is that both sensors are online and in good inconsistent. This may cause health. the firewall function to be inconsistent for the pair.
48
Warning faults
Fault
Severity
Description/Cause
Action
Initiating Audit Log Warning file rotation
The Audit Log capacity of the ISM was reached, and the ISM will begin overwriting the oldest records with the newest records (i.e. first in first out). The fault indicates the number of records that have been written to the audit log; and equal number of audit log records are now being overwritten.
This fault will be raised after a configured number of records written. No action is required. The capacity is configured in the iv_emsproperties table in MySQL; this option can be turned off. If this feature is enabled, when disk capacity is reached or audit log capacity is reached, then Audit Log rotation is initiated.
ISM shutdown was not graceful
Warning
The ISM experienced an abrupt shutdown, such as a crash.
Perform database tuning (dbtuning) to fix possible database inconsistencies that may have resulted. Tuning may take a while, depending on the amount of data currently in the database. Uninstall and try to update the McAfee NAC- installation-related configuration.
McAfee NAC channels are already Installed
Warning
This warning denotes the failure to update the McAfee NAC-installation-related configuration. Pluggable interface in port.
Pluggable interface certification status
Warning
Pluggable interface absent
Warning
Pluggable interface in port.
Policy Synchronization aborted because concurrent processes are running on the ISM Server
Warning
Unable to synchronize policy due to concurrent processes are running on the ISM Server.
Policy Synchronization aborted because concurrent processes are running on the ISM Server.
49
Warning faults
Fault
Severity
Description/Cause
Action
Problems Warning Communicating to Database: Syntax error or access violation: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '<text>')' at line 1
In McAfee ISM 1.8 or 1.9 it was possible to enter an apostrophe when creating an Alert Filter. However in version 2.1 having an apostrophe in the Alert Filter became invalid. Any attempt in the McAfee ISM 2.1 to add an apostrophe will prompt the user with a popup error warning that invalid characters were entered. You may be unable to push updated policies to sensors. After a policy update, the ISM still shows a policy update is required.
You must delete the alert filter with the apostrophe and recreate it without an apostrophe. To delete an alert filter: In the ISM, click on the <Domain Name> which has the error. Click the Policies node. It is not already selected, click the Policies tab. Click Alert Filter Editor. In the Alert Filter Name section, select the alert filter with the apostrophe. Click Delete. A Confirmation dialog box displays with the question, Do you want to delete the selected item? Click Yes. The alert filter no longer displays in the list.
Physical configuration changed
Warning
This warning could be caused by the physical configuration of the MFA chassis changing. This occurs when the sensor connects to the ISM with a different physical configuration.
Signature segments out of sync
Warning
An attempt to update the signature set on both sensors of a failover pair was unsuccessful for one of the pair, causing the signature sets to be out of sync on the two sensors.
The ISM will make another attempt to automatically push the signature file down to the sensor on which the update operation failed. Ensure that the sensor in question is online and in good health. The fault will clear when the ISM is successful. If the operation fails a second time, a Critical Signature set download failure fault will be shown as well. Both faults will clear when the signature set is successfully pushed to the sensor.
Scheduled backup Warning failed
Unable to make a scheduled backup of the ISM Configuration. This fault can indicate problems such as SQL exceptions, database connectivity problems, or outof-disk space errors.
Check your Backup configuration settings. This fault clears when a successful backup is made.
50
Informational faults
Fault
Severity
Description/Cause
Action
Sensor not initialized
Warning
The sensor is not properly initialized. Either it is in the process of starting up and is not ready, or the signature set is missing on the sensor.
The sensor may have just been rebooted and is not up yet. Wait a few minutes to see if this is the issue; if not, check to ensure that a signature set is present on the sensor. A resetconfig command may have been issued, and the sensor not yet been reconfigured.
Sensor power up
Warning
The sensor has just This message is informational. completed booting and is onAcknowledge or delete the fault to clear line. it. The ISM was unable to update the decryption key on one sensor in a failover pair, causing the key on one sensor to be out of sync with the one on its failover peer System startup restored alerts from the archive file. Alert Manager may not show all alerts. The ISM will make another attempt to update the key. Ensure that the sensor is online and in good health. The fault will clear when the ISM successfully pushes the key to the sensor and both keys are in sync. Alert Manager may not show all alerts.
SSL decryption keys out of sync
Warning
System startup in progress; alerts being restored
Warning
`The faults listed in the following table are Informational in nature. These faults indicate system status, for example. An Action type of n/a indicates that no action is required-the message is informational.
Fault
Severity
Description/Cause
Action
Alert archival in progress Alert Archival state has changed Cluster software initialization status Conflict in MDR Pair IP address
Informational Informational Informational
ISM is archiving the alerts, and this is in progress The alert archival process has started. Sensor software has initialized correctly Sensor found a conflict with MDR pair IP address; ISM IP address / MDR status as ... Daily scheduled report generation process successfully completed
Wait for the Alert archival to complete n/a n/a
Informational
There is a problem with MDR configuration. Check your MDR settings. n/a
Daily scheduled report generation complete
Informational
51
Fault
Severity
Description/Cause
Action
Daily scheduled report generation in progress Data dump retrieval from peer has been completed successfully Data dump retrieval from peer is in progress Database archival in progress
Informational
Daily scheduled report generation process in progress
n/a
Informational
n/a
Informational Informational The database archival process is in progress.
n/a Do not attempt to tune the database or perform any other database activity such as a backup or restore until the archival process successfully completes. n/a
Database archival successful Database backup failure.
Informational Informational
The database archival was successful.
Unable to backup database This message indicates tables. that an attempt to manually back up the database backup has failed. The most likely cause of failure is insufficient disk space on the ISM server; the backup file may be too big. Check your disk capacity to ensure there is sufficient disk space, and try the operation again. A manual or scheduled Do not attempt to tune database backup process is the database or perform in progress. any other database activity such as an archive or restore until the backup process successfully completes. The database backup was successful. n/a
Database backup in progress.
Informational
Database backup successfully completed
Informational
52
Fault
Severity
Description/Cause
Action
Database tuning in progress
Informational
The database tuning process is in progress.
The user cannot do the following operations during tuning process (1) Viewing / Modifying alerts from alert viewer (2) Generating IDS reports on alerts (3) Backing up / Restoration of all tables OR alert and packet log tables. (4) Archiving alerts and packet logs into files Shutdown the ISM and execute the Database Tuning Utility at the earliest
Database Tuning Required
Informational
Database Tuning is needed. "..." days have passed since the last database tuning.
Database tuning successful Deleted ICC Policy is applied on resources
Informational
The database tuning process successfully completed. Policy <policy name> is applied on resources. Creating clone <policy name> before delete.
n/a
Informational
Deleted ICC policy is applied to components.
ISM Request is not from Informational Trusted IP Address
The ISM Request is not from Trusted IP Address.
Ensure the Peer ISM is not already in MDR with other Manager.
ISM version mismatch. Primary ISM has latest version
Informational
The two ISMs in an MDR Ensure the two ISMs run configuration must have the the same software same ISM software version version. installed. The Primary ISM software is more recent than that of the Secondary ISM.
53
Fault
Severity
Description/Cause
Action
ISM version mismatch. Secondary ISM has latest version
Informational
The two ISMs in an MDR Ensure the two configuration must have the Managers run the same same ISM software version software version. installed. The Secondary ISM software is more recent than that of the Primary ISM. An IntruShield-defined UDS has been incorporated in a new signature set and has been removed from the UDS Editor. This message is informational and indicates that an emergency McAfeeprovided UDS signature has been appropriately overwritten as part of a signature set upgrade.
IntruShield-defined UDS Informational overridden by signature set.
MDR manual switchover successful; Secondary ISM is in control of sensors
Informational
Manager Disaster Recovery n/a initiated via a manual switchover, is successfully completed. Secondary ISM is now in control of sensors.
MDR automatic switchover has been completed; Secondary ISM is in control of sensors
Informational
Manager Disaster Recovery switchover has been completed; the Secondary Manager is in control of sensors.
Failover has occurred; the Secondary ISM is now in control of the sensors. Troubleshoot problems with the Primary ISM and attempt to bring it online again. Once it is online again, you can switch control back to the Primary.
MDR configuration information retrieval from Primary ISM successful
Informational
Manager Disaster Recovery n/a Secondary ISM has successfully retrieved configuration information from the Primary ISM. Manager Disaster Recovery n/a is completed via a manual switchover. Secondary ISM is now in control of sensors. Manager Disaster Recovery n/a has been cancelled Manager Disaster Recovery n/a has been successfully configured
MDR force switch has been completed; Secondary ISM is in control of sensors MDR has been cancelled MDR has been configured
Informational
Informational
Informational
54
Fault
Severity
Description/Cause
Action
MDR operations have been resumed
Informational
Manager Disaster Recovery n/a functionality has been resumed. Failover functionality is again available. Manager Disaster Recovery n/a functionality has been suspended. No failover will take place while MDR is suspended. Manager Disaster Recovery n/a switchback has been completed; the Primary ISM has regained control of sensors. No Syslog server has been configured to accept ACL logs for the Admin Domain <Admin Domain Name>. Configure a Syslog server This message will appear until a Syslog server has been configured for use in forwarding ACL logs. n/a
MDR operations have been suspended
Informational
MDR switchback has been completed; Primary ISM is in control of sensors
Informational
No Syslog Forwarder configured
Informational
Packet Log Archival state has changed
Informational
Packet Log archival in progress
Informational
ISM is archiving the Packet Logs
Kindly wait for the Packet Log archival to complete.
Problem retrieving the data dump from peer
Informational
The data import process is aborted as there was a problem while retrieving the dump from peer. This fault is generated for MDR pairs.
Check whether the peer ISM machine is reachable from this machine
Real-time signature file Informational update from ISM to Sensor(s) is in progress
A real-time signature file update to sensor(s) is in progress. This action is attempted after a scheduled signature set update to the ISM, and if real-time signature file updates are enabled.
n/a
55
Fault
Severity
Description/Cause
Action
Real-time signature file update from ISM to Sensor(s) successful
Informational
A real-time signature file update to sensor(s) is successful. This action is attempted after a scheduled signature set update to the ISM, and if real-time signature file updates are enabled. Report creation successfully complete Report generation process in progress
n/a
Report creation complete Report generation in progress
n/a n/a
Reset to standalone has Informational been invoked; Primary ISM is in control of sensors Reset to standalone has Informational been invoked; Secondary ISM is in control of sensors Reset to standalone has Informational been invoked; This Manager is in control of sensors Reset to standalone has Informational been invoked; Peer ISM is in control of sensors
A Reset to Standalone has been invoked; the Primary ISM is standalone and is in control of sensors
n/a
A Reset to Standalone n/a has been invoked; the Secondary ISM is standalone and is in control of sensors A "Reset to Standalone" has been invoked; the current ISM is standalone and in control of sensors. n/a
A "Reset to Standalone" n/a has been invoked; the Peer ISM is standalone and in control of sensors. Unable to create backup for This fault indicates scheduled database problems such as SQL exceptions, database connectivity problems, or out-of-disk space errors. Check your backup configuration settings. This fault clears when a successful backup is made.
Scheduled backup failed
Informational
Scheduled signature set Informational download from Update Server to ISM in progress
A scheduled signature set update is in the process of downloading from the McAfee Update Server to the ISM server
n/a
56
Fault
Severity
Description/Cause
Action
Scheduled signature set Informational download from Update Server to ISM is successful Scheduled signature file Informational update from ISM to sensor(s) is in progress
A scheduled signature set download from the McAfee Update Server to the ISM server is Successful. A scheduled signature file update from the ISM to sensor(s) is in progress.
n/a
n/a
Scheduled signature file Informational update from ISM to Sensor(s) successful Scheduler - Signature download from ISM to Sensor failed Informational
A scheduled signature file update from the ISM to sensor(s) is successful. Scheduler - Signature download from ISM to Sensor has failed
n/a
n/a
Sensor configuration update failed
Informational
Sensor configuration update failed while transferring from the ISM server to the sensor. A sensor configuration update is in the process of being pushed from the ISM server to the sensor.
n/a
Sensor configuration update in progress
Informational
n/a
Sensor configuration update successful
Informational
Sensor configuration n/a update successfully pushed from the ISM server to the sensor. The ISM is attempting to discover the sensor. Sensor software image failed to download from the McAfee Update Server to the ISM server. n/a n/a
Sensor discovery is in progress Sensor software image download failed
Sensor software image download in progress
Informational
Sensor software image is in n/a the process of downloading from the McAfee Update Server to the ISM server. Sensor software image successfully downloaded from the McAfee Update Server to the ISM server. n/a
Sensor software image download successful
Informational
57
Fault
Severity
Description/Cause
Action
Sensor software image or signature set import in progress
Informational
A sensor software image or n/a signature set file is in the process of being imported from the McAfee Update Server to the ISM server. A sensor software update is n/a in the process of being pushed from the ISM Server to the sensor. Sensor software update is successfully pushed from the ISM Server to sensor. n/a
Sensor software update Informational is in progress
Sensor software update Informational successful
Signature set download successful
Informational
Signature set successfully downloaded from the McAfee Update Server to the ISM server.
n/a
Signature set update failed
Informational
Signature set update failed while transferring from the ISM server to the sensor. A signature set is in the process of being pushed from the ISM server to the sensor. The attempt to update the signature set on the ISM was not successful, and thus no signature set is available on the ISM.
n/a
Signature set update is in progress
Informational
n/a
Signature set update not successful.
Informational
You must re-import a signature set before performing any action on the ISM. A valid signature set must be present before any action can be taken in IntruShield. n/a
Switchback has been completed, the primary ISM has got the control of sensors now System startup in process; alerts being restored
Informational
Informational
Alert Manager may not show all alerts.
You need to restart ISM, to view the restored alerts in Alert Manager.
58
Fault
Severity
Description/Cause
Action
Syslog Forwarder is not Informational configured for the Admin Domain: <Admin Domain Name> to accept the ACL logs. The Sensor to ISM communication IP do not match with the peer ISM's peer IP configured in the MDR set up. Informational
ACL logging is enabled, but Configure a Syslog no Syslog server has been server to receive configured to accept the log forwarded ACL logs. messages. The Sensor to ISM communication IP does not match with the peer ISM's peer IP. The peer IP configured in the peer ISM is the IP of this ISM, and this IP should match with the Sensor- ISM Communication IP set in this ISM during installation. Ensure that the sensorISM communication IP matches with the peer ISM's peer IP in MDR configuration.
The MDR pair is changed, <ISM name>
Informational
ICC has a MDR pair Dissolve and recreate an created and the ISM is in MDR pair. disconnected mode.If ICC MDR pair is dissolved, and recreated,making the existing primary manager as secondary manager and existing secondary manager as primary manager,the fault is raised . One or more UDS is in the process of being exported from the UDS Editor to the ISM server. n/a
UDS export to the ISM in progress
Informational
UDS export to the ISM successful
Informational This message indicates that the vulnerability data import from Foundstone database is successful. For more information on importing vulnerability data reports in ISM, see Importing Vulnerability Scanner Reports, Policies Configuration Guide.
n/a
Vulnerability data import Informational from Foundstone database was successful
Weekly scheduled report generation complete Weekly scheduled report generation in progress
Informational
Weekly scheduled report generation process successfully completed Weekly scheduled report generation process in progress
n/a
Informational
n/a
59
M-series sensor faults
M-series sensor faults

Fault Severity Description/Cause Action
<Port name> configured media type is <Optical / Copper / Unknown>, inserted media type is <Optical /Copper /Unknown>. <Port name> McAfee Certified pluggable interface status is <Matched /Mismatched>.
Critical
This fault occurs when there is a mismatch between the configured port media type and the inserted port media type.
Configure the correct port media type.
Critical
This fault occurs when Configure the correct port. there is a mismatch while using a McAfee certified pluggable interface status port with a non McAfee certified pluggable interface status port. This fault occurs when the scheduled report template is disabled. Enable and save the template to generate the report.
Report Generation Warning failed for Schedule Report Template <template name> due to unavailability of resource(s) in ISM. Sensor <sensor Informational name> discovered with license that will expire on <expiry date>. Sensor <sensor Critical name> discovered without license, sensor may not detect attacks. Sensor <sensor name> device license expired, sensor may not detect attacks. Sensor <sensor name>support license expired, sensor may not detect attacks Critical
This is an informational fault occurs when the sensor discovers that it has a license. This fault occurs when a sensor does not have a license.
Renew the license before it expires.
Contact Technical Support or your local reseller to obtain a permanent license.
This fault occurs when the license has expired.
Critical
This fault occurs when the support term license has expired.
60
Other faults
Fault
Severity
Description/Cause
Action
Sensor discovered Critical with cluster secondary license
Sensor discovered with cluster secondary license, and must not be connected to ISM directly. This fault occurs when temperature of XLR chip/module in the sensor is abnormal.
To obtain a standard license now, kindly contact Technical Support or your local reseller.
< XLR A die / XLR Critical B die /XLR C die> temperature is <Normal / Abnormal / Critical / Unknown>. Critical This fault occurs when temperature of XLR chip/module in the sensor is abnormal. Check the Fan LEDs on the front of the sensor to ensure all internal sensor fans are functioning.
Check the Fan LEDs on the front of the sensor to ensure all internal sensor fans are functioning.
Other faults
Host Quarantine and Remediation
In the case of Host Quarantine and Remediation, an error message is raised when the number of quarantine rules exceed the permitted limit. The sensor raises a fault message to the ISM when the number of quarantine rules exceeds the maximum permitted limit. The fault is displayed as IP: host quarantine block nodes exhausted. This can be viewed as an alert in the Alert Manager. For more information, see Fault messages for Host Quarantine, Alerts & System Health Monitoring Guide. Note 1: You can have up to 1000 host quarantine rules for an IPv4 addresses, and up to 500 host quarantine rules for IPv6 addresses. For more information on using quarantine from Alert Manager, see Using Host Quarantine, Alerts & System Health Monitoring Guide. Note 2: For more information on quarantine and remediation functionality, see Host Quarantine and Remediation, Sensor Configuration Guideusing ISM.
61
CHAPTER 6
Error Messages
This section lists the error messages displayed in ISM.
Error messages for RADIUS servers

The table lists the error messages displayed in the ISM.
Error Name
Description/Cause
Action
RADIUS Connection Successful RADIUS Connection Failed No RADIUS server configured
RADIUS server is up and running RADIUS server is up and running Network failure, congestion at servers or RADIUS server not available No server available Try after sometime, check IP address and Shared Secret key Configure at least one RADIUS server Use a different IP address and port number Enter a valid host name /IP address Enter a valid host name /IP address Enter a valid host name /IP address
Server with IP address IP address and port connection and port already exists not unique for RADIUS server RADIUS server host IP Field cannot be blank address/host name is required Shared Secret key is unique in case of RADIUS server Field cannot be blank
RADIUS server host IP Invalid host name /IP address address/host name cannot be resolved as entered
The table lists the error messages displayed in the User Activity Audit report.
62
Error Messages
Error messages for LDAP server
Error Name
Description/Cause
Error Type
RADIUS Authentication
User <user name> with login Id <login Id> failed to authenticate to RADIUS server <RADIUS server host name /IP address> on port <port number> due to server timeout/ network failure
User
Add Radius Server
Added RADIUS server IP Manager Address/Host <IP address or host name> , port <port number> enable <Yes/No> IP Address/Host <IP address or Manager host name> set port <port number> ,set Enabled <Yes/No> Deleted RADIUS Server IP Manager Address/Host <IP address or host name> , port <port number>
Edit RADIUS server
Delete RADIUS server

The table lists the error messages displayed in the ISM.
Error Name Description/Cause Action
Server with IP address IP address and port connection and port already exists not unique for LDAP server LDAP server host IP address/host name is required LDAP server host IP address/host name cannot be resolved as entered LDAP Connection Successful LDAP Connection Failed No LDAP server configured Field cannot be blank
Use a different IP address and port number Enter a valid host name /IP address Enter a valid host name /IP address
Invalid host name /IP address
LDAP server is up and running Network failure, congestion at servers or LDAP server not available No server available
LDAP server is up and running Try after sometime, check IP address Configure at least one LDAP server
The table lists the error messages displayed in the User Activity Audit report.
63
Error Messages
Error Name
Description/Cause
Error Type
LDAP Authentication
User <user name> with login Id <login Id> failed to authenticate to LDAP server <LDAP server host name /IP address> on port <port number> due to server timeout/ network failure. Added LDAP server IP Address/Host <IP address or host name> , port <port number>, enable <Yes/No>
User
Add LDAP server
Manager
Edit LDAP server
IP Address/Host <IP address or Manager host name> set port <port number> ,set Enabled <Yes/No> Deleted LDAP Server IP Address/Host <IP address or host name" , port<port number> Manager
Delete LDAP server
64
CHAPTER 7
Using the InfoCollector tool

Introduction
InfoCollector is an information collection tool, bundled with ISM that allows you to easily provide McAfee with IntruShield-related log information. McAfee can use this information to investigate and diagnose issues you may be experiencing with the ISM. InfoCollector can collect information from the following sources within the IntruShield system:
Information Type Description
Ems.log Files
Configurable logs containing information from various components of the ISM. The current ems.log file is renamed when its size reaches 1MB, using the current timestamp. Another ems.log is created to collect the latest log information. A collection of database information containing all IntruShield configuration information. XML and property files within the IntruShield config directory. A table in the IntruShield database that contains generated fault log messages. A file containing various sensor-related log files. A file containing signature information and policy configuration for a given sensor.
Configuration backup Configuration files Fault log Sensor Trace Compiled Signature
InfoCollector is a tool that can be used both by you and by McAfee. McAfee systems engineers can use the InfoCollector tool to provide you with a definition (.def) file via email. This file is configured by McAfee to automatically choose information that McAfee needs from your installation of IntruShield. You simply open the definition file within the InfoCollector and it will automatically select the information that McAfee needs from your installation of the ISM. Alternatively, a manual approach can also be used with InfoCollector, and you can select information yourself to provide to McAfee. For example, McAfee may ask you to select checkboxes that correspond to different sets of information available within IntruShield.
65
Running the InfoCollector
Running the InfoCollector

To run InfoCollector, follow the following steps: 1. If you do not already have InfoCollector installed, download the InfoCollector.zip file from the McAfee website and extract it to the following location: C:\[INTRUSHIELD_INSTALL_DIR]\diag
Files related to InfoCollector, such as infocollector.bat should be in the following location: C:\[INTRUSHIELD_INSTALL_DIR]\diag\InfoCollector
2. Run the following batch file: C:\[INTRUSHIELD_INSTALL_DIR]\diag\InfoCollector\infocoll ector.bat
Using InfoCollector
To use InfoCollector, follow these steps: 1 After you run InfoCollector, do one of the following:
i.
If McAfee provides you with a definition file: After you run InfoCollector, open the File menu and click Open Definition.
Figure 2: Diagnostic information collector Open definition
ii.
Select the definition file that McAfee sent you via email and click Select. If McAfee instructs you to select InfoCollector checkboxes:
66
Using InfoCollector
After you run InfoCollector, select the checkboxes as instructed by McAfee. iv. Select a Duration. Select Date to specify a start and end date, or select Last X Days and v. Select the number of days from which InfoCollector should gather information. vi. Click Browse and select the path and filename of the output ZIP file. Click Run.
iii.
Figure 3: Diagnostic information Collector - Run
Provide the output ZIP file to McAfee as recommended by McAfee Technical Support. You can send the file via email or through FTP.
Caution: The output ZIP file contains the toolconfig.txt file, which lists the information that you have chosen to provide McAfee.
67
CHAPTER 8
Automatically restarting a failed ISM with ISM Watchdog

Introduction
The ISM Watchdog feature is designed to restart the ISM if the ISM crashes, potentially bringing the ISM back online before MDR enables. The ISM Watchdog monitors the ISM process on the ISM server periodically for availability. If ISM Watchdog detects that the ISM has gone down unexpectedly, it restarts the service automatically. (It does not restart the ISM if the ISM has been shut down intentionally.)
How the ISM Watchdog Works

ISM Watchdog runs as a separate process and monitors ISM through the Windows OS Services model. ISM Watchdog polls ISM every 10 seconds. If the ISM Watchdog does not detect the ISM during a polling period, it waits 30 seconds and then restarts the ISM service automatically. ISM Watchdog will make five attempts to restart the ISM and then, if it has not succeeded, it will exit. ISM Watchdog, by default, is a manual service; you must explicitly start it. Caution 1: You can instead change this setting to be automatic if you wish the service to start automatically after a system reboot. Caution 2: If you have chosen to change the ISM service setting from its default (Auto) to "Manual," (during a troubleshooting session, for example) then consider doing the same for ISM Watchdog. This will prevent the ISM Watchdog from restarting ISM automatically.
Installing ISM Watchdog

ISM Watchdog is installed automatically during ISM installation, and a new OS service called "IntruShield Watchdog Service" is created to enable you to start and stop the ISM Watchdog service. Caution: ISM Watchdog monitors only the "IntruShieldMgr" service; it does not monitor services like MySQL or Apache.
68
Starting ISM Watchdog
Starting ISM Watchdog

The ISM watchdog process is, by default, not started after installation; you must start the ISM watchdog process manually. To start/stop ISM Watchdog: 1. Select Start > Settings > Control Panel. Double-click Administrative Tools, and then double-click Services. 2. Click IntruShield Watchdog Service. 3. Do one of the following: To start the service, select Action > Start. To stop the service, select Action > Stop.
Using ISM Watchdog with ISM in an MDR configuration

When using ISM Watchdog on an ISM that is part of an MDR configuration, consider whether you want the ISM Watchdog to restart the ISM before failover can occur. If so, you must ensure that the value set for the MDR setting "Downtime Before Switchover" is greater than the ISM Watchdog setting of 30 seconds. This prevents the initiation of MDR, wherein the peer ISM takes over if the primary ISM fails. McAfee suggests retaining the default value of 5 minutes or greater to allow the ISM Watchdog time to restart the ISM. If the ISM Watchdog brings up a primary ISM after MDR has initiated, note that the primary ISM does not come back Active; it checks first to determine whether the secondary is Active and if so, remains as standby.
Tracking ISM Watchdog activities

The ISM Watchdog logs all controlled activities in a log file. Log files can be found at /<IntruShield install directory>/ named with the filename convention wdout_<<time stamp>>.log. A sample log file entry follows:
Sample ISM Watchdog Log
---------------------------------------------------------------------------------------------------------------------------------Restarting server at Mon Jun 09 14:48:53 GMT+05:30 2006 SERVER STDOUT: The IntruShield Manager Service is starting. SERVER STDOUT: The IntruShield Manager Service was started successfully. SERVER STDOUT: SERVER STDOUT: ----------------------------------------------------------------------------------------------------------------------------------
69
If the ISM Watchdog fails after five attempts to restart ISM, the following line will appear in the log file: SERVER STDOUT: Failed to restart Manager after five attempts. Exiting. [kl]
70
CHAPTER 9
Sensor capacity by model number

The following table lists the sensor limitations by category and by sensor model.
Maximum Type
I-1200
I-1400
I-2600
I-2700
I-3000
I-4000
I-4010
Concurrent connections Connections established per sec. Concurrent SSL Flows (2.1.x and later) Number of SSL keys that can be stored on the sensor Virtual Interfaces (VIDS) VLANS / CIDR Blocks VLANS / CIDR Blocks per Physical Port Customized attacks Alert filters Default number of supported UDP Flows Supported UDP Flows DoS Profiles SYN rate (64-byte packets per second) ACL Rules (refer to note below)
40,000 80,000 250,000 250,000 500,000 1,000,000 1,000,000 1,000 NA NA 16 32 32 2,000 NA NA 32 64 64 6,250 25,000 64 100 300 254 6,250 25,000 64 100 300 254 10,000 50,000 64 1000 3000 254 25,000 100,000 64 1000 3000 254 25,000 100,000 64 1000 3000 254 100,000 128,000 100,000 750,000 5000
20,000 40,000 100,000 100,000 100,000 100,000 16,000 32,000 64,000 5,000 6,000 25,000 64,000 25,000 128,000 128,000 100,000 100,000
30,000 60,000 187,500 187,500 750,000 750,000 100 120 300 300 5000 5000
83,000 64,000 250,000 250,000 500,000 1,000,000 1,000,000 50 100 400 400 1000 1000 1000
71
I-Series Sensor Capacity M-Series Sensor Capacity

Maximum Type M-6050 M-8000
Concurrent connections 2,000,000 Connections established per sec. Concurrent SSL Flows (2.1.x and later) Number of SSL keys that can be stored on the sensor 60,000 Not Supported Not Supported
4,000,000 120,000 Not Supported Not Supported 1000 3000 254 100,000 128,000 400,000 3,000,000 5000 3,900,000 1000
Virtual Interfaces (VIDS) 1000 VLANS / CIDR Blocks VLANS / CIDR Blocks per Physical Port Customized attacks Alert filters Default number of supported UDP Flows Supported UDP Flows DoS Profiles SYN rate (64-byte packets per second) 3000 254 100,000 128,000 400,000 1,500,000 5000 2,000,000
ACL Rules (refer to note 1000 below)
For more information on computing ACL, see Viewing ACL descriptions using Effective ACL rules, Sensor Configuration guideusing ISM.
Note for customized attacks

The signature set push from ISM to a sensor will fail if the number of customized attacks on the sensor exceeds the customized attack limit. The number of customized attacks can increase due to: Modifications done to attacks on a policy by users Recommended for blocking (RFB) attacks User created asymmetric policies Example: How numerous customized attacks are created in asymmetric policies.
72
a. b. c.
Create a new policy. Set the Inbound rule set to "File Server rule set". Set the Outbound rule set to "All-inclusive with Audit rule set".
You will see that: The File Server rule set has 166 exploit attacks. The All-inclusive with Audit rule set has 2204 exploit attacks. The total number of customized attacks for this policy is 2204 116 = 2038 customized attacks.
73
CHAPTER 10
Utilizing the McAfee Knowledge Base

The McAfee Knowledgebase (KB) contains a large number of useful articles designed to answer specific questions that might not have been addressed elsewhere in the documentation set. We suggest checking to see if a question you have is answered in a KB article. To access the McAfee Knowledgebase: Go to http://mysupport.mcafee.com/Eservice/ and click Search the KnowledgeBase. The following list contains some of the more commonly accessed KB articles.
Old Number New Number Topic
KB38000 KB38001 KB38002 KB38003 KB38004 KB38005 KB37553 KB37773 KB38041 KB38365 KB38487 KB39232 KB39353 KB39888
KB55446 KB55447 KB55448 KB55449 KB55450 KB55451 KB55318 KB60660 KB55470 KB55549 KB55568 KB55723 KB55743 KB55908
All signature set releases with links to signature set release notes All UDS releases and release notes of the UDSs (this is a restricted article and requires the user to log into service portal or be internal) Table displaying the current versions for IntruShield Listing of IntruShields response to high profile public vulnerabilities How to request coverage for a threat that isn't already covered List of all McAfee Recommended for Blocking (RFB) attacks Sensor heat dissipation rates (BTUs per hour) Verify MySQL Database Tables IntruShield maximum number of CIDR blocks using VIDS Collecting a diagnostics trace from the IntruShield sensor VLAN limitations for IntruShield Maximum number of SSL keys for an ISM or sensor Submitting IntruShield incorrect identifications (false positive/incorrect detection) to support Support for legacy versions
KB40570 KB40571
KB55364 KB56069
Asymmetric traffic and TCP flow violation options. "Login failed: Unable to get the IntruShield Security Manager license information"
74
Utilizing the McAfee Knowledge Base
Old Number
New Number
Topic
KB40582
KB56071
Configuring authentication on the ISM for the update server
KB41752 NAI32011
KB56364 KB59347
3rd Party Recommended Hardware for IntruShield Sensors Sensor is reporting false DOS attacks / New network device is added and sensor is now reporting DOS attacks Recover the password for the ISM
NAI32008
KB59344
75
S
Sensor capacity by model number......................... 77
Index
A
auto-negotiation and speed configurations ...... 15, 20
sensor failover status ............................................. 22 system health......................................................... 21
W
warning faults......................................................... 51
C
connectivity issues ................................................. 15 critical faults ........................................................... 32
D
duplex mismatches ................................................ 15
F
false positives......................................................... 28
H
hardening the ISM server......................................... 7 hardening the MySQL installation ............................ 7
I
InfoCollector tool .................................................... 71 informational faults ................................................. 55 ISM Watchdog........................................................ 74
M
management port configuration ............................. 14 MySQL issues ........................................................ 27
O
other faults ............................................................. 67
P
problems with sensor reboot ............................ 23, 24
R
rolling back changes .............................................. 10

INTR Troubleshooting 4.1

Enviado por

Dados do documento

Descrição original:

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

INTR Troubleshooting 4.1

Enviado por

Direitos autorais:

Formatos disponíveis

IntruShield Troubleshooting Guide

McAfee IntruShield IPS

McAfee Network Protection

LICENSE AND PATENT INFORMATION License Agreement

Issued JUNE 2009 / IntruShield Troubleshooting Guide

Before You Install.......................................................................................... 1

Hardening the ISM Server ............................................................................ 7

Troubleshooting IntruShield IPS ............................................................... 12

Determining False Positives ...................................................................... 27

System Fault Messages.............................................................................. 31

Error Messages ........................................................................................... 62

Using the InfoCollector tool ....................................................................... 65

Automatically restarting a failed ISM with ISM Watchdog...................... 68

Introducing McAfee IntruShield IPS

About this Guide

McAfee IntruShield IPS 4.1

IntruShield Troubleshooting Guide

Conventions used in this guide

Conventions used in this guide

Select My Company > Admin Domain > View Details.

McAfee IntruShield IPS 4.1

IntruShield Troubleshooting Guide

Contacting Technical Support

McAfee IntruShield IPS 4.1

IntruShield Troubleshooting Guide

Contacting Technical Support

Information requested for Troubleshooting

McAfee IntruShield IPS 4.1

IntruShield Troubleshooting Guide

Contacting Technical Support

Signature set issues

Before You Install

Planning for installation

McAfee IntruShield IPS 4.1

Before You Install

IntruShield Troubleshooting Guide

Install a desktop firewall

Default SNMPv3 command channel

8503 8504 8555 443 80

TCP TCP TCP TCP TCP

McAfee IntruShield IPS 4.1

Before You Install

IntruShield Troubleshooting Guide

Additional communication ports

25/TCP 49/TCP 162/UDP 389/TCP 443/TCP 443/TCP 514/UDP 636/TCP 1812/UDP

SMTP TACACS+ Integration SNMP Forwarding LDAP Integration (without SSL)

ISM-->SMTP server Sensor-->TACACS+ server ISM-->SNMP server ISM-->LDAP server

Using anti-virus software with the Manager

McAfee VirusScan 8.0i and SMTP notification

User interface responsiveness

McAfee IntruShield IPS 4.1

Before You Install

IntruShield Troubleshooting Guide

Hardening the ISM Server

Install a desktop firewall

Harden the MySQL installation

McAfee IntruShield IPS 4.1

Hardening the ISM Server

IntruShield Troubleshooting Guide

Harden the MySQL installation

Remove test database

mysql> show databases;

Remove local anonymous users