本帖最后由 jxfaiu 于 2013-8-15 23:38 编辑
McAfee Host Intrusion Prevention 8.0更新规则:
去除了6条官方默认规则:灰色无法修改、停用、删除;
1,受信任的应用程序(防火墙可信任)
2,VM桥接流量-入站
3,VM桥接流量-出站
4,允许不受支持的协议
5,TrustedSource-允许Host IPS
6,TrustedSource-获取评级
需虚拟机连网的用户请使用以前规则包:http://bbs.kafan.cn/thread-1526828-1-1.html
默认规则:灰色无法修改、停用、删除;
1,允许ARP规则,方向:二选一,操作:允许,协议与地址:非IP:806;
2,Allow EAPOL,方向:二选一,操作:允许,协议与地址:非IP:888E;
3,IP欺骗,方向:出站,操作:阻止,,协议与地址:IP协议,选IPV4、IPV6,协议与端口:全部协议;
自定义规则:
1,Block IPv6 over IPv4 (ISATAP),方向:二选一,操作:阻止,协议与地址:非IP;输:41;
2,Block 原始帧中继 (0x6559),方向:二选一,操作:阻止,协议与地址:非IP;输:6559;
3,TrustedSource-获取评级,方向:入站,操作:阻止,协议与地址:IPV4、IPV6;远程IP地址添加范围:
10.0.0.0-10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255
192.254.0.0-192.254.255.255,
224.0.0.0-224.0.0.255
单个:
0.0.0.0
95.163.88.209
本地子网:224.0.0.0-239.255.255.255
255.255.255.255
协议与端口:全部协议;
4,Allow ICMP Echo request,方向:出站,操作:允许,协议与地址:IP协议,选IP4、IPV6;协议与端口:ICMPv4,消息类型:Echo request;
5,Allow ICMP Source Quench,方向:入站,操作:允许,协议与地址:IP协议,选IP4、IPV6;协议与端口:ICMPv4,消息类型:Source Quench;
6,Block all ICMP,方向:二选一,操作:阻止,协议与地址:任何协议;协议与端口:ICMPv4,消息类型:全部;
7,Block TCP All Inbound,方向:入站,操作:阻止,协议与地址:任何协议;协议与端口:TCP,本地端口:0-65535;远程端口:0-65535;
8,Block TCP Local port,方向:出站,操作:阻止,协议与地址:任何协议;协议与端口:TCP,本地端口:分6次输入以下端口号至本地端口用户自定义下框中,每次输入后点添加;
0-1030,1033,1042,1045,1057,1090,1095,1097,1098,1099,1158,1170,1234,1243,1245,1345,1349,1433,1434,1492,1521,1524,1560,1600,1807,1831,1981,1999,2000,2001,2002,2003,2004,2005,2023,2100,2115,2140,2565,2583,2701,2702,2703,2704,2773,2774,2800,2801,2869,3000
3024,3128,3129,3150,3389,3700,4092,4267,4567,4590,4899,5000,5001,5168,5321,5333,5357,5358,5400,5401,5402,5151,5550,5554,5555,5556,5557,5569,5742,6267,6400,6670,6671,6711,6771,6776,6883,6939,6969,6970,7000,7001,7080,7215,7300,7301,7306,7307,7308,7410,7597,7626
7789,8080,8081,9080,9090,9400,9401,9402,9408,9535,9872,9873,9874,9875,9898,9989,10067,10167,10168,10520,10528,10607,11000,11051,11223,12076,12223,12345,12346,12348,12349,12361,12362,12363,12631,13000,14500,14501,14502,14503,15000,15094,15382,16484,16772,16969
17027,17072,17166,17569,19191,19864,20000,20001,20002,20023,20034,21544,22222,23005,23006,23023,23032,23456,23476,23477,25685,25686,25982,26274,27374,29104,30001,30003,30029,30100,30101,30102,30103,30133,30303,30947,30999,31337,31338,31339,31666,31785,31787
31788,31789,31791,31792,32100,32418,33333,33577,33777,33911,34324,34555,35555,40421,40422,40423,40424,40425,40426,41337,41666,43210,44445,47262,49301,50130,50505,50766,51996,53001,54283,54320,54321,55165,57341,58339,60000,60411,61348,61466,61603,63485,65000
65390,65432 远程端口:0-65535;
9,Allow bootp,方向:出站,操作:允许,协议与地址:IPV4、IPV6;协议与端口:UDP,本地端口:68,远程端口:67;在应用程序浏览到安装目录下的C:\WINDOWS\system32\svchost.exe(此规则适合局域网,如下面有阻止UDP本地低端口0-1024出入站的规则,请放至Block DUP Local port规则上)
10,Block UDP All Inbound,方向:入站,操作:阻止,协议与地址:任何协议;协议与端口:UDP,本地端口:0-65535;远程端口:0-65535;
11,Block UDP Local port,方向:出站,操作:阻止,协议与地址:任何协议;协议与端口:UDP,本地端口:分4次输入以下端口号至本地端口用户自定义下框中,每次输入后点添加
0-67,69-1025,1027,1033,1042,1170,1234,1243,1245,1434,1492,1560,1561,1600
1807,1981,1999,2000,2001,2023,2115,2140,2583,2701,2702,2703,2704,2801,2989,3129,3024,3072,3150,3333,3700,3996,4006,4011,4060,4092,4321,4500,4590,5000,5001,5151,5168,5321,5355,5357,5358,5400,5401,5402,5550,5569,5742,6267,6400,6670,6671,6711,6771,6776,6883
7000,7028,7300,7301,7306,7307,7410,7626,7789,8225,9400,9401,9402,9696,9872,9873,9874,9875,9989,10067,10167,11000,11223,12076,12223,12345,12346,12348,12349,12361,15094,16969,17569,19191,20000,20001,20034,21554,22222,22226,23456,26274,27374,30100,30303,30999
31237,31337,31338,31339,31666,31785,31787,31788,31789,31791,31792,33333,33390,34324,34555,40412,40421,40422,40423,40425,40426,43210,44445,47262,50766,54320,54321,60000,61466,65000 远程端口:0-65535;
12,Allow DNS,方向:出站,操作:允许,协议与地址:IPV4、IPV6;协议与端口:UDP,本地端口:1024-65535,远程端口:53;在应用程序浏览到安装目录下的C:\WINDOWS\system32\svchost.exe
13,Block csrss.exe,方向:二选一,操作:阻止,协议与地址:任何协议;协议与端口:全部协议;在应用程序浏览到安装目录下的C:\WINDOWS\system32\csrss.exe
14,Block explorer.exe,方向:二选一,操作:阻止,协议与地址:任何协议;协议与端口:全部协议;在应用程序浏览到安装目录下的C:\WINDOWS\explorer.exe
15,Block ntoskrnl.exe,方向:入站,操作:阻止;协议与地址:任何协议;协议与端口:全部协议;在应用程序浏览到安装目录下的C:\WINDOWS\system32\ntoskrnl.exe
16,Block rundll32.exe,方向:二选一,操作:阻止;协议与地址:任何协议;协议与端口:全部协议;在应用程序浏览到安装目录下的C:\WINDOWS\system32\rundll32.exe
17,Block services.exe,方向:二选一,操作:阻止,协议与地址:任何协议;协议与端口:全部协议;在应用程序浏览到安装目录下的C:\WINDOWS\system32\services.exe
18,Block scvhost.exe,方向:二选一,操作:阻止,协议与地址:任何协议;协议与端口:全部协议;在应用程序浏览到安装目录下的C:\WINDOWS\system32\svchost.exe
19,TrustedSource-允许Host IPS,方向:出站,操作:阻止,,协议与地址:所有协议,协议与端口:全部协议;应用程序:
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
20,Allow McAfee VSE1 Outbound,方向:出站,操作:允许,协议与地址:IPV4、IPV6;协议与端口:UDP,本地端口:1024-65535,远程端口:53;在应用程序浏览到安装目录下的
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
21,Allow McAfee VSE2 Outbound,方向:出站,操作:允许,协议与地址:IPV4、IPV6;协议与端口:全部协议;在应用程序浏览到安装目录下的
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
22,Allow McAfee VSE3 Outbound,方向:出站,操作:允许,协议与地址:IPV4、IPV6;协议与端口:全部协议;在应用程序浏览到安装目录下的
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
另ICMPv4规则可以写成:
1,Block incoming pings,方向:入站,操作:阻止,协议与地址:IP协议,选IP4、IPV6;协议与端口:ICMPv4,消息类型:Echo request;
2,Block ICMP Timestamp,方向:入站,操作:阻止,协议与地址:IP协议,选IP4、IPV6;协议与端口:ICMPv4,消息类型:Timestamp;
3,Block ICMP Addr Mask,方向:入站,操作:阻止,协议与地址:IP协议,选IP4、IPV6;协议与端口:ICMPv4,消息类型:Address Mask Requst;
4,Block ICMP Info Req,方向:入站,操作:阻止,协议与地址:IP协议,选IP4、IPV6;协议与端口:ICMPv4,消息类型:Information Requst ;
5,Block ICMP Router Solicit,方向:入站,操作:阻止,协议与地址:IP协议,选IP4、IPV6;协议与端口:ICMPv4,消息类型:Router Solicitation;
6,Block ICMP Redirect,方向:入站,操作:阻止,协议与地址:IP协议,选IP4、IPV6;协议与端口:ICMPv4,消息类型:Redirect;
7,Allow all ICMP,方向:二选一,操作:允许,协议与地址:IP协议,选IP4、IPV6;协议与端口:ICMPv4,消息类型:全部;
1-7规则为:ICMPv4协议规则,使用ICMPv6协议的可参照上面ICMPv4协议规则,只需在协议与端口改为:ICMPv6,消息类型:参照上面;
McAfee HIP8.0XP系统规则包:
指定程序规则,为XP32位系统途径;其它windows系统请在规则编辑应用程序界面浏览至你当前程序所在目录
其它windows版本系统根据你当前系统途径修改注册表文件:
McAfee HIP8.0XP系统最新规则包: |