
How to interpret the Alert Result Status display in the Network Security Platform Manager
Technical Articles ID:   KB56436
Last Modified:  1/5/2018

Environment

McAfee Network Security Platform Manager software

Summary

The Alert Result Status display, found in the Consolidated View and reached by drill-down action, is the Manager's determination of the result of each detected attack. The result is not measured by observing the target's response; it is inferred from the parameters of the currently applied policy. A result of Successful is therefore a policy-based judgment that the target is expected to be affected, not confirmation that the host was compromised, and should be verified on the endpoint.

For example, if the DMZ is protected in Tap mode (where the Sensor monitors passively and cannot drop packets) with the DMZ policy, and an attack is detected that matches the policy parameters, the attack is reported as successful, because the policy indicates a relevant target and nothing prevented the attack from reaching it. Conversely, if an attack targets a Windows operating system vulnerability but the UNIX Server policy is enforced for that segment, the attack is reported as failed, because the policy describes an environment the attack cannot affect.

For alert result status, both the Consolidated View and the drill-down Count View display the result categories listed below together with the number of alerts in each category. In the Consolidated View, the Alert Result Status shows the count for all alerts within the present Alert Viewer session. For a drill-down, the resulting table shows the alert count per result category for the alerts in the selected bar only, rather than for all alerts.

Alert Result Status categories for alerted attacks:

Successful (also shown as Attack Successful)
    The attack was successful or possibly successful.

Unknown (also shown as Inconclusive)
    The impact of the attack is not known. This is most likely due to a generic policy, such as the Default IDS or All-Inclusive policy, whose rules are not specific to the protected environment. For example, this may be the result if an attack occurs against a node that is not relevant to it.

Failed
    The attack had no impact.

Suspicious (also shown as n/a)
    The alert was raised for suspicious, but not necessarily malicious, traffic. This result is common for Reconnaissance attacks because of the nature of port scanning and host sweeping.

Blocked (also shown as Attack Blocked)
    Attacks blocked by the Drop Packets Sensor response. See Customizing Responses for an Attack (policy configuration - Exploit response), Customizing Denial of Service (DoS) Modes (policy configuration - DoS Learning Mode response), and Blocking Further DoS Packets for Statistical Attacks (Alert Viewer - DoS attack response) for more information.

Blocking Activated (also shown as DoS Blocking Activated)
    This applies to DoS traffic and indicates that the Sensor has identified suspicious traffic that exceeds its learned threshold or does not match its learned profile. The Sensor has started blocking unrecognised traffic while attempting, on a packet-by-packet basis, to block only the DoS traffic coming from a trusted source and to let that source's legitimate traffic through.

    However, because of the nature of DoS attacks, one cannot be certain that 100% of bad traffic was blocked, nor that 100% of 'good' traffic was permitted. For a more in-depth description of Network Security Platform's DoS handling, see "Denial of Service" in the Network Security Platform IPS Administration Guide.
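The counting rules described above (one count per result category for the whole session in the Consolidated View, and for the selected bar only in a drill-down) can be reproduced offline against an alert export, which is useful when triaging a large session. The Python below is an added example written for this article, not Manager code; the CSV layout and the alert rows are constructed for illustration, and a real Manager export may use different column names. It normalises the two labels the table gives for each category, produces both views, and flags Inconclusive results raised under a generic policy so the analyst verifies the target manually instead of trusting the policy-derived result.

```python
"""Tally Network Security Platform alert result statuses the way the
Consolidated View and a drill-down do.

Added example for KB56436. The export format and alert rows below are a
constructed assumption, not the product's own export format."""
import csv
import io
from collections import Counter

# Both labels the Manager shows for each result category, folded to one key.
RESULT_CATEGORIES = {
    "successful": "Successful",
    "attack successful": "Successful",
    "unknown": "Inconclusive",
    "inconclusive": "Inconclusive",
    "failed": "Failed",
    "suspicious": "Suspicious",
    "n/a": "Suspicious",
    "blocked": "Blocked",
    "attack blocked": "Blocked",
    "blocking activated": "Blocking Activated",
    "dos blocking activated": "Blocking Activated",
}

# Review order, most urgent first. Inconclusive ranks second because the
# Sensor could not judge impact, so a human has to.
TRIAGE_ORDER = ["Successful", "Inconclusive", "Blocking Activated",
                "Suspicious", "Blocked", "Failed"]

# Generic policies whose rules are not environment specific (from the article).
GENERIC_POLICIES = {"Default IDS", "All-Inclusive"}

# Constructed sample export (hypothetical columns and attack names).
SAMPLE_EXPORT = """\
time,attack,target_ip,policy,result
2018-01-05 09:00:01,HTTP: Directory Traversal,10.0.1.20,DMZ,Attack Successful
2018-01-05 09:00:04,HTTP: Directory Traversal,10.0.2.7,UNIX Server,Failed
2018-01-05 09:00:09,TCP: Port Scan,10.0.1.20,DMZ,n/a
2018-01-05 09:01:13,SMB: Remote Code Execution,10.0.1.21,Default IDS,Inconclusive
2018-01-05 09:01:20,SMB: Remote Code Execution,10.0.1.21,DMZ,Attack Blocked
2018-01-05 09:02:02,SYN Flood,10.0.1.1,DMZ,DoS Blocking Activated
"""


def normalize(result):
    """Map either label of a category to its canonical name; reject unknown text."""
    key = result.strip().lower()
    if key not in RESULT_CATEGORIES:
        raise ValueError(f"unknown result status: {result!r}")
    return RESULT_CATEGORIES[key]


def parse_alerts(text):
    """Read the constructed export and normalise the result column."""
    return [dict(row, result=normalize(row["result"]))
            for row in csv.DictReader(io.StringIO(text))]


def consolidated_counts(alerts):
    """Count per category for every alert in the session (Consolidated View)."""
    counts = Counter(a["result"] for a in alerts)
    return {cat: counts.get(cat, 0) for cat in TRIAGE_ORDER}


def drilldown_counts(alerts, **selection):
    """Count per category only for alerts matching the selected bar,
    e.g. drilldown_counts(alerts, attack="SYN Flood")."""
    subset = [a for a in alerts
              if all(a[k] == v for k, v in selection.items())]
    return consolidated_counts(subset)


def triage(alerts):
    """Alerts ordered for review, most urgent first. Inconclusive results
    under a generic policy carry a note: the result says nothing about the
    real target, so the analyst must confirm the OS/service themselves."""
    rank = {cat: i for i, cat in enumerate(TRIAGE_ORDER)}
    out = []
    for a in sorted(alerts, key=lambda a: rank[a["result"]]):
        note = ""
        if a["result"] == "Inconclusive" and a["policy"] in GENERIC_POLICIES:
            note = "verify target OS/service manually"
        out.append((a["result"], a["attack"], a["target_ip"], note))
    return out


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EXPORT)
    print("Consolidated:", consolidated_counts(alerts))
    print("Drill-down (SMB):",
          drilldown_counts(alerts, attack="SMB: Remote Code Execution"))
    for row in triage(alerts):
        print(row)
```

Running the block prints the session-wide breakdown, the breakdown for one selected attack, and the review order; sorting is stable, so alerts sharing a category keep their export order.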

For a full list of product documents, go to the ServicePortal at: http://support.mcafee.com. Click Knowledge Center, and select Product Documentation from the Knowledge Base list.
