Creating a Custom System Defense filter using PowerShell

Let us go over how to use the Intel vPro Technology Module for PowerShell to create a custom Intel vPro System Defense filter and policy. This functionality is new in version 3.2.5!

First, let's verify that no System Defense data is set using Get-AMTSystemDefense.

Nothing is set, so let's just call Set-AMTSystemDefense. This maintains the previous behavior, and sets up a demo System Defense policy that blocks all traffic except management traffic to the vPro AMT!

Now to clear it using Clear-AMTSystemDefense.

What about a custom policy? Well, just pass in an XML file!

So what is in the XML file? Here is a look at a sample policy (element values only, in document order: first the filter definition, then the policy definition):

    defaultBlock
    defaultPolicy
    http://intel.com/wbem/wscim/1/amt-schema/1/AMT_Hdr8021Filter
    n/a
    n/a
    n/a
    1
    0
    false
    2048

        defaultPolicy
        0
        3
        false
        false
        true
        false
        true
        false
        true

A System Defense policy contains a set of filters that are applied to incoming and outgoing network packets, combined with actions to take when a packet matches or does not match the conditions in the filter.

System Defense has two types of filters that can be created, an Ethernet Filter and an IP Filter.

Ethernet Filter belongs to the class AMT_Hdr8021Filter. The 8021Filter allows 802.1 source and destination MAC addresses, as well as the 802.1 protocol ID, priority, and VLAN identifier fields, to be expressed in a single object to classify and identify traffic.

AMT_Hdr8021Filter Supported Fields

Name: Defines the label by which the Filter Entry is known and uniquely identified.
PolicyName: The name of the policy that this filter will be used in.
CreationClassName: Indicates the name of the class or the subclass used in the creation of an instance.
SystemCreationClassName: The scoping ComputerSystem's CreationClassName.
SystemName: The scoping ComputerSystem's Name.
HdrProtocolID8021: This property is a 16-bit unsigned integer, representing an Ethernet protocol type.
FilterProfile: Specifies the type of behavior exhibited by the filter.
FilterProfileData: An extra data parameter which is used depending on the FilterProfile. It is left blank for Drop/Pass/Statistics filters, but is required for Rate Limit filters.
FilterDirection: Specifies the traffic direction (transmit or receive) that the filter governs.
ActionEventOnMatch: Specifies whether an Event should be created in the Event Manager when this filter is matched.

IP Filter belongs to the class AMT_IPHeadersFilter. This filter contains the most commonly required properties for performing filtering on IP, TCP or UDP headers. Properties in an instance of the IPHeadersFilter are treated as 'all values'.

AMT_IPHeadersFilter Supported Fields

Name: Defines the label by which the Filter Entry is known and uniquely identified.
PolicyName: The name of the policy that this filter will be used in.
CreationClassName: Indicates the name of the class or the subclass used in the creation of an instance.
SystemCreationClassName: The scoping ComputerSystem's CreationClassName.
SystemName: The scoping ComputerSystem's Name.
HdrIPVersion: Identifies the version of the IP addresses for IP header filters.
HdrSrcAddress: An OctetString, of a size determined by the value of the HdrIPVersion property, representing a source IP address.
HdrSrcMask: An OctetString, of a size determined by the value of the HdrIPVersion property, representing a mask to be used in comparing the source address in the IP header with the value represented by the HdrSrcAddress property.
HdrDestAddress: An OctetString, of a size determined by the value of the HdrIPVersion property, representing a destination IP address.
HdrDestMask: An OctetString, of a size determined by the value of the HdrIPVersion property, representing a mask to be used in comparing the destination address in the IP header with the value represented in the HdrDestAddress property.
HdrProtocolID: 8-bit unsigned integer, representing an IP protocol type.
HdrSrcPortStart: Represents the lower end of a range of UDP or TCP source ports.
HdrSrcPortEnd: Represents the upper end of a range of UDP or TCP source ports.
HdrDestPortStart: Represents the lower end of a range of UDP or TCP destination ports.
HdrDestPortEnd: Represents the upper end of a range of UDP or TCP destination ports.
TCPFlagsOn: A set of flags whose effective value in the TCP header of each packet must be ON for the filter to take effect.
TCPFlagsOff: A set of flags whose effective value in the TCP header of each packet must be OFF for the filter to take effect.
FilterProfile: Specifies the type of behavior exhibited by the filter.
FilterProfileData: An extra data parameter which is used depending on the FilterProfile. It is left blank for Drop/Pass/Statistics filters, but is required for Rate Limit filters.
FilterDirection: Specifies the traffic direction (transmit or receive) that the filter governs.
ActionEventOnMatch: Specifies whether an Event should be created in the Event Manager when this filter is matched.

Policy Supported Fields

InstanceID: Enter any value (the value is overridden).
PolicyName: "ExamplePolicy". Enter a meaningful name that you can use later to search for this instance. Maximum length 16.
PolicyPrecedence: In case multiple policies are being activated simultaneously, the policy with the highest precedence value takes effect.
AntiSpoofingSupport: Anti Spoofing has the highest priority for blocking.
FilterCreationHandles: A list of Filter Creation Handles to be included in the Policy.
TxDefaultDrop: Specifies whether the TX packet should be dropped on filter match.
TxDefaultMatchEvent: Specifies whether an Event should be created in the Event Manager when this filter is matched.
TxDefaultCount: Specifies whether to count filter matches.
RxDefaultDrop: Specifies whether the RX packet should be dropped on filter match.
RxDefaultMatchEvent: Specifies whether an Event should be created in the Event Manager when this filter is matched.
RxDefaultCount: Specifies whether to count filter matches.
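To make the filter and policy semantics above concrete, here is an added PowerShell example (not code from the original post or from the Intel vPro module) that evaluates a constructed packet against an AMT_IPHeadersFilter-style filter and then falls back to the policy's Tx/Rx default drop setting. The hashtable layout, the 'Tx'/'Rx' direction labels, and the 4/16-octet address lengths for HdrIPVersion 4/6 are assumptions made for this illustration.

```powershell
# Added example, not the Intel vPro module's own code. Models one IP filter
# plus the policy default using the field semantics from the tables above.
function Test-IPHeaderMatch {
    param([hashtable]$Filter, [hashtable]$Packet)
    if ($Filter.FilterDirection -ne $Packet.Direction) { return $false }
    # Assumed: HdrIPVersion 4 means 4-octet addresses/masks, 6 means 16 octets.
    $len = if ($Filter.HdrIPVersion -eq 6) { 16 } else { 4 }
    foreach ($side in 'Src', 'Dest') {
        $addr = [byte[]]$Filter["Hdr${side}Address"]
        $mask = [byte[]]$Filter["Hdr${side}Mask"]
        $have = [byte[]]$Packet["${side}Address"]
        if ($addr.Length -ne $len -or $mask.Length -ne $len -or $have.Length -ne $len) { return $false }
        for ($i = 0; $i -lt $len; $i++) {
            # Masked compare: only the bits set in Hdr*Mask take part in the comparison.
            if (($have[$i] -band $mask[$i]) -ne ($addr[$i] -band $mask[$i])) { return $false }
        }
    }
    if ($Filter.HdrProtocolID -ne $Packet.Protocol) { return $false }
    if ($Packet.SrcPort -lt $Filter.HdrSrcPortStart -or $Packet.SrcPort -gt $Filter.HdrSrcPortEnd) { return $false }
    if ($Packet.DestPort -lt $Filter.HdrDestPortStart -or $Packet.DestPort -gt $Filter.HdrDestPortEnd) { return $false }
    if ($Packet.Protocol -eq 6) {
        # Every TCPFlagsOn bit must be set and every TCPFlagsOff bit must be clear.
        if (($Packet.TcpFlags -band $Filter.TCPFlagsOn) -ne $Filter.TCPFlagsOn) { return $false }
        if (($Packet.TcpFlags -band $Filter.TCPFlagsOff) -ne 0) { return $false }
    }
    return $true
}

function Get-PolicyVerdict {
    param([hashtable]$Policy, [hashtable[]]$Filters, [hashtable]$Packet)
    foreach ($f in $Filters) {
        if (Test-IPHeaderMatch -Filter $f -Packet $Packet) { return "$($f.Name): $($f.FilterProfile)" }
    }
    # No filter matched, so the policy default for this direction decides.
    $drop = if ($Packet.Direction -eq 'Tx') { $Policy.TxDefaultDrop } else { $Policy.RxDefaultDrop }
    if ($drop) { return 'default: Drop' } else { return 'default: Pass' }
}

# Constructed sample: pass received TCP traffic to 10.0.0.0/8 port 443, drop all other received traffic.
$allowHttps = @{ Name = 'allowHttps'; FilterProfile = 'Pass'; FilterDirection = 'Rx'; HdrIPVersion = 4
    HdrSrcAddress = 0,0,0,0; HdrSrcMask = 0,0,0,0; HdrDestAddress = 10,0,0,0; HdrDestMask = 255,0,0,0
    HdrProtocolID = 6; HdrSrcPortStart = 0; HdrSrcPortEnd = 65535; HdrDestPortStart = 443; HdrDestPortEnd = 443
    TCPFlagsOn = 0; TCPFlagsOff = 0 }
$policy = @{ PolicyName = 'demoPolicy'; RxDefaultDrop = $true; TxDefaultDrop = $false }
$https = @{ Direction = 'Rx'; SrcAddress = 192,168,1,9; DestAddress = 10,1,2,3; Protocol = 6; SrcPort = 51000; DestPort = 443; TcpFlags = 2 }
$dns   = @{ Direction = 'Rx'; SrcAddress = 192,168,1,9; DestAddress = 10,1,2,3; Protocol = 17; SrcPort = 51001; DestPort = 53; TcpFlags = 0 }
Get-PolicyVerdict -Policy $policy -Filters @($allowHttps) -Packet $https
Get-PolicyVerdict -Policy $policy -Filters @($allowHttps) -Packet $dns
```

With this sample the first packet is accepted by the allowHttps filter, while the UDP packet matches nothing and so receives the RxDefaultDrop verdict, which is the behavior the Tx/Rx default fields in the policy table describe.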