Managing custom intrusion prevention signatures
You can write your own network intrusion prevention signatures to identify a specific intrusion and to reduce the chance that a signature causes a false positive. The more specific the information you add to a custom signature, the more effective the signature is.
You should be familiar with the TCP, UDP, or ICMP protocols before you develop intrusion prevention signatures. An incorrectly formed signature can corrupt the custom signature library and damage the integrity of the clients that receive it.
Table: Managing custom intrusion prevention signatures
Create a custom library with a signature group
You must create a custom library to contain your custom signatures. When you create a custom library, you use signature groups to manage the signatures more easily. You must add at least one signature group to a custom signature library before you add the signatures.
See Creating a custom IPS library.
Add custom IPS signatures to a custom library
You add custom IPS signatures to a signature group in a custom library.
See Adding signatures to a custom IPS library.
Assign libraries to client groups
You assign custom libraries to client groups rather than to a location.
See Assigning multiple custom IPS libraries to a group.
Change the order of signatures
Intrusion prevention uses the first rule match. Symantec Endpoint Protection checks the signatures in the order that they are listed in the signatures list.
For example, suppose you add a signature group that is intended to block TCP traffic in both directions on destination port 80, and the group contains a Block all traffic signature and an Allow all traffic signature.
If the Block all traffic signature is listed first, the Allow all traffic signature is never enacted, and all HTTP traffic is blocked. If the Allow all traffic signature is listed first, the Block all traffic signature is never enacted, and all HTTP traffic is always allowed.
Firewall rules take precedence over intrusion prevention signatures.
See Changing the order of custom IPS signatures.
Copy and paste signatures
You can copy and paste signatures between groups and between libraries.
See Copying and pasting custom IPS signatures.
Define variables for signatures
When you add a custom signature, you can use variables to represent data that changes, such as a set of ports. If the data changes, you edit the variable once instead of editing every signature in the library that uses it.
See Defining variables for custom IPS signatures.
Test custom signatures
You should test the custom intrusion prevention signatures to make sure that they match the traffic you intend them to match and that they do not block legitimate traffic.
See Testing custom IPS signatures.