Video Screencast Help

Block MP3 Downloads Using IPS Signatures In SEPM

Created: 29 Jul 2009 • Updated: 17 Sep 2009 | 8 comments
Rafeeq's picture
+8 8 Votes
Login to vote


Last week there was a request from our client to domonstrate IPS functionality of SEP in blocking web downloads, as the systems are in test environment they did not say anyting in particular to block, the popular one is to block streaming media , decided to go with blocking MP3 downloads.

Here is how we went with using IPS to achieve this task.

Important concern was in understanding the flow of communication between a client and server during the session is necessary if custom signatures are to be created. Various pieces of information are sent back and forth between these two systems, contained in TCP packets destined for the appropriate service (port 80 for HTTP, and 21 for FTP) on the server. Within these packets is a payload component containing the required information.

First we did a packet capture of HTTP and FTP with respect to MP3 Download because its important to know how it works in first place ( i'm just a begineer with respect to IPS signatures) 

Packet captures of both HTTP and FTP requests for an MP3 file would give us the frequently used commands  ( you have lot of free tools for it )

The HTTP GET and FTP RETR commands utilized by browsers and FTP clients when downloading files

The FTP command is also used when multiple files are retrieved using the MGET command. The file name, including the mp3 extension, is present in
both requests, and both protocols insert [CR][LF] characters to mark the end of the request. This provides sufficient information to create custom signatures to prevent these requests from being transmitted.

The signatures will need to contain several parameters, including a regular expression that identifies the specific commands that should be blocked. Regular expressions are patterns of characters that are compared against data, in this case, the contents of the packet. The
commands we wish to block are clearly contained in these packets.

As we do not know the filename, we need to use a wildcard to match the unknown number of characters between the command and the filename. We also need to consider the possibility that the command may not be issues in upper case, and also that the file extension may be capitalized. With this knowledge, we  built the signature syntax as follows:

  In order to apply this rule to tcp packets : rule tcp (what protocal ?) 

  Packet must contact tcp-ack flag (reduces false positives) : tcp_flag&ack

  Request must originate on the host : saddr=$LOCALHOST

For the FTP rule we need to

limit to destination port 21 (FTP) : dest=(21)
descriptive name for rule in logs : msg=”MP3 in FTP” :
match ASCII text “RETR [.*].mp3[CR][LF]” – not case sensitive
regexpcontent="[Rr][Ee][Tt][Rr] .*[Mm][Pp]3\x0d\x0a"

Goes same for HTTP too 

 limit to destination ports 80 and 443 : dest=(80,443)
descriptive name for rule in logs : msg=”MP3 in HTTP” :
ASCII text “GET [.*].mp3[CR][LF]” – not case sensitive
regexpcontent="[Gg][Ee][Tt] .*[Mm][Pp]3 .*\x0d\x0a

So the final content would look like this

rule tcp, dest=(21), tcp_flag&ack, saddr=$LOCALHOST, msg="MP3 detected",
regexpcontent="[Rr][Ee][Tt][Rr] .*[Mm][Pp]3\x0d\x0a"

rule tcp, dest=(80,443), tcp_flag&ack, saddr=$LOCALHOST, msg="MP3 GET in HTTP detected",
regexpcontent="[Gg][Ee][Tt] .*[Mm][Pp]3 .*\x0d\x0a"

Once we have this, its easier to add the same in our SEPM under IPS signature Polices

1. Click on the Policies button.
2. Under View Policies, click Intrusion Prevention.
3. Click Add Custom Intrusion Prevention Signatures. The Custom Intrusion Prevention Library
dialog box appears.

By default An example signature group and signature are listed. To view the signature content,
select the signature and click Edit below the Signatures table.

4. Type a name for the custom library, and optionally add a description.
5. At the bottom of the Signature Groups pane (on the left of the dialog box), click Add to add a
new signature group.
6. Type a name for the signature group, and optionally add a description.
7. The group you added is listed in the Signature Groups box and is automatically enabled. If you
do not want it enabled yet, clear the Enable this Group checkbox.
8. Below the Signatures table, click Add. The Add Signature dialog box is displayed. Fill in the

Type a Name and Description (optional) for the signature.
Indicate the Severity from 0 (most critical) to 15 (informational only).
Indicate the direction of traffic to be checked for the signature.

9.Type the syntax of the signature in the Content fied (the one we have above , for HTTP and FTP)
    if you want any applications to trigger the option you can do so by selecting application tab and mention the application

10.Select action Block or allow or write to packet log, we selected Write to packet log and blocked it

Now we need to test if its working or not

we tried with browser and it was timed out after few seconds, saying internet explorer cannot download , connection with server was reset,
the same would happen with FTP also It does not matter if the client is command-line or GUI based, the same RETR command is used by all clients the command will time-out, and the remote server will reset the connection, effectively disconnecting the client.

The event can be viewed in the Console in the Firewall Attacks Logs, and the msg parameter provided in the signature syntax allows easy identification
of these events.

On test environment it was successfull, i was able to achive this after reading custom signature help file from SEP client help menu,

hope this was informative and you guys have good time in using all the features of SEP..

Comments 8 CommentsJump to latest comment

Vikram Kumar-SAV to SEP's picture

Nice info..

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search use it.

Login to vote
steffen910's picture

thanks for u r article

Login to vote
marcosavelino's picture

como fazer

Marcos Avelino

Login to vote
SAM_SHAIKH's picture

Hi Rafeeq,

Thank you for the above document. Just want to know if we want to block " .avi, .mpeg, .mpg, .mp4, .wav, .ogg, " how can we add these extensions in the aboev signatures.

Also whether the same will work if the users are trying to send the MP3 files over the WAN  (Copy/Paste) on another system.

Thank you.



Login to vote
kishor58's picture

hi can you please provide the signatures for .avi, .mkv, .mp4 as you provided for mp3. 

and i need to know actually i blocked, is there any other way to open it.


Login to vote
ShadowsPapa's picture

can one specifiy a RANGE of ports?

I know you can do 80,443 for example, but could one do say 20-25 or 8000-8080 ??

I hate to list them ALL one by one, and want to cover all bases and some how, some are getting by on what looks like alternative ports some sites use instead of 80 and 443 for HTTPS and HTTP with privacy.

Login to vote
MarkBrab's picture


Thank you VERY MUCH for sharing this!!!


Login to vote