
Use Custom IPS Signatures to Forbid Access to a Specific Subsite

Created: 16 Jan 2012 • Updated: 18 Jan 2012 | 3 comments
By yang_zhang

Consider this scenario:

Your company has a top-level intranet site, and each business unit or department has its own subsite under it: for example, the Finance Department has a Finance subsite and the Development Department has a Development subsite. Under each subsite there are pages and documents that must not be viewed by other departments. For example, employees of the Development Department must not be able to see the pages and documents under the Finance subsite. How can you achieve this?

One solution is a Custom Intrusion Prevention Signatures (IPS) policy in SEP. Note that this is a network-level content match on the endpoint's outbound traffic, not an access-control setting on the web server itself; it only works for cleartext HTTP (see the comments below).

Following the above example, the steps below create a custom IPS policy that forbids employees of the Development Department from accessing the Finance subsite.

1. On an endpoint, run Wireshark to capture packets while accessing the Finance subsite, and record the request pattern that will become the signature:

In our example, the request line in the captured packet looks like: GET /finance/

2. Log in to the SEPM, choose 'Policies' --> 'Intrusion Prevention' --> 'Custom Intrusion Prevention Signatures', and click 'Add Custom Intrusion Prevention Signatures'.

3. Enter a name for the custom signatures, click 'Add' under 'Signatures', and enter the name of the signature group:

4. Click 'Add' under 'Signatures for this group':

5. In the 'Content' box, enter the following signature:

rule tcp, dest=(80), saddr=$LOCALHOST, msg="You are forbidden to access the finance subsite!", regexpcontent="[Gg][Ee][Tt] .*[/][Ff][Ii][Nn][Aa][Nn][Cc][Ee][/].*"

The fields of this signature mean the following:

rule tcp, dest=(80), saddr=$LOCALHOST: match TCP traffic originating from the local machine ($LOCALHOST is the client's own address, not the loopback interface) to destination port 80, i.e. cleartext HTTP only

msg="": the message displayed on the SEP client when the signature triggers

regexpcontent="": a regular expression, in C-style syntax, matched against the packet payload; the bracket expressions make the match case-insensitive

6. Assign this policy to the client group that contains the Development Department's computers.

7. From an endpoint in that group, try to access the Finance subsite; after the request is blocked, a notification appears:
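To see what the signature above actually matches, here is an added Python example (not code from the original article or from Symantec) that compiles the same regexpcontent and runs it over constructed packet payloads. It also shows two things the comments below raise: a request line split across two TCP segments is not matched by a per-packet check, and a TLS handshake on port 443 never contains the GET line, so adding 443 to dest= yields a syntactically valid rule but no match. The build_rule helper, the sample payloads and the Host value are this example's own assumptions.

```python
import re

# The regexpcontent from the article's signature, reproduced here so it can be
# exercised offline. SEP's bracket-expression syntax is also valid Python re syntax.
SEP_REGEXP = r"[Gg][Ee][Tt] .*[/][Ff][Ii][Nn][Aa][Nn][Cc][Ee][/].*"
_PATTERN = re.compile(SEP_REGEXP.encode("ascii"))


def matches_signature(payload: bytes) -> bool:
    """True if one TCP segment payload would trigger the signature.

    This mirrors a per-packet regex search: nothing here reassembles the TCP
    stream, so a request line split across two segments is not matched.
    """
    return _PATTERN.search(payload) is not None


def matches_stream_as_segments(segments) -> bool:
    """Apply the per-packet check to each segment in turn (no reassembly)."""
    return any(matches_signature(segment) for segment in segments)


def case_insensitive_class(word: str) -> str:
    """Expand 'finance' to '[Ff][Ii][Nn]...' in the style the article's rule uses."""
    return "".join(
        f"[{ch.upper()}{ch.lower()}]" if ch.isalpha() else re.escape(ch) for ch in word
    )


def build_rule(path_segment: str, ports=(80,), msg="Access to this subsite is blocked") -> str:
    """Emit a rule string in the article's format for another path segment.

    Hypothetical helper (not part of SEP): only the fields the article shows
    are emitted, and the parameters are this example's own.
    """
    port_list = ",".join(str(p) for p in ports)
    regexp = f"{case_insensitive_class('GET')} .*[/]{case_insensitive_class(path_segment)}[/].*"
    return (
        f'rule tcp, dest=({port_list}), saddr=$LOCALHOST, '
        f'msg="{msg}", regexpcontent="{regexp}"'
    )


# Constructed sample payloads (not real captures); the Host value is a placeholder.
SAMPLES = {
    "plain GET": b"GET /finance/budget.xlsx HTTP/1.1\r\nHost: intranet\r\n\r\n",
    "mixed case": b"get /Finance/ HTTP/1.1\r\nHost: intranet\r\n\r\n",
    "other subsite": b"GET /dev/index.html HTTP/1.1\r\nHost: intranet\r\n\r\n",
    # The two cases below reach the same resource but never contain 'GET /finance/'.
    "POST to finance": b"POST /finance/upload HTTP/1.1\r\nHost: intranet\r\n\r\n",
    "percent-encoded f": b"GET /%66inance/ HTTP/1.1\r\nHost: intranet\r\n\r\n",
    # TLS record header + start of a ClientHello: all the IPS sees on port 443.
    "TLS ClientHello": b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + bytes(32),
}


def demo() -> dict:
    """Run every constructed sample through the signature and return the verdicts."""
    return {name: matches_signature(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name:18} -> {'BLOCK' if blocked else 'pass'}")
    split = [b"GET /fin", b"ance/ HTTP/1.1\r\n\r\n"]
    print("split across segments ->", "BLOCK" if matches_stream_as_segments(split) else "pass")
    print(build_rule("finance", ports=(80, 443)))
```

The POST and percent-encoded cases show why this approach is a deterrent rather than access control: the web server resolves both requests to the same Finance resource, but neither payload contains the literal GET /finance/ string, so the signature never fires. Real authorization still belongs on the site itself.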

Good Luck!

Comments (3)

JavaGuy:

Nice article. Can you please let me know what the signature would be for the same scenario if the URLs are SSL-based (i.e. HTTPS URLs)? The same regexpcontent is not working for port 443.

Viper5:

The content should start like this to add support for HTTPS:

rule tcp, dest=(80,443), saddr=$LOCALHOST

ArpitBadwaik:

This is not a particularly effective way of blocking access to a website. IPS scans the content of each packet; this method of blocking relies on finding the "" string inside one of the packets going between the browser and the web server, which doesn't necessarily have to be the case. And with HTTPS traffic, IPS will only see the encrypted data stream, not the decrypted bytes (the secure channel is between the browser and the web server).

Arpit Badwaik

Sr.Technical Support Engineer | Endpoint Security Advanced Team

