Consider this scenario:
Your corporation has a top-level website, for example, wudi.com. Each BU/department obtains its own subsite under this site: for example, the Finance Department obtains a subsite named wudi.com/finance, and the Development Department obtains a subsite named wudi.com/development. Under each subsite, there are some pages/documents that must not be viewed by other departments. For example, employees of the Development Department must not have the rights to see the pages/documents under wudi.com/finance. How could you achieve this?
One solution is to use a Custom Intrusion Prevention Signatures (IPS) policy in SEP.
Following the above example, the steps below create a custom IPS policy that forbids employees of the Development Department from accessing wudi.com/finance:
1. On the endpoint desktop, run Wireshark to capture the packets sent when accessing wudi.com/finance, and record the signature of the packets.
In our example, the signature of the packet looks like: GET /finance/
2. Log in to the SEPM, choose 'Policies' --> 'Intrusion Prevention' --> 'Custom Intrusion Prevention Signatures', and click 'Add Custom Intrusion Prevention Signatures'.
3. Enter a name for this signature, click 'Add' under 'Signatures', and enter the name of the signature group.
4. Click 'Add' under 'Signatures for this group'.
5. In the 'Content' box, enter the following signature content:
rule tcp, dest=(80), saddr=$LOCALHOST, msg="You are forbit to access the finance subsite!", regexpcontent="[Gg][Ee][Tt] .*[/][Ff][Ii][Nn][Aa][Nn][Cc][Ee][/].*"
Here is the meaning of each part of this signature:
rule tcp, dest=(80), saddr=$LOCALHOST: TCP traffic from the local host to destination port 80
msg="": the message displayed on the SEP client when this signature triggers
regexpcontent="": the regular expression matched against the content, which follows the C language syntax
6. Assign this signature to the group where the Development Department is located.
7. From the endpoint, try to access wudi.com/finance; after the request is blocked, a notification is displayed.
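Before assigning the signature in step 6, it helps to check offline which requests the regexpcontent pattern from step 5 matches. The following is an added example, not part of the original post or of SEP; it assumes Python's re module behaves like the SEP regex engine for this pattern, and the helper names (parse_signature, would_trigger, evaluate) and the sample requests are constructed for illustration.

```python
import re

# Signature text copied verbatim from step 5.
SIGNATURE = ('rule tcp, dest=(80), saddr=$LOCALHOST, '
             'msg="You are forbit to access the finance subsite!", '
             'regexpcontent="[Gg][Ee][Tt] .*[/][Ff][Ii][Nn][Aa][Nn][Cc][Ee][/].*"')


def parse_signature(text):
    """Split a signature line into key=value fields, keeping quoted values whole."""
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', text):
        fields[key] = quoted if quoted else bare
    return fields


def would_trigger(signature, payload):
    """Return True if the signature's regexpcontent matches the TCP payload.

    Assumption: Python's re stands in for the SEP regex engine here.
    """
    pattern = parse_signature(signature)["regexpcontent"]
    return re.search(pattern, payload) is not None


# Constructed sample HTTP requests (not captured traffic).
SAMPLES = {
    # The request the rule is meant to block.
    "intended": "GET /finance/ HTTP/1.1\r\nHost: wudi.com\r\n\r\n",
    # The character classes make the match case-insensitive.
    "mixed_case": "get /Finance/Budget.xls HTTP/1.1\r\nHost: wudi.com\r\n\r\n",
    # The Development Department's own subsite must stay reachable.
    "development": "GET /development/ HTTP/1.1\r\nHost: wudi.com\r\n\r\n",
    # Over-blocking: "/finance/" deeper in the path of another subsite.
    "nested_path": "GET /development/finance/notes.html HTTP/1.1\r\nHost: wudi.com\r\n\r\n",
    # Over-blocking: the rule has no host condition, so any site on port 80 matches.
    "other_host": "GET /finance/ HTTP/1.1\r\nHost: example.org\r\n\r\n",
}


def evaluate(signature=SIGNATURE):
    """Map each sample name to whether the signature would trigger on it."""
    return {name: would_trigger(signature, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:12s} {'BLOCK' if hit else 'allow'}")
```

The nested_path and other_host results show that the pattern matches /finance/ anywhere after GET and for any destination host on port 80, so legitimate pages outside the finance subsite can be blocked as well.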