
Use Custom IPS Signatures to Forbid Access to a Specific Subsite

Created: 16 Jan 2012 • Updated: 18 Jan 2012 | 1 comment
By yang_zhang

Consider this scenario:

Your corporation has a top-level website, for example wudi.com. Each BU/department has its own subsite under it: the Finance Department has wudi.com/finance, and the Development Department has wudi.com/development. Under each subsite there are pages/documents that must not be viewed by other departments. For example, employees of the Development Department must not be able to see the pages/documents under wudi.com/finance. How can you achieve this?

One solution is to use a Custom Intrusion Prevention Signatures (IPS) policy in SEP (Symantec Endpoint Protection).

Following the example above, the steps below create a custom IPS policy that prevents employees of the Development Department from accessing wudi.com/finance:

1. On the endpoint desktop, run Wireshark and capture the packets while browsing to wudi.com/finance; note the distinctive content of the request packet:

In our example, the request payload begins like this: GET /finance/

2. Log in to the SEPM, choose 'Policies' --> 'Intrusion Prevention' --> 'Custom Intrusion Prevention Signatures', then click 'Add Custom Intrusion Prevention Signatures'.

3. Enter the name of this signature library, click 'Add' under 'Signatures', and enter the name of the signature group:

4. Click 'Add' under 'Signatures for this group':

5. In the 'Content' box, enter the following signature:

rule tcp, dest=(80), saddr=$LOCALHOST, msg="You are forbidden to access the finance subsite!", regexpcontent="[Gg][Ee][Tt] .*[/][Ff][Ii][Nn][Aa][Nn][Cc][Ee][/].*"

The parts of this signature mean the following:

rule tcp, dest=(80), saddr=$LOCALHOST: TCP traffic from the local host to destination port 80. Only plaintext HTTP on port 80 is inspected; HTTPS on port 443 is not covered by this clause.

msg="": the message displayed on the SEP client when the signature triggers.

regexpcontent="": a regular expression matched against the packet payload. The bracketed character classes make the match case-insensitive, so it matches "GET " followed anywhere in the payload by "/finance/". Note that it matches on the path only, not on the Host header, so a /finance/ path on any server reached over port 80 would also trigger it.

6. Assign this policy to the client group that contains the Development Department's endpoints.

7. From an endpoint in that group, try to access wudi.com/finance; the request is blocked and the notification from msg is shown:

Two limitations are worth keeping in mind. The signature only inspects plaintext HTTP: dest=(80) excludes port 443, and even if 443 were added, an HTTPS request is encrypted inside TLS, so the IPS engine never sees the string "GET /finance/" and the regular expression can never match. The signature is also a client-side block rather than an access control: it matches only the request path, and it only applies on endpoints that run SEP with this policy. The authoritative control must remain the authentication and authorization configured on the web server for wudi.com/finance itself; the IPS rule is a supplementary policy-enforcement measure.

Good Luck!
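To see exactly what the step-5 signature does and does not catch before deploying it, the following script replays the rule's regexpcontent against a handful of constructed request payloads. This is an added example, not code from the article or from Symantec: the rule parser is a hypothetical one written for the example (it understands only the fields this signature uses, and is not the SEPM's parser), the sample payloads are constructed, and the tightened pattern TIGHT_REGEX is an assumption written in Python regex syntax that the SEP regexpcontent dialect may not accept unchanged.

```python
import re

# The signature from step 5 of the article (the message text is only data here).
FINANCE_RULE = (
    'rule tcp, dest=(80), saddr=$LOCALHOST, '
    'msg="You are forbidden to access the finance subsite!", '
    'regexpcontent="[Gg][Ee][Tt] .*[/][Ff][Ii][Nn][Aa][Nn][Cc][Ee][/].*"'
)

# Hypothetical tightened pattern (assumption; not from the article or SEP docs).
# Anchors the request line, covers GET/POST/HEAD and requires the Host header,
# so only wudi.com's /finance/ is matched.  Python re syntax; SEP's regexpcontent
# dialect may not support every construct used here.
TIGHT_REGEX = (
    r'^(?:GET|POST|HEAD) /finance/[^\r\n]*\r\n'   # request line for /finance/...
    r'(?:[^\r\n]*\r\n)*?'                         # any headers before Host
    r'Host: wudi\.com\r\n'                        # ...but only on wudi.com
)

# key=value pairs in a rule line: quoted "...", parenthesised (...), or bare token
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|\(([^)]*)\)|([^,\s]+))')


def parse_rule(rule_text):
    """Split a SEP-style 'rule tcp, k=v, ...' line into a dict (hypothetical parser)."""
    head, _, rest = rule_text.partition(',')
    fields = {'proto': head.split()[1]}           # 'rule tcp' -> 'tcp'
    for key, quoted, paren, bare in _KV.findall(rest):
        fields[key] = quoted or paren or bare
    fields['ports'] = {int(p) for p in fields['dest'].split(',')}
    return fields


def rule_matches(fields, dst_port, payload):
    """Emulate the IPS decision: destination port listed AND payload matches regexpcontent."""
    if dst_port not in fields['ports']:
        return False                          # e.g. 443: the bytes are never examined
    text = payload.decode('latin-1')          # 1:1 byte mapping, so TLS bytes cannot raise
    return re.search(fields['regexpcontent'], text) is not None


# Constructed request payloads (first packet of each client request).
SAMPLES = {
    'GET finance on wudi.com':     (80,  b'GET /finance/budget.xlsx HTTP/1.1\r\nHost: wudi.com\r\n\r\n'),
    'GET development on wudi.com': (80,  b'GET /development/ HTTP/1.1\r\nHost: wudi.com\r\n\r\n'),
    'GET finance on another host': (80,  b'GET /finance/ HTTP/1.1\r\nHost: partner.example\r\n\r\n'),
    'POST finance on wudi.com':    (80,  b'POST /finance/upload HTTP/1.1\r\nHost: wudi.com\r\n\r\n'),
    # Leading bytes of a TLS ClientHello: what the IPS sees for https://wudi.com/finance
    'HTTPS finance (TLS bytes)':   (443, b'\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03' + b'\x00' * 16),
}


def evaluate(rule_text=FINANCE_RULE, samples=SAMPLES):
    """Return {sample name: blocked?} for every sample under the article's rule."""
    fields = parse_rule(rule_text)
    return {name: rule_matches(fields, port, payload)
            for name, (port, payload) in samples.items()}


def evaluate_tightened(samples=SAMPLES):
    """Same samples against TIGHT_REGEX; 443 is listed too, to show TLS stays opaque."""
    fields = {'ports': {80, 443}, 'regexpcontent': TIGHT_REGEX}
    return {name: rule_matches(fields, port, payload)
            for name, (port, payload) in samples.items()}


if __name__ == '__main__':
    for label, results in (('article rule', evaluate()), ('tightened rule', evaluate_tightened())):
        print(label)
        for name, blocked in results.items():
            print(f'  {"BLOCK" if blocked else "allow"}  {name}')
```

Running it shows the article's rule blocking the wudi.com/finance GET and allowing /development/, but also blocking a /finance/ path on an unrelated host, missing a POST to /finance/, and never matching the HTTPS request because port 443 is not listed and the payload is TLS ciphertext anyway. The tightened pattern fixes the host and method gaps, but the HTTPS sample still passes: no payload regex can see inside TLS, which is why the server-side authorization on the subsite has to remain the real control.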

Comments (1)

JavaGuy:

Nice article. Can you please let me know what the signature would be for the same scenario if the URLs are https://wudi.com/finance (i.e. SSL-based URLs)? The same regexpcontent is not working for port 443.
