Endpoint Protection

  • 1.  IPS Custom Signature

    Posted Feb 04, 2014 10:30 AM

    Hi,


    I'm trying to create a custom signature copied from Snort's ET and I always get an error.

    The signature is as follows:

    rule tcp, dest=$ANY, tcp_flag&ack, saddr=$LOCALHOST, msg="BHEK Landing URI Format", regexpcontent=".*\/[a-f0-9]{32}\/[a-z]+?\-[a-z]+?\.php\x0d\x0a"

    I have 2 variables defined:

    ANY (0.0.0.0/0)

    LOCALHOST (127.0.0.0/8)


    Can anyone help?



  • 2.  RE: IPS Custom Signature

    Posted Feb 04, 2014 10:32 AM

    Set the dest variable to dest(0)

    The full signature should be:

    rule tcp, dest=(0), tcp_flag&ack, saddr=$LOCALHOST, msg="BHEK Landing URI Format", regexpcontent=".*\/[a-f0-9]{32}\/[a-z]+?\-[a-z]+?\.php\x0d\x0a"



  • 3.  RE: IPS Custom Signature

    Posted Feb 04, 2014 10:35 AM

    What's the error you are getting?



  • 4.  RE: IPS Custom Signature

    Posted Feb 04, 2014 12:03 PM

    failed to apply a new IPS library . The client may not restart properly if it is stopped. Please see file debug.log for detailed information. Correct the error in the IPS library in the management server before restarting the client.



  • 5.  RE: IPS Custom Signature

    Posted Feb 04, 2014 12:04 PM

    I am still getting the error.



  • 6.  RE: IPS Custom Signature

    Posted Feb 04, 2014 12:05 PM

    Interesting. I added it in my test box and applied the custom IPS signature without errors.

    I do know that dest(0) is how it should be. The syntax that SEP uses is very close to Snort but not exact.



  • 7.  RE: IPS Custom Signature

    Posted Feb 04, 2014 12:21 PM

    Hi,

    The error is Category: 0,Smc,FATAL: failed to apply a new IPS library . The client may not restart properly if it is stopped. Please see file debug.log for detailed information. Correct the error in the IPS library in the management server before restarting the client.

    I don't have debugging active.



  • 8.  RE: IPS Custom Signature

    Posted Feb 04, 2014 12:33 PM

    $LOCALHOST is predefined. It's the address of the computer running the client. See the custom IPS online help in SEPM (Syntax for custom IPS signatures/IP protocol arguments). There may be a conflict with your own one.

    According to this article, you have to put a wildcard (.*) before and after a regular expression.

    So the signature should be:

    rule tcp, dest=(0), tcp_flag&ack, saddr=$LOCALHOST, msg="BHEK Landing URI Format", regexpcontent=".*\/[a-f0-9]{32}\/[a-z]+?\-[a-z]+?\.php\x0d\x0a.*"

    Keep in mind that this is case sensitive. Perhaps you have to change it to cover capitals too.

    ###EDIT

    I don't think the "{32}" syntax is working. Of course it should work in every RE idiom, but the SEP incarnation is poor :(
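An added sanity check, not part of this thread or of SEP itself: it runs the signature's regexpcontent pattern (with the leading and trailing ".*" from the post above) through Python's re engine against constructed sample lines, to show what the pattern actually requires (".php" immediately followed by CRLF, exactly 32 lower-case hex digits) and how the case-sensitivity point plays out. The hostname, path and hex string are made up; SEP's own regex engine may accept less than Python's does, so this only tests the pattern logic, not SEP.

```python
import re

# regexpcontent value from the signature in this thread, wrapped in the leading and
# trailing ".*" that the post above says SEP expects around a regular expression.
BHEK_REGEX = rb".*\/[a-f0-9]{32}\/[a-z]+?\-[a-z]+?\.php\x0d\x0a.*"

HEX32 = b"0123456789abcdef0123456789abcdef"  # constructed 32-hex-digit directory name

# Constructed sample payload lines, not captured traffic.
SAMPLES = {
    # Request line: ".php" is followed by " HTTP/1.1", not by CRLF, so no match.
    "request_line": b"GET /" + HEX32 + b"/foo-bar.php HTTP/1.1\r\n",
    # Header line whose value ends with the URI, so ".php" is directly followed by CRLF.
    "referer": b"Referer: http://example.invalid/" + HEX32 + b"/foo-bar.php\r\n",
    # Same line with upper-case hex digits: misses unless matched case-insensitively.
    "upper_hex": b"Referer: http://example.invalid/" + HEX32.upper() + b"/foo-bar.php\r\n",
    # Only 31 hex digits, so the {32} quantifier rejects it.
    "short_dir": b"Referer: http://example.invalid/" + HEX32[:-1] + b"/foo-bar.php\r\n",
}


def matches(line: bytes, case_insensitive: bool = False) -> bool:
    """True when the signature's regex matches the line under Python's re engine."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(BHEK_REGEX, line, flags) is not None


def scan(samples=SAMPLES, case_insensitive: bool = False) -> dict:
    """Map each sample name to whether the pattern matches it."""
    return {name: matches(line, case_insensitive) for name, line in samples.items()}


if __name__ == "__main__":
    for mode in (False, True):
        label = "case-insensitive" if mode else "case-sensitive"
        print(label, scan(case_insensitive=mode))
```

Only the "referer" sample matches case-sensitively; the request line never matches because the pattern demands CRLF right after ".php", which is worth knowing before blaming the {32} quantifier.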



  • 9.  RE: IPS Custom Signature

    Posted Feb 04, 2014 03:51 PM

    Jorge, 

    are you trying this from SEPM or from SEP interface?




  • 10.  RE: IPS Custom Signature

    Posted Feb 04, 2014 10:59 PM

    Hi

    Please refer to the article below and let me know if this helps

    http://www.symantec.com/business/support/index?page=content&id=HOWTO80885

    Regards




  • 11.  RE: IPS Custom Signature

    Posted Mar 02, 2014 04:47 PM

    Have you gotten this working?



  • 12.  RE: IPS Custom Signature

    Posted May 19, 2014 10:46 AM

    You stated that $LOCALHOST is pre-defined in SEP's custom IPS.

    However, it seems to me that in 11.xxx it used to be listed in the variables tab.
    Currently, I see a pre-defined "any" variable - I did not put it there, yet it exists.
    $LOCALHOST does not exist in that Variables tab, any does.

    I'm trying to figure out how so many people here are getting through to blocked things - it's almost as if the computer or user tries so hard they eventually over-run SEP's custom IPS and they get through anyway.

    I say that because I see in the logs where a person/computer triggered a rule, and it says it was blocked and it's listed in the logs, so I assume it was blocked, and yet I see in the web history that they successfully accessed the blocked site, logged in and actually used it for a while, dozens of hits in the history, and the sequence of pages proves they met with success getting there, yet SEP's custom IPS logs show that attempts were blocked.  So I have to assume SEP blocks some attempts, but not all, and they eventually make it!

    I'm trying to figure out where the problem is - are there so many rules defined in the custom IPS that SEP just plain can't keep up and so half the traffic is blocked, half can't be blocked and all it does is slow them down getting there?

    Is there a problem with the "$LOCALHOST" variable - I no longer see it defined in the variables tab, I thought it USED to be years ago, but it sure isn't now. And if not there, why is an ANY definition in there? Why one and not the other as "ANY" is also predefined by someone! Not me.......

    So - should I "see" LOCALHOST being defined anywhere, or is it a hidden, built-in thing that isn't listed but it's there anyway? Sort of hard-coded into SEP?

    And if the rules DO block, why can some - even most folks get through if they keep trying hard enough?