Endpoint Protection


Need to Prove that IPS is Functioning


  • 1.  Need to Prove that IPS is Functioning

    Posted Oct 31, 2013 12:28 PM

    I am in the process of deploying IPS to our environment.  Before I can go further, I need to be able to prove that IPS is functioning as it should.  My idea is to create a custom IPS signature to block a specific website.  I have followed some guidance here in the forum (blocking google.com is always the example), and like others, it seems to be failing.


    Can someone provide some cut-and-dried directions to add a specific website to a custom IPS signature so that a specific website is blocked?  Once I can prove that IPS is doing its thing, I will then just go with the default IPS, as the things we want to achieve from having IPS running are already included with the default signatures (which is to block Cryptolocker/Ransomlocker).


    Many Thanks!!



  • 2.  RE: Need to Prove that IPS is Functioning

    Posted Oct 31, 2013 01:19 PM


  • 3.  RE: Need to Prove that IPS is Functioning

    Posted Oct 31, 2013 02:13 PM

    Don't know why this would fail for you. This has always worked for me during customer demos.

    How to block/allow website access using the Symantec Endpoint Protection Manager custom Intrusion Prevention Signature policy




  • 4.  RE: Need to Prove that IPS is Functioning

    Posted Oct 31, 2013 02:35 PM

    In addition to SMLatCST, if you want to prove the functioning of the Symantec signatures, try to download the EICAR test file (eicar.com) from http://www.eicar.org.

    IPS should detect it. You can see the event and the blocking in the client's security log. If you have activated automatic blocking (can be adjusted in the Firewall policy), the client won't be able to connect to www.eicar.org for the next 10 minutes (default setting).




  • 5.  RE: Need to Prove that IPS is Functioning

    Trusted Advisor
    Posted Oct 31, 2013 02:50 PM

    Hello,

    Try and download EICAR from the EICAR website - it will trigger IPS.

    You can also try something like Metasploit or similar.

    Check these threads with a similar query:

    https://www-secure.symantec.com/connect/forums/how-verify-ips-working

    https://www-secure.symantec.com/connect/forums/how-intrusion-prevention

    Hope that helps!!



  • 6.  RE: Need to Prove that IPS is Functioning

    Posted Oct 31, 2013 04:03 PM

    Rafeeq - those are the steps I have taken, exactly.  I cannot figure it out.  But - maybe something is happening now.  I notice in the console, all the machines in my test group are showing that they need a reboot.  Will reboot and hope my sample website is blocked now...  I'll keep you all advised.



  • 7.  RE: Need to Prove that IPS is Functioning

    Posted Nov 01, 2013 12:19 AM

    Let us know if your IPS is working :) Will be happy to see that.



  • 8.  RE: Need to Prove that IPS is Functioning

    Posted Nov 01, 2013 10:40 AM

    I don't know what is wrong then; it will not block my sample website (which I have chosen to be www.msn.com).  The EICAR samples are blocked just fine, just as they should be.

    To sum it all up:


    Prior to trying this, our environment was AV and AS, and PTP.  To get the features of IPS added, I have added NTP and enabled IPS and did not load the Firewall.


    Systems have rebooted (these test systems, many times).  The default IPS policy is enabled.  A custom signature is created (using the guidelines I have found on this forum, except doing it for Google, I did it for MSN).  Custom signature is enabled.


    MSN opens right up.  It is not supposed to, right?  Did I miss a step?


    Thanks again....




  • 9.  RE: Need to Prove that IPS is Functioning

    Posted Nov 01, 2013 11:59 AM

    Disregard this one - it is a duplicate of above, by accident.



  • 10.  RE: Need to Prove that IPS is Functioning

    Posted Nov 01, 2013 12:02 PM

    Hello,

    Not sure what tests you are implementing and why; IPS works and blocks several threats every day, and it has not been in beta testing for a long time...  If you want to test it, ensure it is set to detect a port scan attack and then use one of the several port scanners to trigger a detection.




  • 11.  RE: Need to Prove that IPS is Functioning

    Posted Nov 01, 2013 12:20 PM

    I firmly believe that IPS is working just as advertised.  I do not need to prove it to myself - I need to prove it to my boss.  You know, those proper testing procedures that one normally does before going live with a change in a production environment.

    I'll look into attempting to prove it with a port scan.

    Thanks!



  • 12.  RE: Need to Prove that IPS is Functioning

    Posted Nov 04, 2013 10:33 AM

    Hello,

    any update?



  • 13.  RE: Need to Prove that IPS is Functioning

    Posted Nov 04, 2013 10:46 AM

    Other than the EICAR string, file download, or zip extraction being detected immediately, no.  I will use that example to "prove" that IPS is functioning.  It would be nice to be able to figure out the ability to block a website via a custom IPS signature.  Here is the text of the custom IPS signature I am trying to get working:

    rule tcp, dest=(80), msg="MSN Blocked", content="www.msn.com"

    I have also tried:

    rule tcp, dest=(80), saddr="$LOCALHOST", msg="MSN Blocked", content="www.msn.com"


    I did not come up with either one of the strings above on my own; I have just copied them (and modified from Google to MSN) based on posts I have seen/read here on this forum.  I could very well have something incorrect in the strings above.  Every post I have read indicates to me that blocking a website via a custom IPS signature did not work for others as well.



  • 14.  RE: Need to Prove that IPS is Functioning

    Posted Nov 05, 2013 11:54 AM

    I am afraid I don't have direct experience in setting custom IPS rules.

    Remember to flag the most useful post for you as solution.



  • 15.  RE: Need to Prove that IPS is Functioning

    Posted Nov 05, 2013 12:23 PM

    Do you have any test/VM systems? There are many sites out there which detail malicious URLs. Using a test system, you could navigate to these sites to test the IPS functionality.

    You can also use metasploit to throw exploits at a system. Certain Nmap scans will also trigger IPS alerts.

    Tomahawk is also a good IPS stress tester:

    http://tomahawk.sourceforge.net/



  • 16.  RE: Need to Prove that IPS is Functioning

    Posted Nov 06, 2013 02:00 AM

    Try $LOCALHOST without quotation marks.

    You can check in the Client System log if you have made a syntax error: Client > Logs > Client Management > System logs.
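An added syntax check for the two rule strings quoted in reply 13 and the unquoted-$LOCALHOST form reply 16 suggests. This is example code written for this thread, not Symantec's own parser; the clause grammar (a "rule <proto>" head, then comma-separated key=value clauses) is assumed from those strings, and the sample rules below are constructed from them.

```python
import re

# Added lint for the custom IPS rule strings quoted in this thread. The grammar is
# assumed from those two examples: a "rule <proto>" head, then comma-separated
# key=value clauses whose value is "quoted", (parenthesised) or bare, e.g. $LOCALHOST.
HEAD_RE = re.compile(r'^\s*rule\s+(?P<proto>[a-z]+)\s*(?:,|$)')
CLAUSE_RE = re.compile(r'\s*(?P<key>[a-z_]+)\s*=\s*(?:"(?P<quoted>[^"]*)"'
                       r'|\((?P<paren>[^)]*)\)|(?P<bare>[^,\s("]+))\s*(?:,|$)')

# Constructed samples: the thread's rule with the variable quoted, and the form
# the last reply suggests (variable without quotation marks).
RULE_QUOTED_VAR = ('rule tcp, dest=(80), saddr="$LOCALHOST", '
                   'msg="MSN Blocked", content="www.msn.com"')
RULE_BARE_VAR = ('rule tcp, dest=(80), saddr=$LOCALHOST, '
                 'msg="MSN Blocked", content="www.msn.com"')


def parse_rule(rule):
    """Return (protocol, {key: (style, value)}); raise ValueError on a syntax error."""
    head = HEAD_RE.match(rule)
    if not head:
        raise ValueError(f"rule must start with 'rule <proto>': {rule!r}")
    pos, clauses = head.end(), {}
    while pos < len(rule):
        m = CLAUSE_RE.match(rule, pos)
        if not m:
            raise ValueError(f"cannot parse clause at: {rule[pos:]!r}")
        style = next(s for s in ("quoted", "paren", "bare") if m.group(s) is not None)
        clauses[m.group("key")] = (style, m.group(style))
        pos = m.end()
    return head.group("proto"), clauses


def is_valid_rule(rule):
    """True when the rule parses under the assumed grammar."""
    try:
        parse_rule(rule)
        return True
    except ValueError:
        return False


def lint_rule(rule):
    """Findings for the problems this thread touches on; an empty list means none found."""
    _, clauses = parse_rule(rule)
    findings = []
    for key, (style, value) in clauses.items():
        if style == "quoted" and value.startswith("$"):
            findings.append(f"{key}: variable {value} is quoted; try it without quotation marks")
    if "content" not in clauses:
        findings.append("no content= clause, so the signature has nothing to match")
    return findings
```

A rule that fails `is_valid_rule` is the kind the client System log (Client > Logs > Client Management > System logs) would report as a syntax error; a rule that parses but still does not block is a policy or matching question, not a syntax one.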