I use a lot of custom IPS sigs to block certain web sites when IP addresses won't work, or when they use proxies, etc., as the content of the packet can be defined in the sig.
For example, if I want to block traffic to phony-av.com no matter where it's hosted I create a rule with
rule tcp, dest=(80), msg="phony-av site",content="phony-av.com"
as content.
HOWEVER, it has come up that we need to allow one single person in one office to access such a site, while preventing anyone else from accessing it. They have good reason to (no, it's not the phony-av.com thing, but another site we normally block; one person needs it badly for their job, and it's legit for them).
SO, is it possible to create a rule in the Custom Intrusion Prevention Signatures area that will do
rule tcp, dest=(80), msg="phony-av site",content="phony-av.com"
but with some qualifier in it, like "block this unless the request comes from or goes to IP 123.321.33.32/27", for example?
That would allow that one office in, or even narrow it down further.
I need to use these rules: they are handy, they work, they are simple, and in some ways they are better than a firewall, where the IP address the blocked site resolves to can change, as some porn and fake AV sites do (different host, different country, different IP address), but the URL is almost always the same. That's where custom IPS shines! Can I put a qualifier in there to block it in general, UNLESS a certain IP, range, or even computer name is involved?
Please? Thanks.
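The logic the post is asking for, shown as an added example that is not the poster's code and does not reproduce the syntax of any IPS product: a content-match rule with an exempt source or destination network bolted on. The 192.0.2.32/27 exempt network, the 203.0.113.x server addresses and the sample requests are assumptions constructed for the example (a documentation range stands in for the post's 123.321.33.32/27, which is not a valid IPv4 address).

```python
import ipaddress

# Constructed sample flows for the example: (source IP, destination IP, destination
# port, first bytes of payload). Made up here; not captures from the poster's network.
SAMPLE_TRAFFIC = [
    ("192.0.2.40",   "203.0.113.10", 80,  b"GET / HTTP/1.1\r\nHost: phony-av.com\r\n\r\n"),
    ("198.51.100.7", "203.0.113.10", 80,  b"GET / HTTP/1.1\r\nHost: phony-av.com\r\n\r\n"),
    ("198.51.100.7", "203.0.113.99", 80,  b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("198.51.100.7", "203.0.113.10", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
]


class ContentRule:
    """A block rule keyed on payload content rather than on the server's address,
    with optional exemptions by source or destination network.

    Field names are this example's own; they are not any product's rule syntax.
    """

    def __init__(self, dest_port, content, msg, exempt_src=None, exempt_dst=None):
        self.dest_port = dest_port
        self.content = content.encode() if isinstance(content, str) else content
        self.msg = msg
        self.exempt_src = ipaddress.ip_network(exempt_src, strict=False) if exempt_src else None
        self.exempt_dst = ipaddress.ip_network(exempt_dst, strict=False) if exempt_dst else None

    def content_matches(self, dst_port, payload):
        """The original signature: right destination port and the string is in the payload."""
        return dst_port == self.dest_port and self.content in payload

    def is_exempt(self, src_ip, dst_ip):
        """The qualifier: either endpoint inside an exempt network bypasses the block."""
        if self.exempt_src and ipaddress.ip_address(src_ip) in self.exempt_src:
            return True
        if self.exempt_dst and ipaddress.ip_address(dst_ip) in self.exempt_dst:
            return True
        return False

    def verdict(self, src_ip, dst_ip, dst_port, payload):
        """Block only when the content matches AND neither endpoint is exempt."""
        if not self.content_matches(dst_port, payload):
            return "allow"
        if self.is_exempt(src_ip, dst_ip):
            return "allow (exempt)"
        return "block: " + self.msg


def run_rule(rule, traffic):
    """Evaluate one rule over a list of flows; returns one verdict per flow."""
    return [rule.verdict(src, dst, port, payload) for src, dst, port, payload in traffic]


if __name__ == "__main__":
    rule = ContentRule(80, "phony-av.com", "phony-av site", exempt_src="192.0.2.32/27")
    for flow, result in zip(SAMPLE_TRAFFIC, run_rule(rule, SAMPLE_TRAFFIC)):
        print(f"{flow[0]:>14} -> {flow[1]}:{flow[2]:<4} {result}")
```

Two things worth keeping in mind when translating this into a real signature: the content check is a plain byte-substring match on cleartext, so a port-80 rule never sees the hostname of an HTTPS request (on 443 it only appears in the TLS ClientHello SNI, as the fourth sample flow shows), and an exemption keyed on a source address only holds if the exempted machine keeps a fixed address (static or a DHCP reservation).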