I have read that $LOCALHOST is pre-defined in SEP's custom IPS.
However, it seems to me that in 11.xxx it used to be listed in the variables tab. I could see it there, but I MAY BE WRONG, I may be remembering SEP 11 incorrectly as that was a long time ago.
* Currently I see a pre-defined variable named "any" which I did not put there in the variables tab list, yet it exists.
$LOCALHOST does not exist in that Variables tab, while 'any' does.
So, what is meant by "predefined"?
Does that mean I should see it in that variables list/tab along with "any",
or does predefined mean that it's hard-coded into SEP and needs no further definition?
And if it is not needed in the list we "see" in the variables tab, and it's hard-coded directly into SEP, then if I do not define either daddr=(xxxx) or saddr=(xxxx) in a custom IPS signature, does SEP automatically ASSUME "$LOCALHOST", or should I put it into the signature such as saddr=$LOCALHOST?
If I do not specify a source address or destination address, does it assume ANY address at all? That seems to make more sense: if I don't specify an address for source or destination, and if I do not specify source or destination as LOCALHOST, can I assume that the sig will apply to ANY address at all?
I'm trying to figure out how so many people here are getting through to blocked things- it's almost as if the computer or user tries so hard they eventually over-run SEP's custom IPS and they get through anyway.
If I had a signature that said block and content="ebay.com" I would see some people STILL getting to ebay.com while others would not, and of those it appears to block, I see in their history that they still somehow end up getting to ebay.com/login or similar, JUST for an example I can think of fast!
If I block some cloud document or file sharing, again just as a fast example, googledocs, the sig will specify the googledocs URL, but in the computer history I see where they not only got there, but opened a shared document. How can that be?
I say that because I see in the logs where a person/computer triggered a rule, and it says it was blocked and it's listed in the logs, so I assume it was blocked, and yet I see in the web history of that computer that they successfully accessed the blocked site, logged in and actually used it for a while, dozens of hits in the history, and the sequence of pages proves they met with success getting there, yet SEP's custom IPS logs show that attempts were blocked. So I have to assume SEP blocks some attempts, but not all, and they eventually make it! Perhaps SEP logs blocking 10 attempts, but they tried 11 times and the 11th made it, for example. Is that possible?
I'm trying to figure out where the problem is - are there so many rules defined in the custom IPS that SEP just plain can't keep up and so half the traffic is blocked, half can't be blocked and all it does is slow them down getting there?
Is there a problem with the "$LOCALHOST" variable? I no longer see it defined in the variables tab; I thought it USED to be years ago, but it sure isn't now. And if not there, why is an ANY definition in there? Why one and not the other, as "ANY" is also predefined by someone! Not me...
And if the rules DO block, why can some folks get through if they keep trying hard enough?
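The following is an added example, not code from the post above and not Symantec's signature engine. It is a toy model of a content-matching signature with optional source/destination address fields, built to illustrate the two points the post raises: what it means for an omitted saddr/daddr to match any address, and one well-known reason a content="..." block can fire on some attempts and not others. The assumptions are the model's own, not statements about how SEP evaluates signatures: an omitted address field matches any address; a "per-segment" matcher inspects each TCP segment payload in isolation; a "stream" matcher inspects the reassembled connection. The addresses, the $LOCALHOST stand-in and the HTTP request are constructed for the example.

```python
"""Toy model of a content-matching IPS signature (added example, not SEP's engine).

Assumptions of this model, not statements about SEP:
- an omitted saddr/daddr matches any address;
- a per-segment matcher sees each TCP segment's payload on its own;
- a stream matcher sees the reassembled byte stream of the connection.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed stand-in for a $LOCALHOST-style variable (hypothetical address).
LOCALHOST: Set[str] = {"192.0.2.10"}


@dataclass
class Signature:
    content: bytes
    saddr: Optional[Set[str]] = None  # None models "not specified" -> any source
    daddr: Optional[Set[str]] = None  # None models "not specified" -> any destination

    def addr_matches(self, src: str, dst: str) -> bool:
        """Address test: an omitted side matches anything (model assumption)."""
        src_ok = self.saddr is None or src in self.saddr
        dst_ok = self.daddr is None or dst in self.daddr
        return src_ok and dst_ok


@dataclass
class Segment:
    src: str
    dst: str
    payload: bytes


def split_into_segments(src: str, dst: str, data: bytes,
                        sizes: Iterable[int]) -> List[Segment]:
    """Cut one request into TCP-segment-sized payloads (constructed traffic)."""
    segs: List[Segment] = []
    pos = 0
    for n in sizes:
        segs.append(Segment(src, dst, data[pos:pos + n]))
        pos += n
    if pos < len(data):
        segs.append(Segment(src, dst, data[pos:]))
    return segs


def per_segment_verdicts(sig: Signature, segs: List[Segment]) -> List[bool]:
    """Naive matcher: one verdict per segment, payload inspected in isolation."""
    return [sig.addr_matches(s.src, s.dst) and sig.content in s.payload
            for s in segs]


def stream_verdict(sig: Signature, segs: List[Segment]) -> bool:
    """Reassembling matcher: one verdict for the concatenated stream."""
    if not segs or not all(sig.addr_matches(s.src, s.dst) for s in segs):
        return False
    return sig.content in b"".join(s.payload for s in segs)


# Constructed HTTP request; the hostname sits at byte offsets 31..38.
REQUEST = b"GET /login HTTP/1.1\r\nHost: www.ebay.com\r\nUser-Agent: x\r\n\r\n"


def demo() -> Tuple[List[bool], List[bool], bool]:
    """Same request, same signature, two segmentations.

    Returns (intact per-segment verdicts, split per-segment verdicts,
    split stream verdict). With the 35-byte split the string "ebay.com"
    straddles two segments, so the per-segment matcher never sees it.
    """
    sig = Signature(content=b"ebay.com", saddr=LOCALHOST)  # daddr omitted -> any
    client, server = "192.0.2.10", "198.51.100.5"          # constructed addresses
    intact = split_into_segments(client, server, REQUEST, [len(REQUEST)])
    split = split_into_segments(client, server, REQUEST, [35])
    return (per_segment_verdicts(sig, intact),
            per_segment_verdicts(sig, split),
            stream_verdict(sig, split))


if __name__ == "__main__":
    intact, split, stream = demo()
    print("intact request, per segment :", intact)   # [True]
    print("split request, per segment  :", split)    # [False, False]
    print("split request, reassembled  :", stream)   # True
```

In this model a signature with no saddr/daddr matches traffic from any address, and a signature with saddr=LOCALHOST only matches when the source is in that set; both are assumptions of the model, not a reading of SEP's defaults. The segmentation case shows why a pattern like content="ebay.com" can be logged as blocked on one attempt and missed on the next if the matcher works per packet and the string happens to fall across a segment boundary; whether that is what is happening in the poster's environment is not something this example can establish.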