Website blocking via custom IPS signatures
I am curious if anyone has played with custom IPS signatures enough to explore some advanced functionality. I am trying to do the following:
- Allow one particular website (google.com in my test)
- Block ALL other HTTP/S traffic to any other websites.
I am well aware of the firewall policy's ability to do so, but in my case the firewall module is not installed with SEP and I would like to use IPS signatures to do so.
I created two IPS policies, as shown below.
Syntax for the first ALLOW one is:
rule tcp, dest=(80), msg="GOOGLE ALLOWED", content="www.google.com"
Syntax for the second BLOCK one is:
rule tcp, dest=(80), msg="HTTP Blocked"
For some reason this is not working, however. Any website I go to, including google.com, is blocked with "HTTP Blocked" listed in the Security log on the client. Does anyone know what I'm doing wrong here? Is the IPS rulebase not designed to perform tasks like a blanket "deny" with a selective "allow"?
I've seen all the cases discussed here that BLOCK a particular website or function; in my case I want to block almost everything and ALLOW a particular website or content.
Thanks in advance!