Endpoint Protection

  • 1.  Latest SEP, Custom IPS "content=" question.

    Posted May 19, 2014 03:50 PM

    Is it better to have fewer custom rules and have some of the rules have several content="xxxxx" arguments, or better to have more rules, and the rules have fewer content="xxxxx" arguments?

    For example, say I want to block some of the sub-domains or pages of a site, but not ALL of it, I could create a custom IPS rule for each page to block, or create a single rule for that site and define each individual page or function using a content= argument.

    Some sites have various features and such, and maybe we want to allow the main page, but not a login area, or a shopping feature, we could define a rule for ASITE.COM and have arguments in that rule like   content="ASITE.COM/LOGIN", content="ASITE.COM/SHOPPING", content="ASITE.COM/FORUM"
    and so on.

    What is SEP's limit on custom IPS rules? How many "rules" or definitions can it handle in each library, assuming each collection of custom IPS is a library, and in each library are signature groups. Any practical limit to signature groups in each collection or library, and any practical limit as to the number of individual rules in each group?
    Can I set a custom IPS library, 10 signature groups in that library and 100 signatures in the groups in that library? Or will it CHOKE?

    And that reminds me of question number 2 directly related - when using multiple content arguments, should there be a SPACE after the comma, or the argumentcommacontent=

    Should it look like this:
    content="ASITE.COM/LOGIN", content="ASITE.COM/SHOPPING", content="ASITE.COM/FORUM"

    or this:
    content="ASITE.COM/LOGIN",content="ASITE.COM/SHOPPING",content="ASITE.COM/FORUM"

    for example.  I ask because it seems to vary within the rules themselves. There's a comma and a space between the various argument types, like protocol argument, port argument, message argument, and content argument, but inside the saddr for example, there's a comma and NO space between addresses, same for ports - it's portcommaport and not portcommaspaceport. So should there be a space like my first example line, or no spaces like the second example line? I assume if the comma is there immediately after the content argument that is keeps looking assuming another one is down the line, but no comma, it stops?  So my guess - the top line with argument, comma, space, argument is correct.

    Wow, hope I catch a SEP custom IPS guru away here - this is going to take someone who really truly knows what they are doing in SEP's IPS area, not a place for the weak of heart!   ;-)

    Thanks!!!

    By the way - I hope this part of SEP lives forever - it's one of the most handy tools ever created, besides the application and hardware control parts. I can handle things in those areas that are 'life-saving' and have saved us from risks many times because I watched for things in certain areas, and blocked specific words and URLs. It's POWERFUL..



  • 2.  RE: Latest SEP, Custom IPS "content=" question.

    Posted May 19, 2014 04:03 PM

    I've never heard of a hard limit. General rules apply where the more signatures, the slower it can become. How many we talking about? It's probably better management to have one rule for each "action" you want the IPS to take.

    Not sure how you write your rules but generally most malware is found within the first 500 bytes so you use regexpcontent to cut down on the IPS searching thru the entire packet(s):

    regexpcontent="string value" (offset , depth) opt

    offset Specifies the start of the bytes in the packet data, from which the IPS engine matches the signature pattern.

    depth Specifies the length of the packet data in which the IPS engine matches the signature pattern.

    Also, you need a space, so your first one is correct:

    content="ASITE.COM/LOGIN", content="ASITE.COM/SHOPPING", content="ASITE.COM/FORUM"
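The offset/depth behaviour described in the reply above, as an added illustration that is not Symantec's engine and not code from this thread: a small Python model of a content match whose search window is limited to packet[offset : offset+depth], run over a constructed HTTP request to show what a 500-byte depth does and does not see.

```python
"""Model of an IPS content match narrowed by (offset, depth).

Illustration only: the window semantics follow the description in the reply
(offset = where matching starts, depth = how many bytes are searched from there);
this is not Symantec's implementation or SEP signature syntax.
"""
import re
from typing import Optional


def window_match(payload: bytes, pattern: bytes, offset: int = 0,
                 depth: Optional[int] = None, regexp: bool = False) -> bool:
    """Return True if `pattern` occurs inside payload[offset : offset+depth].

    depth=None means the search runs to the end of the packet, i.e. the
    whole-packet search a plain content= argument would perform.
    """
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    window = payload[offset:end]
    if regexp:
        return re.search(pattern, window) is not None
    return pattern in window


# Constructed request (not captured traffic): the interesting strings are in the
# first line and Host header; 600 bytes of padding push a second URL past byte 500.
REQUEST = (b"GET /LOGIN HTTP/1.1\r\n"
           b"Host: ASITE.COM\r\n"
           b"User-Agent: example\r\n\r\n"
           + b"A" * 600 + b"ASITE.COM/FORUM")


def demo() -> dict:
    """Compare a whole-packet search with one limited to the first 500 bytes."""
    return {
        # plain content=: the whole packet is searched, so the late URL is found
        "whole_forum": window_match(REQUEST, b"ASITE.COM/FORUM"),
        # regexpcontent with (0, 500): the same URL lies past the window
        "first500_forum": window_match(REQUEST, b"ASITE.COM/FORUM", 0, 500),
        # the Host header is inside the first 500 bytes, so it still matches
        "first500_host": window_match(REQUEST, rb"Host:\s*ASITE\.COM", 0, 500, regexp=True),
        # an offset past the request line drops the request line from the window
        "offset_path": window_match(REQUEST, b"GET /LOGIN", 20, 500),
    }
```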



  • 3.  RE: Latest SEP, Custom IPS "content=" question.

    Posted May 20, 2014 01:38 PM

    I've not learned or taken to the more complex rules - for malware, for example, I use this for blocking access to sites, pages or files/downloads. The firewall can't be used as with the state having an AKAMAI server, it means if you block the IP address for eBay, you also block for WalMart, Symantec, etc. It really screws things up and messes with firewall rules - block an address today and tomorrow someone can't get to a legit work-related site.
    I know that the site names or URLs will remain unchanged - and I can not only block but block only a specific page or service or file this way.

    Malware - yeah, would be nice but that's complex code I'd need to learn - and hope that Symantec includes the malware in their definitions or IPS rules!

    I use application control to block known adware - webcake for example, coupon and ad sites or free downloads that people want so badly -but are bundled with garbage we do NOT want here, so the application control lets me block things that SEP ignores because, well, it's only advertising, it's ONLY browser hijacking and redirecting, nothing important..... app control to the rescue. For downloads and specific sites or pages, I simply use custom IPS and can block playboy.com with a simple single rule. I guess it's a pseudo-web filter that way.

    But hey, you did bring up a question - does SEP nab blackshades/domains or does SEP ignore anything associated and rely on us to do it? Is there any IPS for that? I've got a list of a few thousand known blackshades domains - and I've been asked to BLACKLIST all of them. Well, SEP won't read a text file or a CSV so I guess I sit and type all of these into SEP manually?  13,676 domain names I've got to type into SEP or resolve the IP addresses and make a bazillion firewall rules?
    OR, are we covered and these thousands of domains blocked already?

    Is there something for SEP's IPS to cover that? Here's a tiny tiny sampling of the over thirteen thousand domains I've got a list of........





  • 4.  RE: Latest SEP, Custom IPS "content=" question.

    Posted May 20, 2014 01:43 PM

    SEP will have an IPS sig for domains it detects an intrusion coming from (fake web apps, malicious downloads, exploit kits, etc). I doubt every single one of them will be blocked.

    You could obviously do it with custom IPS or firewall rules but for 13k+...no way.

    Best off using a proxy/content filter as SEP *can* do it but probably considered outside the scope for the advanced stuff you do with it...