Endpoint Protection


Log entries from past day are gone

  • 1.  Log entries from past day are gone

    Posted Nov 30, 2010 08:05 AM

    SEPM - Manager console running on a notebook, pointed to one of our management servers.

    Java console, Monitors, Logs tab, Network Threat Protection for log type, Attacks, time range past week, severity minor, 200 entries, all else set to default or *

    Under Intrusion Prevention, I have a set of custom "rules" to block most radio use (checking packets for the common streaming apps and locations). It was doing a great job - found dozens of employees not only listening to web radio, then complaining that they couldn't get to other things as the "network was slow", online buying and selling, etc. Really showed up a hornet's nest of misuse of computers. I was monitoring the logs as in the first paragraph here, so I could write up a report to management, naming names, computers, locations and times. Every few minutes there was another hit showing up in the log on the SEPM console.

    Then suddenly yesterday, at 13:04 there was a hit, then nothing - no more log entries came up with the next refresh. It was as if no one was using their computers. I also noted that the email alerts I got from intrusion prevention stopped! No more email alerts after 13:57 (I call them firewall alerts).

    This AM, I restarted the 2 SEPM servers, reconnected to them via the console on my notebook, and ALL the entries that were in the intrusion prevention logs I had on display after 11/24/2010 were gone! Nothing was there from the 29th - yesterday; it all stopped after the 24th, even though I saw several on the screen yesterday. What happened??

    Where did those entries that were on the screen before I restarted the SEPM servers go? Why did the logs stop showing hits after 13:04 yesterday, and why did I stop getting firewall email alerts?



  • 2.  RE: Log entries from past day are gone

    Posted Nov 30, 2010 12:27 PM

    Ooookkkkaay - we seem to have hit a stumper here.

    Let me ask this, as I think I see what was really happening - it's not so much the logs necessarily, although there ARE issues there. I found that when I edited our custom intrusion prevention signature and added another "signature" to the group (I only have 1 group in the custom intrusion prevention signatures, which everyone uses), the whole firewall went down!

    So it wasn't just that the logs weren't showing, it's that the firewall was allowing free-flow of all traffic in and out and blocking nuttin'.

    I removed the last 2 that I'd added yesterday and it seems to be going again, sort of.

    First, though, I'd created a sub-group, unchecked inherit, then unchecked one of the sigs I'd added yesterday. When I moved computers into that sub-group, things started working for each computer as I added it. So, I thought, ok, let's delete a couple of sigs from the custom IPS - and I wonder if that's it.

    DOES that have a maximum size? IS there a maximum number of things you can add to the custom IPS before it breaks and just stops doing anything at all???

    Should I create multiple signature groups inside the custom IPS, would that help??

    LOL  - or, have I stumped the few TAs in the security area?

    (my spelling was horrible - I've edited and tried to correct a few, sorry)



  • 3.  RE: Log entries from past day are gone

    Posted Nov 30, 2010 12:47 PM

    Check the System log file to make sure the IPS library is getting applied and not failing.

    I had something similar happen with the IPS, I couldn't figure out why my sigs were not working, turns out the IPS library was never getting applied.

    I'm not sure if there is a size limit.

    I usually create multiple groups though but some groups have a lot of signatures and they seem to work fine.

    I do know that if the SEP client doesn't like the format, the IPS library load will fail.



  • 4.  RE: Log entries from past day are gone

    Posted Nov 30, 2010 12:47 PM

    I don't think Custom IPS would have a limitation unless it's hundreds of them.

    The custom rules you recently added - was there any syntax error in them? Does it work when applied as a different policy?



  • 5.  RE: Log entries from past day are gone

    Posted Nov 30, 2010 01:47 PM

    Can you define "a lot"? My idea might be 40, where your idea of a lot of signatures is 20, for example.

    I know it's getting applied - here's how I tested:
    I had a subgroup, and moved all clients to the subgroup. I went into the signature, and unchecked one of the sigs I added yesterday. I then removed inheritance, and found the clients now were blocked from certain sites. The parent group I put myself in, and I was not blocked. When I unchecked another sig I added yesterday, then it started working; when I checked it again, it stopped working.

    Weird, I thought that inheritance wouldn't apply to the custom IPS, but it seems to have impact somehow.

    I checked the format of the recently added signatures...

    These are examples so others can proof my work:
    rule tcp, dest=(80), msg="IBIBO online games Website",content="ibibo.com"
    rule tcp, dest=(80), msg=kvik radio streaming",content="kvikradio.com/streaming"
    rule tcp, dest=(80), msg="MySpace music",content="myspacecdn.com"
    rule tcp, dest=(80), msg="generic flash radio",content="flash/radio"

    WAIT - I think I see it - could the lack of a " be the issue?? Check the second one down; that's the one I added about the time it "broke". It wasn't until I pasted them here, one right above the other, no spaces, that I noted one seemed to be "shorter" than the others.

    Anyway, use of radio streaming and other "junk" has become SO prevalent here, I've had to "do something" about it, and came up with a list of ways that WMP and other things like FLASH stream radio without blocking port 80 for everyone. There's a multitude of sites and players, but as I find 'em, I block them.

    I may have just solved the mystery thanks to some prompting.



  • 6.  RE: Log entries from past day are gone

    Posted Nov 30, 2010 01:49 PM

    Check above-  I have to wonder now - look closely at my list. Anyone want to "play" with those and see if you can break it by leaving something out, something simple??

    I'd also like to see how large a number we're talking about - anyone else have a LARGE list in their custom IPS?

    And anyone use multiple lists or groups when creating a custom IPS?



  • 7.  RE: Log entries from past day are gone

    Posted Nov 30, 2010 01:50 PM

    Yes, you need the quotes in there, that may have been the issue.
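The failure mode in this thread is worth guarding against mechanically: one signature line with a missing quote and the client dropped the whole custom IPS library, leaving everything allowed. The script below is an added example, not Symantec code and not something any poster ran. It lints signature lines before they are pasted into a library and refuses to "push" if any line is bad, so the mistake is caught at the console instead of opening the endpoint. The grammar it enforces (rule <proto>, dest=(ports), msg="...", content="...") is inferred from the four lines posted above and is an assumption, as are the accepted protocols, the port range check, and the function names; the sample input is those four rules with the original typo left in.

```python
"""Lint custom IPS signature lines before they go into a library.

Assumed grammar (inferred from the thread, not Symantec's published syntax):
    rule <proto>, key=value, key="quoted value", key=(port[,port]) ...
A line that fails to parse is reported with a column number, and the whole
library is held back: better a refused push than a silently empty IPS.
"""
import re

# Constructed sample: the four rules from the thread. Line 2 carries the
# real typo (msg= is missing its opening quote).
SAMPLE_RULES = """\
rule tcp, dest=(80), msg="IBIBO online games Website",content="ibibo.com"
rule tcp, dest=(80), msg=kvik radio streaming",content="kvikradio.com/streaming"
rule tcp, dest=(80), msg="MySpace music",content="myspacecdn.com"
rule tcp, dest=(80), msg="generic flash radio",content="flash/radio"
"""

REQUIRED_KEYS = {"msg", "content"}
KNOWN_PROTOS = {"tcp", "udp"}      # assumption: only what the thread uses

_SEP = re.compile(r"\s*,\s*")      # field separator
_KEY = re.compile(r"(\w+)=")       # key=
_WORD = re.compile(r"\w+")
_BARE = re.compile(r'[^,\s"]+')    # unquoted value: no comma, space or quote


def parse_rule(line):
    """Parse one rule line into (proto, {key: value}).

    Raises ValueError naming the 0-based column of the first defect.
    """
    if not line.startswith("rule "):
        raise ValueError("col 0: line must start with 'rule '")
    pos = 5
    m = _WORD.match(line, pos)
    if not m or m.group() not in KNOWN_PROTOS:
        raise ValueError(f"col {pos}: unknown protocol")
    proto, pos = m.group(), m.end()
    fields, n = {}, len(line)
    while pos < n and line[pos:].strip():
        m = _SEP.match(line, pos)
        if not m:
            raise ValueError(f"col {pos}: expected ',' before next field")
        pos = m.end()
        m = _KEY.match(line, pos)
        if not m:
            raise ValueError(f"col {pos}: expected key=")
        key, pos = m.group(1), m.end()
        if line.startswith('"', pos):                      # quoted string
            end = line.find('"', pos + 1)
            if end < 0:
                raise ValueError(f"col {pos}: unterminated quote in {key}=")
            value, pos = line[pos + 1:end], end + 1
        elif line.startswith("(", pos):                    # port list
            end = line.find(")", pos)
            if end < 0:
                raise ValueError(f"col {pos}: unterminated '(' in {key}=")
            ports = tuple(p.strip() for p in line[pos + 1:end].split(","))
            if not all(p.isdigit() and 0 < int(p) < 65536 for p in ports):
                raise ValueError(f"col {pos}: {key}= needs numeric ports")
            value, pos = ports, end + 1
        else:                                              # bare word
            m = _BARE.match(line, pos)
            if not m:
                raise ValueError(f"col {pos}: empty value for {key}=")
            value, pos = m.group(), m.end()
            tail = line[pos:].lstrip()
            # A bare value that runs into more text (or a lone quote) is the
            # thread's bug: the writer forgot the opening quote.
            if tail and not tail.startswith(","):
                raise ValueError(f"col {pos}: unquoted value for {key}= runs "
                                 "into whitespace or a stray quote "
                                 "(missing opening quote?)")
        if key in fields:
            raise ValueError(f"col {pos}: duplicate field {key}=")
        fields[key] = value
    missing = REQUIRED_KEYS - fields.keys()
    if missing:
        raise ValueError(f"col {n}: missing {sorted(missing)}")
    return proto, fields


def lint_library(text):
    """Return (parsed, errors). parsed holds (lineno, proto, fields) for good
    lines; errors holds (lineno, message) for bad ones. Blank lines skipped."""
    parsed, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            proto, fields = parse_rule(line)
            parsed.append((lineno, proto, fields))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return parsed, errors


def safe_to_push(text):
    """True only when every line parses: one bad line sinks the library."""
    return not lint_library(text)[1]


if __name__ == "__main__":
    _, problems = lint_library(SAMPLE_RULES)
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
    print("push" if not problems else "HOLD: fix the lines above first")
```

Run against the sample it reports only line 2, pointing at the column right after `msg=kvik`, and `safe_to_push` returns False; fix the quote and it returns True. The design choice is to make the check fail closed at the console, since the client evidently fails open.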



  • 8.  RE: Log entries from past day are gone

    Posted Nov 30, 2010 02:05 PM

    The scary thing to my boss was that when there's a simple error, or in the past as we've seen, POLICY CORRUPTION, the whole IPS opens up and everything was allowed. 

    I need to let it ride a bit, not about to make another change and have things "break" since it "appears" to be working since I deleted the last 2 or 3 lines or signatures, but I have to guess now seeing it in print that the missing " was perhaps the thing that took down all IPS.

    So does anyone use multiple "signature groups" (left side, custom IPS) and how are they using it?



  • 9.  RE: Log entries from past day are gone

    Posted Nov 30, 2010 02:15 PM

    I don't use multiple groups. I create multiple libraries

    ie. one for blocking Botnet traffic, one for blocking websites, one for blocking spyware, etc, etc.



  • 10.  RE: Log entries from past day are gone

    Posted Nov 30, 2010 02:47 PM

    Just so we're on the same page - libraries? I see "signature groups" here - do you have multiple groups on the left where I have EVERYTHING I block or monitor in a single group (see left side of this pic please)



  • 11.  RE: Log entries from past day are gone

    Posted Nov 30, 2010 03:00 PM

    I have multiple libraries set up, each containing one specific group for one specific purpose; here are a few for testing:

    I don't know if library is the proper term, I saw it used once before so I've just stuck with it



  • 12.  RE: Log entries from past day are gone

    Posted Nov 30, 2010 03:19 PM

    Not that I think you are wrong or are doing it wrong, but I see at least two possible ways here and I'd LOVE to have a Symantec regular who is well-versed in SEP and IPS to chime in on what's the best or most efficient way, or what they had planned on us doing.

    I see you have multiple custom IPS, where i have 1 custom IPS and everything in one place.

    What about 1 custom IPS, but multiple groups in that IPS? Say a group of blocked sites, a group for trojans, etc. and a group just to "monitor" all inside the 1 single custom IPS signature where I have 'em all lumped together?

    Is your way more efficient? I didn't even know you could have multiple custom intrusion prevention signatures. And until today, never paid much attention to the area on the left showing where a person could have multiple GROUPS of signatures defined in the custom IPS.



  • 13.  RE: Log entries from past day are gone

    Posted Nov 30, 2010 03:31 PM

    I agree :-) I've been searching all over for info on custom IPS sigs but have come up empty. I doubt if I called Symantec to talk to an engineer they would spend time chatting with me about it so I'm just learning on the fly here. I have no idea what is wrong or right.

    I did it the way I did it so I could manage it easier and apply multiple libraries to a group, but even with your way, you can still enable/disable individual sigs.....so honestly, I have no clue what's wrong or right or if there is a wrong or right way...I guess it's just what works best for the individual.

    The one thing I did though was post some custom IPS rulesets to the download page in hopes that they might be reviewed before getting posted and someone would report back to me if they were incorrect/correct. It's been over a week so I don't know what the outcome was/is but maybe someone will contact me so I can ask questions.