
SEP Custom IPS Signatures

  • 1.  SEP Custom IPS Signatures

    Posted Aug 04, 2009 03:51 PM
    Does anyone have any experience with custom IPS signatures in SEP? Per Symantec's article (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008070803545448), I created a test IPS signature as shown below and applied it to my test machine.
    Upon updating policy, the following error shows up in the Client Management Log:

    FATAL: failed to apply a new IPS policy.
    The client may not restart properly if it is stopped.
    Please see the file debug.log for detailed information.
    Correct the error in the IPS library in the management server before restarting the client.

    The debug log shows no useful information about the IPS signature, and this is Symantec's vanilla example, not a custom signature I would create, but for some reason it doesn't work worth a damn. Any ideas?



  • 2.  RE: SEP Custom IPS Signatures

    Broadcom Employee
    Posted Aug 04, 2009 06:02 PM
    I am unable to reproduce the behavior you are describing using our documented procedure for setting up a custom intrusion prevention signature to block www.google.com.

    Please verify that you have not accidentally put in any extra spaces at the end or used invalid characters in the creation of your signature. I noticed in your screenshot that the quotation character " that is used on GOOGLE BLOCKED and www.google.com is different in each case. It seems like a little thing, but possibly that is what is causing you trouble? Also, please check to see if you have any other custom signatures enabled that may be using an incorrect syntax and disable them. In my tests www.google.com is blocked without issue and the "GOOGLE BLOCKED" message is displayed as expected. (SEP MR4 MP2)

    Hope that helps!


  • 3.  RE: SEP Custom IPS Signatures

    Posted Aug 04, 2009 08:59 PM


  • 4.  RE: SEP Custom IPS Signatures

    Posted Aug 04, 2009 11:27 PM
    David-Z wins a prize on this one: the quotes around the "msg" function that I copied from the Symantec link above were wrong, and as a result the signature could not be processed properly.
    However, even though I am now loading the signature successfully, it's not blocking Google like I thought it would. Can anyone confirm that the above signature (with regular quotes) is working and effectively blocking Google.com in your browser?
    Thank you! 

    P.S. Here's a screen of the signature with proper quotes. Nothing else seems to be wrong, there are no other custom signatures that would conflict with it.



  • 5.  RE: SEP Custom IPS Signatures

    Broadcom Employee
    Posted Aug 05, 2009 12:56 AM
    Do you see the conditions being logged with this severity? You may copy the information here.

    Hope the syntax is the proper one.

    good luck
    Pete


  • 6.  RE: SEP Custom IPS Signatures

    Posted Aug 05, 2009 01:03 AM
    Hey Pete,
    The syntax is definitely correct; I can see the custom IPS signature loading every time I update the policy in the System log.
    Not sure about the severity condition, where would I find these? I thought severity is for your own sake: you specify how severe the signature is and it will be logged (where??) with this severity level that you can refer to at a later time for reporting purposes.


  • 7.  RE: SEP Custom IPS Signatures

    Posted Aug 05, 2009 01:17 AM
    Hi Dimitri,

    I have tried this in my network and after a long troubleshooting session I came to the conclusion that it will block Google.com, but you need to take care of the spaces in the Content. It should be like this:

    rule tcp, dest=(80), msg="GOOGLE BLOCKED", content="www.google.com"

    There should be a space after every ",".

    Try this & let me know if this works?

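    The two syntax problems discussed in this thread (the non-ASCII quotes David-Z spotted in the screenshot, and the spacing after commas kavin describes) are the kind of thing a paste from a web page or a Word document introduces silently. The following is an added example, not code from the thread or from Symantec: a small Python linter for the signature string that flags typographic quotes, unbalanced or missing quotes, trailing whitespace and missing spaces after commas before the rule is pasted into SEPM. It only knows the rule pieces visible in the thread (rule <protocol>, dest=(port), msg="...", content="..."); that subset is an assumption, and any other field is reported as unchecked rather than validated.

```python
"""Lint a Symantec Endpoint Protection custom IPS signature string.

Added example, not from the thread or from Symantec. Only the rule pieces
seen in the thread are understood (assumption): rule <protocol>, dest=(...),
msg="...", content="...". Other fields are reported as unchecked.
"""
import unicodedata

# Typographic quotes that copy/paste from a web page or Word leaves behind.
# The thread's root cause: the quotes around msg= were not plain ASCII ".
SMART_QUOTES = {"\u201c", "\u201d", "\u2018", "\u2019"}
KNOWN_KEYS = {"dest", "msg", "content"}      # assumption: keys seen in the thread
QUOTED_KEYS = {"msg", "content"}             # values that must be "-quoted


def split_fields(sig):
    """Split on commas that are outside ASCII double quotes and parentheses."""
    fields, cur, in_quote, depth = [], [], False, 0
    for ch in sig:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
        if ch == "," and not in_quote and depth == 0:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields


def lint_signature(sig):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    smart = sorted({c for c in sig if c in SMART_QUOTES})
    if smart:
        names = ", ".join(f"U+{ord(c):04X} {unicodedata.name(c)}" for c in smart)
        problems.append(f'typographic quote(s) instead of ASCII ": {names}')
    other = sorted({c for c in sig if ord(c) > 127 and c not in SMART_QUOTES})
    if other:
        problems.append("other non-ASCII character(s): " + repr("".join(other)))
    if sig != sig.rstrip():
        problems.append("trailing whitespace at end of rule")
    if sig.count('"') % 2:
        problems.append("unbalanced ASCII double quotes")
    if not sig.startswith("rule "):
        problems.append('rule does not start with "rule "')
        return problems
    fields = split_fields(sig)
    if len(fields[0].split()) != 2:
        problems.append(f"malformed header {fields[0]!r}; expected 'rule <protocol>'")
    for raw in fields[1:]:
        # kavin's rule of thumb: exactly one space after each separating comma
        if not raw.startswith(" ") or raw.startswith("  "):
            problems.append(f"expected exactly one space after the comma before {raw.strip()!r}")
        key, sep, value = raw.strip().partition("=")
        if not sep:
            problems.append(f"field {raw.strip()!r} has no '='")
            continue
        if key not in KNOWN_KEYS:
            problems.append(f"field {key!r} not recognised by this linter (not checked)")
            continue
        if key in QUOTED_KEYS and not (len(value) >= 2 and value[0] == '"' and value[-1] == '"'):
            problems.append(f"{key}= value must be wrapped in ASCII double quotes: {value!r}")
        if key == "dest" and not (value.startswith("(") and value.endswith(")")):
            problems.append(f"dest= value must be a parenthesised port list: {value!r}")
    return problems


def parse_signature(sig):
    """Return the rule's fields as a dict, or raise ValueError listing the problems."""
    problems = lint_signature(sig)
    if problems:
        raise ValueError("; ".join(problems))
    fields = split_fields(sig)
    parsed = {"protocol": fields[0].split()[1]}
    for raw in fields[1:]:
        key, _, value = raw.strip().partition("=")
        parsed[key] = value[1:-1] if key in QUOTED_KEYS else value
    return parsed


# Constructed samples: BROKEN reproduces the thread's root cause, FIXED is the
# corrected rule, the other two are further copy/paste mistakes.
BROKEN = 'rule tcp, dest=(80), msg=\u201cGOOGLE BLOCKED\u201d, content="www.google.com"'
FIXED = 'rule tcp, dest=(80), msg="GOOGLE BLOCKED", content="www.google.com"'
NO_SPACES = 'rule tcp,dest=(80),msg="GOOGLE BLOCKED",content="www.google.com"'
MISSING_QUOTE = 'rule tcp, dest=(80), msg="GOOGLE BLOCKED", content="www.google.com'

if __name__ == "__main__":
    for name, sig in [("BROKEN", BROKEN), ("FIXED", FIXED),
                      ("NO_SPACES", NO_SPACES), ("MISSING_QUOTE", MISSING_QUOTE)]:
        print(name, lint_signature(sig) or "OK")
```

    The linter only judges the string itself; it cannot tell whether the signature will have any effect once loaded, which later in this thread turns out to depend on an IPS policy actually being assigned to the client.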


  • 8.  RE: SEP Custom IPS Signatures

    Posted Aug 05, 2009 01:20 AM
    Hi kavin,
    I too played around with spaces after commas. My syntax is exactly like yours, with spaces after each comma.
    Again, the signature loads, it just doesn't do anything as far as blocking www.google.com.


  • 9.  RE: SEP Custom IPS Signatures

    Posted Aug 05, 2009 01:20 AM
    Hi Dimitri,

    This is a complex way of blocking the website; you can use a firewall rule to block it.

    Check this Doc.

    http://service1.symantec.com/support/ent-security.nsf/docid/2009072816443448



  • 10.  RE: SEP Custom IPS Signatures

    Posted Aug 05, 2009 01:22 AM
    Well, this is just a test in my book. I was planning to use custom IPS signatures for much more than just blocking a website. :-) Once I can get this simple policy working, I will move on to better, more advanced signatures.


  • 11.  RE: SEP Custom IPS Signatures

    Posted Aug 05, 2009 01:23 AM
    I have tried the same in my test network. It is blocking the website Google.com.

    Please recheck the syntax.


  • 12.  RE: SEP Custom IPS Signatures

    Broadcom Employee
    Posted Aug 05, 2009 01:31 AM
    What I mean is the log: since I could see the traffic is logged, see if the logs are generated with respect to this event...


  • 13.  RE: SEP Custom IPS Signatures

    Posted Aug 05, 2009 11:50 AM
    kavin, can you paste your signature syntax here? I'll copy and paste it into mine and see if indeed there's something wrong with my fat hands. 


  • 14.  RE: SEP Custom IPS Signatures
    Best Answer

    Posted Aug 05, 2009 12:42 PM
    I figured it out. You can NOT have a custom IPS signature without a main IPS policy in place. Even though the two seem to be separate visually under the Clients->Policies area, you must create and configure an IPS policy, and only then can you add your own IPS signature.
    Kinda makes sense now. Thanks to all who replied!


  • 15.  RE: SEP Custom IPS Signatures

    Posted Dec 10, 2009 06:55 AM
    Thanks for sharing this useful and informative posting with us. It's really very useful for me.




  • 16.  RE: SEP Custom IPS Signatures

    Posted Dec 11, 2009 04:43 AM
    I agree with websmsmessages. It's really very useful for us, because it contains very helpful information.