cancel
Showing results for 
Search instead for 
Did you mean: 
kenobe
Level 10

HIPS Expert Rule to Block URL?

Jump to solution

Hi, I'm trying to create an expert rule to block users from accessing a certain site with their browser.  Is this possible with HIPS rules?

For example, I used:

Rule {

Class Isapi

Id 4001

level 4

query {Include *yahoo*}

method {Include GET}

Execuable {Include *}

user_name {Include *}

directives isapi:request

}

thanks

Ken

0 Kudos
1 Solution

Accepted Solutions
fitchsoccer342
Level 13

Re: HIPS Expert Rule to Block URL?

Jump to solution

I've never done it via HIPS before as we have other products we utilize for web site filtering. However, I would use the firewall portion of HIPS before trying to write a custom signature for the IPS.

You should be able to create a rule within the firewall to do this. It would essentially block and drop DNS requests sent to whatever domain you want to block. Have you tried that?

4 Replies
fitchsoccer342
Level 13

Re: HIPS Expert Rule to Block URL?

Jump to solution

I've never done it via HIPS before as we have other products we utilize for web site filtering. However, I would use the firewall portion of HIPS before trying to write a custom signature for the IPS.

You should be able to create a rule within the firewall to do this. It would essentially block and drop DNS requests sent to whatever domain you want to block. Have you tried that?

kenobe
Level 10

Re: HIPS Expert Rule to Block URL?

Jump to solution

Yeah, we could do it that way buuuut.

We have numerous firewall rules.  I have a custom IPS policy applied to all my sitets which would have made this task easier.  Thanks anyway!

0 Kudos
shakira
Level 10

Re: HIPS Expert Rule to Block URL?

Jump to solution

From my limited understanding of this class of subrules, I don't think it's doing what you think it is. I believe these rules only apply to windows servers receiving http traffic via IIS. Check out page 113 of the "Host Intrusion Prevent 800 Product Guide for epo 450":

The following table lists the possible sections and values for the Windows class Isapi with IIS:


And

An incoming http request can be represented as: http://www.myserver.com/ {url}?{query}. In this document, we refer to {url} as the “URL” part of the http request and {query} as the “query” part of the http request. Using this naming convention, we can say that the section “URL” is matched against {url} and the section “query” is matched against {query}. For example the following rule is triggered if the http request http:// www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean is received by IIS:

Rule {

tag "Sample6"

Class Isapi

Id 4001

level 1

url { Include “*abc*” }

Executable { Include “*”}

user_name { Include “*” }

directives isapi:request

}

This rule is triggered because {url}=/search/abc.exe, which matches the value of the section “url” (i.e. abc).

0 Kudos
McAfee Employee

Re: HIPS Expert Rule to Block URL?

Jump to solution
I'm trying to create an expert rule to block users from accessing a certain site with their browser.  Is this possible with HIPS rules?

No, this is not possible.  The HTTP IPS engine on works for Inbound HTTP requests to an IIS or Apache web server.  Use the SiteAdvisor Enterprise product to control outbound user requests.