cryptochrome
Level 7

Scheduled whitelistings?


Hi,

Is it possible to schedule certain rule elements, such as whitelist entries? E.g. make a whitelist entry disable on a certain date?

Thanks

Sascha

0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: Scheduled whitelistings?


Yes it is.

You can just use the criteria:

String.ToNumber(DateTime.Time.ToString("%YYYY%MM%DD"))

This creates a number for which you can evaluate.

time2013-11-11_172150.png

The image above is a rule which will expire on December 1st, 2013.

Best,

Jon

0 Kudos
17 Replies
cryptochrome
Level 7

Re: Scheduled whitelistings?


Awesome Jon, thank you.

Let's say I have many different scheduled whitelistings that all end at different dates. Is there a more effective way? In this example, I'd need a new rule for each different schedule. I was thinking about having one whitelist and giving each entry in the list a different schedule. Probably not possible I guess?

Thanks!

0 Kudos
McAfee Employee

Re: Scheduled whitelistings?


Hi Sascha,

This is possible, but constraints must be applied.

I have a rule which does this, I'm just trying to find the words to explain it properly...

Best,

Jon

0 Kudos
McAfee Employee

Re: Scheduled whitelistings?


Hi Sascha,

The example I have created uses the map type. The map type is a list type which contains keys and values.

In our use of this property, it is essential that the keys be unique. It is also important to prevent overlapping keys, otherwise this will cause expiration times to match unexpectedly.

For example, I have a map type list with the following keys and values (the key would be URL.Host):

*.mcafee.com    20131201    # Dec 1, 2013

www.mcafee.com    20140101    # Jan 1, 2014

In this scenario we have keys that could overlap, which would result in all mcafee.com domains being "expired" as per the first entry found in the list. We must not use the expiring whitelists in this way.

A more correct method would be to use a key which would not allow for overlapping keys, and also prevents you from adding unique keys which would mismatch. The key in this example would be URL.HostBelongsToDomains or URL.Domain:

mcafee.com        20131201

Where "mcafee.com" is the site I'm interested in, and 20131201 is the expiration date.

Attached is a ruleset and screenshot.

expiring whitelists 2013-11-14_181947.png

It would also be important to clean out old entries; if this list has a ton of old entries, MWG is unnecessarily evaluating a large list of expired entries.

Best,

Jon

cryptochrome
Level 7

Re: Scheduled whitelistings?


Hi Jon, this is absolutely brilliant! Thanks a lot. It will do exactly what I want.

Since we are already on 7.4, I suppose I can use the disabled 7.4 rule you have in the screenshot?

Also, just making sure I get this right: I could use URL.Host or any other URL property as long as I make sure there are no overlaps in the map list?

Great stuff!

0 Kudos
asabban
Level 17

Re: Scheduled whitelistings?


Hi,

you can use every property that makes sense for you :-)

You need to pay attention to the type of the information you store. We have "strings" and we have "wildcards".

When you have a wildcard that says

"mcafee.com"

this won't match a check such as

URL matches "mcafee.com", as it is missing the required wildcards.

On the other hand we have strings. If you have a STRING that says

"*mcafee.com*"

this would never match, because MWG will check for the character "*" in the URL and NOT interpret it as a wildcard. If you have a string which contains wildcards you need to convert it using String.ToWildcard before applying it to any "matches" operator.

You need to note that in the MapType list you store STRINGS as key and value. So if you add a key

"*.mcafee.com"

you need to make sure to convert this value to a wildcard before it will work as a wildcard... otherwise you won't be happy with the results probably :-)

It may work easier when using strings rather than wildcards as keys, and use a property such as belongstodomain as indicated by Jon above.

Best,

Andre

0 Kudos
cryptochrome
Level 7

Re: Scheduled whitelistings?


Thanks Andre. If I use "contains" instead of "matches" as operator, then I don't have to worry about wildcards, I guess?

I am a bit confused now. Let me try to recap: The map list type is a STRING list, so wildcard characters such as * are not treated as a wildcard but as a literal character. If I need to use wildcards, I would have to use String.ToWildcard to convert. Did I get that right?

Is there a map list type that can use wildcard or RegEx keys?

If not, how would I apply String.ToWildcard in this scenario? I guess I would have to put it in Jon's rule somehow, but I am not sure how.

Thanks!

0 Kudos
asabban
Level 17

Re: Scheduled whitelistings?


Hi Sascha,

MWG will assist you with type conversions (string -> wildcard). If you use the GUI and select an operator that requires a wildcard it won't let you choose a string, so you automatically have to use the String.ToWildcard property, otherwise you cannot select the appropriate properties :-)

Unfortunately we do not have a wildcard MapType list. You won't have too much luck using Wildcards in the keys... I missed that out in my earlier post, but you won't be able to use *.mcafee.com* as a key I think... it would require something like "Take all keys from the MapType list, convert all of these entries to wildcards, then find a match, remember the match and finally find the key for this match". I have done something similar in the past using two lists, but I won't recommend this.

I think your solution should be what Jon typed... use the "BelongsToDomain" property! This property does the wildcard stuff for you as it accepts a string as the parameter (a URL) and it automatically finds out if there is a match.

If you go to

www.mcafee.com

a list entry like this:

mcafee.com -> 20131115

will match. So you won't enter *.mcafee.com, but mcafee.com - the property finds out for you if the URL matches against a string in the list of keys.

Do you think that is suitable?

You picked a nice use case... sounds easy but can become quite complex :-)

Best,

Andre

0 Kudos
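Added example, not part of any post above and not MWG rule syntax: a Python model of the expiring map list discussed in this thread (domain key, YYYYMMDD value), including the overlap check and clean-up of expired entries. The function names, the subdomain matching rule and the choice that an entry stops matching on its stored date are assumptions; the sample entries are constructed.

```python
from datetime import date

# Constructed sample map list: key = domain string, value = expiry as YYYYMMDD.
WHITELIST = {
    "mcafee.com": 20131201,
    "example.org": 20140101,
    "*.example.net": 20140101,  # stored as a plain string: "*" is not a wildcard
}

def date_number(d):
    """Number in YYYYMMDD form, like the criteria in the accepted answer."""
    return d.year * 10000 + d.month * 100 + d.day

def belongs_to(host, domain):
    """Assumed matching rule: host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def is_whitelisted(host, today, entries=WHITELIST):
    """True while a matching key exists whose expiry number is still ahead."""
    now = date_number(today)
    return any(belongs_to(host, key) and now < expiry
               for key, expiry in entries.items())

def overlapping_keys(entries=WHITELIST):
    """Pairs (narrow, broad) where one key falls under another key.
    Such pairs can make an entry expire on the other entry's date."""
    keys = sorted(entries)
    return [(a, b) for a in keys for b in keys
            if a != b and belongs_to(a, b)]

def prune(today, entries=WHITELIST):
    """Drop expired entries so they are not evaluated on every request."""
    now = date_number(today)
    return {key: expiry for key, expiry in entries.items() if now < expiry}

if __name__ == "__main__":
    print(is_whitelisted("www.mcafee.com", date(2013, 11, 30)))
    print(overlapping_keys({"mcafee.com": 20131201, "www.mcafee.com": 20140101}))
    print(prune(date(2013, 12, 15)))
```

Running `overlapping_keys` before importing a new list catches the ambiguous pairs, and running `prune` on a schedule keeps stale exceptions from lingering in the list.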
cryptochrome
Level 7

Re: Scheduled whitelistings?


I would love to use the BelongsToDomain Property, but company policy kind of forbids it. In most cases, we have to whitelist exact hostnames, only in some cases we whitelist entire domains including their subdomains. As a middle ground we are using URL.Host in most whitelists and use wildcards/RegEx when needed.

So I guess if I want to use scheduled whitelist, I will have to live without wildcards for now.

0 Kudos