17 Replies Latest reply on Nov 22, 2013 3:39 AM by cryptochrome

    Scheduled whitelistings?

    cryptochrome

      Hi,

       

      is it possible to schedule certain rule elements, such as whitelist entries? e.g. make a whitelist entry disable on a certain date?

       

      Thanks

      Sascha

        • 1. Re: Scheduled whitelistings?
          Jon Scholten

          Yes it is.

           

          You can just use the criteria:

          String.ToNumber(DateTime.Time.ToString("%YYYY%MM%DD"))

           

          This creates a number for which you can evaluate.

           

          time2013-11-11_172150.png

           

          The image above is a rule which will expire on December 1st, 2013.

           

          Best,

          Jon

          • 2. Re: Scheduled whitelistings?
            cryptochrome

            Awesome Jon, thank you.

             

            Let's say I have many different scheduled whitelistings that all end at different dates. Is there a more effective way? In this example, I'd need a new rule for each different schedule. I was thinking about having one whitelist and giving each entry in the list a different schedule. Probably not possible I guess?

             

            Thanks!

            • 3. Re: Scheduled whitelistings?
              Jon Scholten

              Hi Sascha,

               

              This is possible, but constraints must be applied.

               

              I have a rule which does this, I'm just trying to find the words to explain it properly...

               

              Best,

              Jon

              • 4. Re: Scheduled whitelistings?
                Jon Scholten

                Hi Sascha,

                 

                The example I have created uses the map type. The map type is a list type which contains keys and values.

                 

                In our use of this property, it is essential that the keys be unique. It is also important to prevent overlapping keys; otherwise this will cause expiration times to match unexpectedly.

                 

                For example, I have a map type list with the following keys and values (the key would be URL.Host):

                *.mcafee.com    20131201    # Dec 1, 2013

                www.mcafee.com    20140101    # Jan 1, 2014

                 

                In this scenario we have keys that could overlap, which would result in all mcafee.com domains being "expired" as per the first entry found in the list. We must not use the expiring whitelists in this way.

                 

                A more correct method would be to use a key which would not allow for overlapping keys, and also prevents you from adding unique keys which would mismatch. The key in this example would be URL.HostBelongsToDomains or URL.Domain:

                mcafee.com        20131201

                 

                Where "mcafee.com" is the site I'm interested in, and 20131201 is the expiration date.

                 

                Attached is a ruleset and screenshot.

                 

                expiring whitelists 2013-11-14_181947.png

                 

                It would also be important to clean out old entries; if this list has a ton of old entries, MWG is unnecessarily evaluating a large list of expired entries.

                 

                Best,

                Jon

                1 of 1 people found this helpful
                • 5. Re: Scheduled whitelistings?
                  cryptochrome

                  Hi Jon, this is absolutely brilliant! Thanks a lot. It will do exactly what I want.

                   

                  Since we are already on 7.4, I suppose I can use the disabled 7.4 rule you have in the screenshot?

                   

                  Also, just making sure I get this right: I could use URL.Host or any other URL property as long as I make sure there are no overlaps in the map list?

                   

                  Great stuff!

                  • 6. Re: Scheduled whitelistings?
                    asabban

                    Hi,

                     

                    you can use every property that makes sense for you :-)

                     

                    You need to pay attention to the type of the information you store. We have "strings" and we have "wildcards".

                     

                    When you have a wildcard that says

                     

                    "mcafee.com"

                     

                    this won't match a check such as

                     

                    URL matches "mcafee.com", as it is missing the required wildcards.

                     

                    On the other hand we have strings. If you have a STRING that says

                     

                    "*mcafee.com*"

                     

                    this would never match, because MWG will check for the character "*" in the URL and NOT interpret it as a wildcard. If you have a string which contains wildcards you need to convert it using String.ToWildcard before applying it to any "matches" operator.

                     

                    You need to note that in the MapType list you store STRINGS as key and value. So if you add a key

                     

                    "*.mcafee.com"

                     

                    you need to make sure to convert this value to a wildcard before it will work as a wildcard... otherwise you won't be happy with the results probably :-)

                     

                    It may work easier when using strings rather than wildcards as keys, and use a property such as belongstodomain as indicated by Jon above.

                     

                    Best,

                    Andre

                    • 7. Re: Scheduled whitelistings?
                      cryptochrome

                      Thanks Andre. If I use "contains" instead of "matches" as operator, then I don't have to worry about wildcards, I guess?

                       

                      I am a bit confused now. Let me try to recap: The map list type is a STRING list, so wildcard characters such as * are not treated as a wildcard but as a literal character. If I need to use wildcards, I would have to use String.ToWildcard to convert. Did I get that right?

                       

                      Is there a map list type that can use wildcard or RegEx keys?

                       

                      If not, how would I apply String.ToWildcard in this scenario? I guess I would have to put it in Jon's rule somehow, but I am not sure how.

                       

                      Thanks!

                      • 8. Re: Scheduled whitelistings?
                        asabban

                        Hi Sascha,

                         

                        MWG will assist you with type conversions (string -> wildcard). If you use the GUI and select an operator that requires a wildcard it won't let you choose a string, so you automatically have to use the String.ToWildcard property, otherwise you cannot select the appropriate properties :-)

                         

                        Unfortunately we do not have a wildcard MapType list. You won't have too much luck using Wildcards in the keys... I missed that out in my earlier post, but you won't be able to use *.mcafee.com* as a key I think... it would require something like "Take all keys from the MapType list, convert all of these entries to wildcards, then find a match, remember the match and finally find the key for this match". I have done something similar in the past using two lists, but I won't recommend this.

                         

                        I think your solution should be what Jon typed... use the "BelongsToDomain" property! This property does the wildcard stuff for you as it accepts a string as the parameter (a URL) and it automatically finds out if there is a match.

                         

                        If you go to

                         

                        www.mcafee.com

                         

                        a list entry like this:

                         

                        mcafee.com -> 20131115

                         

                        will match. So you won't enter *.mcafee.com, but mcafee.com - the property finds out for you if the URL matches against a string in the list of keys.

                         

                        Do you think that is suitable?

                         

                        You picked a nice use case... sounds easy but can become quite complex :-)

                         

                        Best,

                        Andre
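
A Python model of the expiring map list discussed in posts 4 to 8, added here as an illustration; it is not MWG rule syntax and not code from any poster. The function names, the first-match lookup order, and the assumption that an entry stops matching on its expiry date are this example's own; the sample list is constructed.

```python
from datetime import date

# Constructed sample map list: key = plain string, value = expiry as YYYYMMDD.
SAMPLE_LIST = {
    "mcafee.com": 20131201,
    "www.mcafee.com": 20140101,   # overlaps the entry above
    "*.example.net": 20140101,    # "*" in a string key is a literal character
}

def date_number(d):
    """A date as a comparable integer, like the %YYYY%MM%DD criteria."""
    return d.year * 10000 + d.month * 100 + d.day

def is_whitelisted(host, today, whitelist):
    """Domain-style lookup: a key matches the host itself or any subdomain.
    The first matching key in list order decides (assumption, mirroring the
    'first entry found' behaviour described in post 4)."""
    host = host.lower().rstrip(".")
    for key, expiry in whitelist.items():
        if host == key or host.endswith("." + key):
            return date_number(today) < expiry  # assumed: inactive on expiry day
    return False

def lint(whitelist):
    """Report the two pitfalls from the thread before the list is deployed."""
    problems = []
    for key in whitelist:
        if "*" in key or "?" in key:
            problems.append(f"wildcard characters are literal in string key: {key}")
        for other in whitelist:
            if key != other and key.endswith("." + other):
                problems.append(f"overlap: {key} is covered by {other}")
    return problems

def purge_expired(whitelist, today):
    """Drop entries whose expiry has passed so the list stays short."""
    now = date_number(today)
    return {k: v for k, v in whitelist.items() if v > now}

if __name__ == "__main__":
    for problem in lint(SAMPLE_LIST):
        print(problem)
    # www.mcafee.com is already rejected although its own entry runs to 2014:
    print(is_whitelisted("www.mcafee.com", date(2013, 12, 15), SAMPLE_LIST))
    print(purge_expired(SAMPLE_LIST, date(2013, 12, 15)))
```

Running the lint step whenever the list changes catches an overlapping or wildcard key before it silently shortens or disables an exception.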

                        • 9. Re: Scheduled whitelistings?
                          cryptochrome

                          I would love to use the BelongsToDomain Property, but company policy kind of forbids it. In most cases, we have to whitelist exact hostnames, only in some cases we whitelist entire domains including their subdomains. As a middle ground we are using URL.Host in most whitelists and use wildcards/RegEx when needed.

                           

                          So I guess if I want to use scheduled whitelist, I will have to live without wildcards for now.
