4 Replies Latest reply on Jan 6, 2015 11:35 AM by Kary Tankink

    HIPS Expert Rule to Block URL?

    kenobe

      Hi, I'm trying to create an expert rule to block users from accessing a certain site with their browser.  Is this possible with HIPS rules?

       

      For example, I used:

       

      Rule {
      Class Isapi
      Id 4001
      level 4
      query {Include *yahoo*}
      method {Include GET}
      Executable {Include *}
      user_name {Include *}
      directives isapi:request
      }

       

       

      thanks

       

      Ken

        • 1. Re: HIPS Expert Rule to Block URL?
          fitchsoccer342

          I've never done it via HIPS before as we have other products we utilize for web site filtering. However, I would use the firewall portion of HIPS before trying to write a custom signature for the IPS.

           

          You should be able to create a rule within the firewall to do this. It would essentially block and drop DNS requests sent to whatever domain you want to block. Have you tried that?

          • 2. Re: HIPS Expert Rule to Block URL?
            kenobe

            Yeah, we could do it that way buuuut.

             

            We have numerous firewall rules.  I have a custom IPS policy applied to all my sites which would have made this task easier.  Thanks anyway!

            • 3. Re: HIPS Expert Rule to Block URL?
              shakira

              From my limited understanding of this class of subrules, I don't think it's doing what you think it is. I believe these rules only apply to Windows servers receiving HTTP traffic via IIS. Check out page 113 of the "Host Intrusion Prevent 800 Product Guide for epo 450":

               

               

              The following table lists the possible sections and values for the Windows class Isapi with IIS:


              And

               

              An incoming http request can be represented as: http://www.myserver.com/ {url}?{query}. In this document, we refer to {url} as the “URL” part of the http request and {query} as the “query” part of the http request. Using this naming convention, we can say that the section “URL” is matched against {url} and the section “query” is matched against {query}. For example the following rule is triggered if the http request http://www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean is received by IIS:

              Rule {
              tag "Sample6"
              Class Isapi
              Id 4001
              level 1
              url { Include "*abc*" }
              Executable { Include "*" }
              user_name { Include "*" }
              directives isapi:request
              }

              This rule is triggered because {url}=/search/abc.exe, which matches the value of the section “url” (i.e. abc).

               

               

               

              • 4. Re: HIPS Expert Rule to Block URL?
                Kary Tankink
                I'm trying to create an expert rule to block users from accessing a certain site with their browser.  Is this possible with HIPS rules?

                No, this is not possible.  The HTTP IPS engine only works for Inbound HTTP requests to an IIS or Apache web server.  Use the SiteAdvisor Enterprise product to control outbound user requests.
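
Added example, not part of the thread or of the product guide: a simplified Python model of the {url}/{query} split quoted in reply 3, applied to requests received by the local web server. The matching semantics (case-insensitive `*` wildcards, every listed section must match) and all names in the code are assumptions for illustration; the sample requests are constructed.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Simplified model (assumption): each section holds Include patterns with '*'
# wildcards, matched case-insensitively; a rule fires only when every section
# it defines matches the corresponding part of the received request.
SAMPLE6 = {"url": ["*abc*"]}                             # rule quoted in reply 3
YAHOO_RULE = {"query": ["*yahoo*"], "method": ["GET"]}   # rule from the first post

def split_request(method, request_url):
    """Split a request the server received into the parts the sections match."""
    parts = urlsplit(request_url)
    return {"method": method, "url": parts.path, "query": parts.query}

def rule_triggers(rule, method, request_url):
    """Return True if every section defined in the rule matches the request."""
    request = split_request(method, request_url)
    for section, patterns in rule.items():
        value = request[section].lower()
        if not any(fnmatchcase(value, p.lower()) for p in patterns):
            return False
    return True

# Constructed sample requests, all inbound to the local server (www.myserver.com).
INBOUND = [
    ("GET", "http://www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean"),
    ("GET", "http://www.myserver.com/index.html?ref=yahoo"),
    ("POST", "http://www.myserver.com/index.html?ref=yahoo"),
    ("GET", "http://www.myserver.com/yahoo/index.html"),
]

def evaluate(rule):
    """Evaluate one rule against every constructed inbound request."""
    return [rule_triggers(rule, method, url) for method, url in INBOUND]

if __name__ == "__main__":
    for name, rule in (("Sample6", SAMPLE6), ("yahoo rule", YAHOO_RULE)):
        print(name, evaluate(rule))
```

In this model the rule from the first post fires only for an inbound GET whose query string contains "yahoo"; the host a workstation browser connects to is never one of the inputs, which is consistent with replies 3 and 4.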