Combination Custom IPS Signature

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Combination Custom IPS Signature

Not applicable

Hello all.

quick question as to combination customer signature.

would you please give me your advise please?

- one of potential customer want their employee to forcely use company email server (when sending..) not thru the hotmail, gmail etc..

- I found that one of web email service change their URL when  it's time to 'write' the email content.

e.g

http://mail2.daum.net/hanmailex/Top.daum?#cmd_ComposeMail

in the custom IPS signature .

1. event name : mail1_send
http-req-uri-path : hanmailex/Top.daum

action : alert

2. event name : mail2_send

http-req-uri-params : cmd_ComposeMail

action : alert

3. event name : daum_bocking.

in event 3. I chose the 'combination'  and add upper 2 signature(mail1_send, mail2_send) in a row.

action : block.

will this work as my intention?(I failed.. firstly).. e.g) after alerting mail1_send, daum_blocking is populated on the fly, so just accessing that page also denied..

my intention is combined matching event daum_blocking was supposed to generated right after mail1_send and mail2_send event popped up..

I really apprecaite for this in advaces..

thank you very much.

2 REPLIES 2

L4 Transporter

Your logic is correct in that you should be able to create individual custom signatures and use the combination signature to combine the 2 events together with an and operator. I can't comment whether or not your signatures are good enough to match the event that you want though. Did you also check/uncheck the ordered match criteria to enforce the order in which the signatures are triggered or not?

yes I tried that.

would you please review the test procedure?

thank you very much.

  • 2341 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!