Create Symantec Endpoint Protection Custom IPS Rule

Orhan Öztaş
3 min readOct 15, 2023

If you use Symantec Endpoint Protection you may need custom IPS rule for prevent your endpoints from attackers. SEP client has default IPS rules. SEP IPS following your endpoint package traffic and review for threats according to their rules.

These custom rules are packet-based . Packet-based signatures examine a single packet that matches a rule. The rule is based on various criteria, such as port, protocol, source or destination IP address, TCP flag number, or an application.

This IPS signatures updating with Symantec LiveUpdate for new threats.

Today we will create custom IPS rule for blocking particular website.

If packet traffic match with Firewall rule and Custom IPS rule, Firewall rule will be action for this packet. Because Firewall has more priority against custom IPS.

To create new Custom IPS rule for Endpoints

  • In the console, on the Policies page, under Policies, click Intrusion Prevention.
  • Click the Custom Intrusion Prevention tab. Under Tasks, click Add Custom Intrusion Prevention Signatures.
  • In the Custom Intrusion Prevention Signatures dialog box, type a name and optional description for the library.
  • You can delete delete NetBios custom IPS rule for create new one.
  • To add a new group, on the Signatures tab, under the Signature Groups list, click Add.
  • In the Intrusion Prevention Signature Group dialog box, type a group name and optional description, and then click OK.
  • The group is enabled by default. If the signature group is enabled, all signatures within the group are enabled automatically. To retain the group for reference but to disable it, uncheck Enable this group.
  • Add a custom signature.

After that we will create signature. Click default signature and edit.

For block particular website we will write below rule.

rule tcp, dest=(80,443), msg=”Your Administrator Blocked website.com”, content=“website.com”

At the Action field we will click block option. At default block log is active.

We will block http and https request for facebook.com . You can apply this template for blok any website.

After write our Custom IPS rule we will apply on SEP Client. When you click OK, SEP Manager ask you “You want to assign this rule to any group”.

We will assign to some group this rule.

For applied policy we can check at SEP Manager Clients tab Policy Number.

After this we check SEP Client Policy Number from Help -> Troubleshooting -> Management

You can aware After adjust IPS rule Custom IPS Serial Number appearing SEP Client Management Field.

For testing your custom IPS rule we are opening new private window for not affect browser cache. After that type blocked website address.

SEP notify you with our adjusted message.

And you can not connection at facebook.com

Thank you for read all article. If you liked article please clap for keep going this type of information.

--

--

Orhan Öztaş

Cyber Security Consultant. Writing articles for helping you about cyber security.