Types of custom Intrusion Prevention rules in Deep Security

    • Updated: 18 Feb 2015
    • Product/Version: Deep Security 7.5, Deep Security 8.0, Deep Security 9.0
    • Platform: N/A
Summary

Deep Security allows you to customize Intrusion Prevention, Integrity Monitoring, Log Inspection, and Firewall rules according to your needs.

This article outlines the creation of custom Intrusion Prevention rules.

Details

You can create three (3) types of custom Intrusion Prevention rules:

Custom DPI rule - Simple signature

A simple signature is a straight pattern match against the traffic on the wire. If you want to look for keywords such as "confidential", "company name" or offensive words in a user’s web traffic, create a custom rule with such a pattern.

This type has limited use because it is restricted to a single pattern. It is useful in emergency situations where a pattern needs to be pushed to all computers in the network to prevent malware from spreading.

A simple signature pattern could cause a false positive. It might be necessary to check for multiple patterns in one rule.

Custom rules allow you to specify a start pattern and an end pattern, and to look for anything in between. You can do the following:

  • Check for multiple patterns (all of them)
  • Check for multiple patterns (any of them)
  • Look for the absence of specified patterns

Custom IPS rule - Signature with start and end patterns

Only one pattern should be entered per line.

If you select All Patterns Found with "START" as the start pattern and "END" as the end pattern, and then enter "MUST SEE THIS" and "MUST SEE THIS TOO" in the pattern, the rule will match if all patterns are found in the correct order. This means "START" should come first, followed by all of the patterns, and then the "END" pattern.

The rule processor will stop matching after the "END" pattern and will resume if it spots the "START" pattern again.
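The start/end matching described above, modelled in Python as an added illustration; it is not Deep Security's rule engine or Trend Micro code. The function name, the mode names, plain substring matching, patterns being accepted in any order inside a window, and a START with no END never matching are all assumptions of this sketch.

```python
def matching_windows(payload, start, end, patterns, mode="all"):
    """Return the START..END windows of payload that satisfy the rule.

    mode "all"  -> every pattern occurs in the window
    mode "any"  -> at least one pattern occurs
    mode "none" -> no pattern occurs (absence check)
    """
    if mode not in ("all", "any", "none"):
        raise ValueError("unknown mode: %r" % mode)
    hits, pos = [], 0
    while True:
        s = payload.find(start, pos)
        if s < 0:
            break                      # no further START: nothing left to inspect
        body = s + len(start)
        e = payload.find(end, body)
        if e < 0:
            break                      # assumption: START without END never matches
        window = payload[body:e]
        found = [p in window for p in patterns]
        ok = {"all": all(found), "any": any(found), "none": not any(found)}[mode]
        if ok:
            hits.append(window)
        pos = e + len(end)             # matching stops at END, resumes at next START
    return hits


# Constructed sample traffic; the patterns are the ones from the article's example.
PATTERNS = [b"MUST SEE THIS", b"MUST SEE THIS TOO"]
SAMPLE = (b"MUST SEE THIS START junk MUST SEE THIS, MUST SEE THIS TOO END "
          b"MUST SEE THIS TOO START only MUST SEE THIS END")

if __name__ == "__main__":
    for mode in ("all", "any", "none"):
        print(mode, matching_windows(SAMPLE, b"START", b"END", PATTERNS, mode))
    # "MUST SEE THIS" is a prefix of "MUST SEE THIS TOO", so in this substring
    # model the longer pattern alone satisfies both entries of an "all" rule.
    print(matching_windows(b"START MUST SEE THIS TOO END", b"START", b"END", PATTERNS))
```

Text outside a START..END window is ignored in this model, which is why the copies of the patterns before the first START and between END and the second START do not contribute to a match.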

XML pattern rules are more advanced patterns that could cause performance issues if created without review and approval from Trend Micro. Creating your own XML pattern rules is not recommended.

Category: Configure; Troubleshoot
Solution Id: 1103153