Greetings to all,
I am trying to implement a custom IPS policy to block potentially harmful websites. The idea is to block URLs based on domain (for tests I am using *.wikipedia.org), and eventually also punctual rules on harmful files (wikipedia.org/malicious.php).
I already saw some articles regarding IPS, but I didn't find anything where the rules are explained (eventually with all the variables/parameters to insert within the custom rule). Can you help me find something?
I have implemented Firewall-based rules, but I'm not able to use them since FW detects only the proxy URLs, so I'll have to implement only IPS-based rules on the packets.
The rule I am implementing is the following, but the site is not blocked via IPS custom rules:
rule tcp, dest=(80,8080,443,3128) msg="wikipedia.org", content="*.wikipedia.org"
Is there something I'm missing? If I omit the destination ports, does it take them all?
I appreciate any feedback you can provide,
Thanks