IPS Pattern Updates and Existing Policies

When the XG device updates IPS patterns, under what circumstances will those updates be applied to existing policies/rules? If we do a 'search' for SMB in the IPS policy, select all and create a rule off that, will it be updated with new SMB patterns, or would we need to redo the search every update? I'm thinking the latter, as the XG doesn't save search terms it appears. This makes 'tuning' IPS impossible, and we are stuck with all or nothing if you want current patterns. Is best case to grab categories? Which means, if I have a specific need with 3 signatures, I have to grab the entire category of 3000?



  • Good question.

    At the moment there is no way to say "create an IPS rule where all signatures belong to SMB". You have categories, OS types, etc., but maybe a custom category should be allowed. In this way we can add multiple "words", select this category and create the proper IPS Policy.

    Open a feature request on ideas.sophos.com and post the link here. Users will then be able to vote on it.

    Regards

  • If I'm not mistaken, this feature is coming in v17. Alan posted a teaser in the v17 thread. Here is the portion from his post that I believe would apply:

    "Here's another small teaser image. The new Smart Filter feature in IPS and App Control policies, allows dynamic selection of patterns by search terms. For example, if you're securing access to a sharepoint server, it's pretty trivial now, to use the smart filter, to dynamically select all sharepoint related attack patterns both now, and in future. You can do this statically today, but you would have to periodically edit your policy, and make sure to add any new patterns we may add, over time. This does that for you, automatically, every time there is a pattern update"

    Thanks,

    John
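    The difference the question and the quoted teaser turn on is where the selection lives: a rule built by "search, select all, create" stores a frozen list of signature IDs, while a search-term filter is re-evaluated against the current pattern database on every update. The following is an added example that models that difference in Python; it is not code from this thread or from Sophos, and the signature records, the update feed and the class names (`StaticPolicy`, `SmartFilterPolicy`) are constructed for illustration, not XG data or its API.

```python
"""
Constructed model of static vs. dynamic (search-term) IPS pattern selection.
All signature records and the update feed are made up for illustration;
they are not Sophos XG data and this is not the XG API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    category: str


# Constructed pattern database as it stood when the policy was created.
INITIAL_DB = [
    Signature(1001, "SMB: share enumeration", "Network"),
    Signature(1002, "SMBv1 negotiate request", "Network"),
    Signature(2001, "SharePoint: path traversal attempt", "Web Server"),
    Signature(3001, "HTTP: malformed header", "Web Server"),
]

# Constructed pattern update: two new SMB signatures and one unrelated one.
UPDATE_FEED = [
    Signature(1003, "SMB: named pipe anomaly", "Network"),
    Signature(1004, "SMB: oversized transaction", "Network"),
    Signature(3002, "DNS: oversized TXT record", "Network"),
]


def search(db, term):
    """Case-insensitive substring match of the search term against signature names."""
    needle = term.lower()
    return {s.sid for s in db if needle in s.name.lower()}


@dataclass(frozen=True)
class StaticPolicy:
    """What 'search, select all, create rule' yields today: a frozen set of sids.
    The search term is not retained, so later updates cannot extend it."""
    sids: frozenset

    def covered(self, db):
        # Only sids captured at creation time, and only those still present.
        return {s.sid for s in db if s.sid in self.sids}


@dataclass(frozen=True)
class SmartFilterPolicy:
    """Policy stored as a search term and re-evaluated against the live database."""
    term: str

    def covered(self, db):
        return search(db, self.term)


def static_policy_from_search(db, term):
    """Snapshot the current search result into a static policy (today's workflow)."""
    return StaticPolicy(frozenset(search(db, term)))


def apply_update(db, feed):
    """Merge an update feed into the database, replacing any sid already present."""
    merged = {s.sid: s for s in db}
    merged.update({s.sid: s for s in feed})
    return list(merged.values())


def coverage_gap(term, policy, db):
    """Signatures that match the operator's intent (the term) in the current
    database but are not enabled by the policy: the set an admin would have
    to add by hand after each pattern update."""
    return search(db, term) - policy.covered(db)


def gap_report(term, policy, db):
    """Human-readable list of uncovered signatures, for a post-update review."""
    by_sid = {s.sid: s for s in db}
    return sorted(f"{sid} {by_sid[sid].name}" for sid in coverage_gap(term, policy, db))


if __name__ == "__main__":
    static = static_policy_from_search(INITIAL_DB, "SMB")
    smart = SmartFilterPolicy("SMB")
    after = apply_update(INITIAL_DB, UPDATE_FEED)
    print("static policy after update :", sorted(static.covered(after)))
    print("smart filter after update  :", sorted(smart.covered(after)))
    print("static policy gap          :", gap_report("SMB", static, after))
    print("smart filter gap           :", gap_report("SMB", smart, after))
```

    Run stand-alone, the static policy still enables only the two signatures it captured, while the filter policy picks up the two new SMB signatures from the update and ignores the unrelated DNS one. The `gap_report` function is the check worth keeping until a search-term filter is available: run it against the pattern list after each update to see which newly added signatures the frozen rule does not cover.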

  • Nice catch, John. So the ideas should be marked as planned soon. Thanks.