This article is the tenth installment in an ongoing series of articles on how to utilize SEP for Incident Response. The complete index to my SEP Incident Response articles can be found here:
How to utilize SEP for Incident Response - Complete Index
In this article, I will demonstrate the steps needed to use the custom IPS feature to detect inbound network connection attempts on clients running SEP.
Note: This applies to both SEP 12.1 and SEP 14
To start using custom IPS, log in to the SEPM, go to Policies, and select the Custom Intrusion Prevention Signatures tab:
Select Add Custom Intrusion Prevention Signatures...
On the Signatures tab, select Add... to add a new group and give it a name:
On your newly created group select Add... to build your signature like so:
To detect inbound network connection attempts, enter the following syntax:
rule tcp, dest=(0), tcp_flag&ack, daddr=(0.0.0.0/0), msg="Inbound Connection Attempt Detected", content="SYN"
A caveat before deploying this: content="SYN" is a payload string match, so the rule as written fires on established (ACK) segments whose data happens to contain the text SYN, not on the TCP handshake itself. To match the handshake, test the SYN flag with tcp_flag&syn (the same tcp_flag& keyword family as tcp_flag&ack) and drop the content clause. If the flag test is a bit test, as the & notation suggests, it will also match SYN/ACK replies to the client's own outbound connections, and daddr=(0.0.0.0/0) matches any destination, so narrow daddr to the client's address range if you only want traffic destined for the host. Validate any variant against known traffic in a lab before pushing it to production clients; a signature that matches every inbound SYN will be noisy on busy servers.
Click OK twice to save your changes, and make sure Custom Intrusion Prevention is enabled for the group from the Clients page:
Once the client has received the new policy, custom IPS signature detections are logged to the Security Log on the SEP client:
You can also view them from the SEPM using the Network and Host Exploit Mitigation Log:
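Because a custom IPS signature cannot be tested until it has been pushed to a client, it helps to reason about what a rule will and will not match first. The following is an added example, not Symantec code and not part of the original article: a small Python matcher for the keywords used in the signature above (rule tcp, dest=(...), daddr=(...), tcp_flag&<flag>, msg="...", content="..."). The semantics are assumptions for illustration: every clause must hold, tcp_flag&X is a bit test (so tcp_flag&syn also matches a SYN/ACK), dest=(0) is treated as "any port", and content is a plain substring search of the payload. The packets are constructed, not captured. It shows that the article's signature fires on an established session carrying the text "SYN" in its data, while a rule testing the SYN flag fires on the actual connection attempt.

```python
"""Toy matcher for SEP-style custom IPS 'rule' signatures (added example, not Symantec code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed TCP segment; 'flags' holds the names of the set TCP flags."""
    saddr: str
    daddr: str
    sport: int
    dport: int
    flags: frozenset
    payload: bytes = b""


def split_top_level(text):
    """Split on commas that are outside double quotes and parentheses."""
    fields, cur, depth, in_quote = [], [], 0, False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch == "(":
            depth += 1
        elif not in_quote and ch == ")":
            depth -= 1
        if ch == "," and depth == 0 and not in_quote:
            fields.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur).strip())
    return fields


def parse_rule(text):
    """Parse one signature line into a dict of match criteria (assumed grammar)."""
    if not text.startswith("rule "):
        raise ValueError("signature must start with 'rule '")
    fields = split_top_level(text[len("rule "):])
    rule = {"proto": fields[0].lower(), "dest": None, "daddr": None,
            "flags": set(), "content": None, "msg": ""}
    for f in fields[1:]:
        if f.startswith("tcp_flag&"):
            rule["flags"].add(f.split("&", 1)[1].lower())
        elif f.startswith("dest=("):
            rule["dest"] = {int(p) for p in f[6:-1].split(",")}
        elif f.startswith("daddr=("):
            rule["daddr"] = ipaddress.ip_network(f[7:-1], strict=False)
        elif f.startswith("msg="):
            rule["msg"] = f[4:].strip('"')
        elif f.startswith("content="):
            rule["content"] = f[8:].strip('"').encode()
        else:
            raise ValueError("unsupported keyword: " + f)
    return rule


def matches(rule, pkt):
    """Assumed semantics: all clauses must hold; tcp_flag&X means bit X is set;
    dest=(0) means any port; content is a substring search of the payload only."""
    if rule["proto"] != "tcp":
        return False
    if rule["dest"] and 0 not in rule["dest"] and pkt.dport not in rule["dest"]:
        return False
    if rule["daddr"] and ipaddress.ip_address(pkt.daddr) not in rule["daddr"]:
        return False
    if not rule["flags"] <= pkt.flags:
        return False
    if rule["content"] is not None and rule["content"] not in pkt.payload:
        return False
    return True


def evaluate(signature, packets):
    """Return the indexes of the packets the signature would fire on."""
    rule = parse_rule(signature)
    return [i for i, p in enumerate(packets) if matches(rule, p)]


# The signature from the article, and a variant that tests the SYN flag
# instead of searching the payload for the text "SYN".
ARTICLE_RULE = ('rule tcp, dest=(0), tcp_flag&ack, daddr=(0.0.0.0/0), '
                'msg="Inbound Connection Attempt Detected", content="SYN"')
SYN_FLAG_RULE = ('rule tcp, dest=(0), tcp_flag&syn, daddr=(0.0.0.0/0), '
                 'msg="Inbound Connection Attempt Detected"')

# Constructed traffic: 0 = a real inbound connection attempt (bare SYN to 445),
# 1 = an established session whose payload happens to contain "SYN",
# 2 = an established session with an unrelated payload.
SAMPLE_PACKETS = [
    Packet("10.0.0.9", "10.0.0.5", 51000, 445, frozenset({"syn"})),
    Packet("10.0.0.9", "10.0.0.5", 51001, 80, frozenset({"ack", "psh"}),
           b"GET /?q=SYN HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"),
    Packet("10.0.0.9", "10.0.0.5", 51002, 80, frozenset({"ack", "psh"}),
           b"GET / HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"),
]

if __name__ == "__main__":
    for name, sig in (("article rule", ARTICLE_RULE), ("syn-flag rule", SYN_FLAG_RULE)):
        print(name, "fires on packets", evaluate(sig, SAMPLE_PACKETS))
```

Running it reports that the article's rule fires only on packet 1 (the HTTP request containing "SYN") and the flag-based rule only on packet 0 (the bare SYN). The matcher is a model, not the SEP engine: confirm the real behaviour by pushing the signature to a lab client and checking its Security Log.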
As always, please leave feedback, comments, or questions. Or you can reach out to me directly.