Comware V7 IPS通过Snort规则过滤淘宝网站

通过IPS自定义Snort规则过滤访问淘宝网站。

1.定义Snort规则文件

在PC上新建“taobao.rules”,编辑增加如下四条规则。编辑完成的文件见附件。

Snort规则共四条，分别检测DNS,HTTP,HTTPS协议请求:

（1）alert udp any any -> any 53 (msg:"DNS Query for *.***.***"; flow:established,to_server; content:"|06|taobao|03|com"; fast_pattern:only; nocase; classtype:not-suspicious; sid:2016001; rev:1;)
      
检测UDP传输DNS协议请求域名字段是否含有|06|taobao|03|com

（2）alert tcp any any -> any 53 (msg:"DNS Query for a *.***.***"; flow:established,to_server; content:"|06|taobao|03|com"; fast_pattern:only; nocase; classtype:not-suspicious; sid:2016002; rev:1;)
检测TCP传输DNS协议请求域名字段是否含有|06|taobao|03|com

（3）alert tcp any any -> any 80 (msg:"HTTP Request for *.***.***"; flow:established,to_server; content:".***.***"; fast_pattern:only; nocase; http_header; pcre:"/Host\x3A\x20[^\n]{0,16}\x2Etaobao\x2Ecom/Hi"; classtype:not-suspicious; sid:2016003; rev:1;)
检测HTTP请求host字段是否含有.***.***

（4）alert tcp any 443 -> any any (msg:"HTTPS Request for *.***.***"; flow:established,to_client; content:"|24|Alibaba (China) Technology Co., Ltd"; fast_pattern:only; nocase; classtype:not-suspicious; sid:2016004; rev:1;)
检测https证书字段是否含有$Alibaba (China) Technology Co., Ltd

2.导入Snort文件至设备

[H3C]ips signature import snort tftp://10.88.8.196/taobao.rules（或者先通过tftp或者ftp方式上传至设备）

3.在自定义IPS策略上使能规则

<H3C>dis ips signature user-defined
 User-defined signatures total:4         failed:0

Flag:
  Pre: predefined   User: user-defined

Type Sig-ID    Direction Severity Fidelity Category      Protocol
  User 538886913 To-server Low      Low             UDP     
  User 538886914 To-server Low      Low             TCP     
  User 538886915 To-server Low      Low             TCP     
  User 538886916 To-client Low      Low             TCP

[H3C]ips policy test
   [H3C-ips-policy-test]signature override user-defined 538886913 enable reset logging
   [H3C-ips-policy-test]signature override user-defined 538886914 enable reset logging  
   [H3C-ips-policy-test]signature override user-defined 538886915 enable reset logging  
   [H3C-ips-policy-test]signature override user-defined 538886916 enable reset logging 

4.在域间策略中调用IPS策略

5.激活策略

[H3C]inspect activate
   Rule&＃39;s activity begin:100%