I am testing a customized IPS to drop some traffic.
There is a software that uses UDP to send login info to the server, and if UDP is blocked, it uses TCP to send the login info.
I can block the UDP port it uses because it is not a common port, but it also uses TCP ports 80/443, which cannot be blocked.
And it is not a good solution to block the server's DNS name or IP, because the server list always changes.
So I think I can use a customized IPS to drop the login info packet.
And I do succeed in dropping the TCP packet but fail to drop the UDP packet.
My test:
If I use the default firewall policy and apply the customized IPS, the software can log in.
If I use the default firewall policy but just add a BLOCK ALL UDP rule ahead of the Allow ALL APPS rule, and apply the customized IPS, then the software fails to log in, and I can see in the IPS logs that it drops the TCP login info packet.
So I am confused: what is the priority of firewall policy, IPS and customized IPS?
If firewall policy is higher, customized IPS will do nothing.
If customized IPS is higher, I should be able to see in the IPS logs that it drops the UDP and TCP packets.
My customized IPS rules are:
------------------------------
rule udp, dest=(xxxx),msg="DROP XXX UDP LOGIN",content="\x01\x01\x01"
rule tcp, dest=(80,443),msg="DROP XXX TCP LOGIN",regexpcontent="\x01\x01\x01" (58,3)
------------------------------
So can someone give me an answer?
Thanks in advance.
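The two test results above can be checked against a small model of the packet path. The following is an added example, not code from the original post or from any IPS product: it models the client's UDP-then-TCP fallback, a firewall stage that may block all UDP, and an IPS stage that applies the two custom rules, and then asks which combination of evaluation order (firewall first or IPS first) and UDP signature behaviour reproduces what was observed. The payloads, the UDP destination port 5555 (standing in for the `xxxx` in the rule) and the reading of `(58,3)` as "apply the regex to 3 bytes starting at payload offset 58" are all assumptions made for the model.

```python
import re

# Constructed sample payloads (assumptions, not captured from the real application).
UDP_LOGIN_MATCHING = b"\x00\x10user\x01\x01\x01pass"       # contains the signature bytes
UDP_LOGIN_NONMATCHING = b"\x00\x10user\x02\x02\x02pass"    # signature bytes absent
TCP_LOGIN = b"\x00" * 58 + b"\x01\x01\x01" + b"user:pass"  # signature bytes at offset 58

UDP_PORT = 5555  # placeholder for the "xxxx" port in the UDP rule

# The two custom IPS rules from the post, expressed as data.
# regexpcontent is modelled as (pattern, offset, length): an assumption about the syntax.
IPS_RULES = [
    {"proto": "udp", "dest": {UDP_PORT}, "msg": "DROP XXX UDP LOGIN",
     "content": b"\x01\x01\x01"},
    {"proto": "tcp", "dest": {80, 443}, "msg": "DROP XXX TCP LOGIN",
     "regexpcontent": (rb"\x01\x01\x01", 58, 3)},
]


def ips_match(rule, pkt):
    """True if the rule's protocol, destination port and content test all match."""
    if rule["proto"] != pkt["proto"] or pkt["dport"] not in rule["dest"]:
        return False
    if "content" in rule:
        return rule["content"] in pkt["payload"]          # content: anywhere in payload
    pattern, offset, length = rule["regexpcontent"]
    window = pkt["payload"][offset:offset + length]       # regexpcontent: fixed window
    return re.search(pattern, window) is not None


def firewall_blocks(pkt, block_udp):
    """Firewall policy: either default allow, or a BLOCK ALL UDP rule ahead of allow-all."""
    return block_udp and pkt["proto"] == "udp"


def process_packet(pkt, order, block_udp, log):
    """Run the packet through the stages in the given order; True if it reaches the server."""
    for stage in order:
        if stage == "firewall" and firewall_blocks(pkt, block_udp):
            return False                                  # dropped silently, no IPS log
        if stage == "ips":
            for rule in IPS_RULES:
                if ips_match(rule, pkt):
                    log.append(rule["msg"])               # what the IPS log would show
                    return False
    return True


def attempt_login(udp_payload, order, block_udp):
    """Client behaviour from the post: try UDP, fall back to TCP 443 if UDP fails."""
    log = []
    udp_pkt = {"proto": "udp", "dport": UDP_PORT, "payload": udp_payload}
    if process_packet(udp_pkt, order, block_udp, log):
        return True, log
    tcp_pkt = {"proto": "tcp", "dport": 443, "payload": TCP_LOGIN}
    return process_packet(tcp_pkt, order, block_udp, log), log


# Observations from the post, keyed by whether the BLOCK ALL UDP rule was present.
# Scenario 1 reported only the login outcome, so its log is not compared (None).
OBSERVED = {False: (True, None), True: (False, ["DROP XXX TCP LOGIN"])}


def reproduces_observation(udp_payload, order):
    """True if this UDP payload and stage order give the same results as both tests."""
    for block_udp, (exp_login, exp_log) in OBSERVED.items():
        login, log = attempt_login(udp_payload, order, block_udp)
        if login != exp_login or (exp_log is not None and log != exp_log):
            return False
    return True


if __name__ == "__main__":
    for order in (("firewall", "ips"), ("ips", "firewall")):
        for name, payload in (("UDP sig matches", UDP_LOGIN_MATCHING),
                              ("UDP sig does not match", UDP_LOGIN_NONMATCHING)):
            print(order, name, "->", reproduces_observation(payload, order))
```

Running the model shows that a UDP signature which actually matches the login packet would have dropped it in the first test (no UDP block rule) under either ordering, so the software could not have logged in. Both observations are reproduced, under both orderings, only when the UDP signature never fires; the logs therefore say nothing about firewall-versus-IPS priority, and the first thing to verify is whether the UDP rule's port and content bytes really match the traffic, for example against a capture of the UDP login packet.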