McAfee® Host Intrusion Prevention 6.1 Product Guide | Writing Custom Signatures |
| Rule Structure |
A rule to prevent a request to the web server that has “subject” in the HTTP request query has the following format:
Rule {
    Class Isapi
    Id 4001
    level 4
    query { Include "*subject*" }
    method { Include "GET" }
    time { Include "*" }
    application { Include "*" }
    user_name { Include "*" }
    directives
}
See Windows Custom Signatures for an explanation of the various sections and values.
Mandatory common sections
A rule’s mandatory sections and their values include the items below. For mandatory sections relevant to the class section that is selected, see the class section under Windows, Unix, and Linux Custom Signatures. The keywords Include and Exclude are used for all sections except for Id, level, and directives. Include means that the section works on the value indicated, and Exclude means that the section works on all values except the one indicated.
| Section Name | Value | Description |
|---|---|---|
| Class | Depends on operating system. | Indicates the class this rule applies to. See: Windows Custom Signatures, Solaris Custom Signatures, Linux Custom Signatures |
| Id | 4000 - 7999 | The unique ID number of the signature. The numbers are the ones available for custom rules. |
| level | 0, 1, 2, 3, 4 | The security level of the signature: 0=Disabled, 1=White, 2=Yellow, 3=Orange, 4=Red |
| time | {Include "*"} | This section has this one value only. |
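An added example, not taken from the McAfee guide: a small Python linter that checks a custom rule against the constraints listed above (Id 4000-7999, level 0-4, time fixed to Include "*", Include or Exclude in every braced section). The function names and the constructed BAD_RULE are illustrative; Class is read as a bare value, as in the page's example, and only the four sections visible in the table are treated as mandatory.

```python
import re

# Constraints stated on this page. The table is cut off after "time", so only
# Class, Id, level and time are checked as mandatory (assumption).
ID_MIN, ID_MAX = 4000, 7999
LEVELS = {0: "Disabled", 1: "White", 2: "Yellow", 3: "Orange", 4: "Red"}
QUOTED = re.compile(r'(\w+)\s+["\u201c]([^"\u201d]*)["\u201d]')  # straight or curly quotes

def parse_rule(text):
    """Split one Rule { ... } block into scalar sections and braced sections."""
    m = re.search(r'Rule\s*\{(.*)\}', text, re.S)
    if not m:
        raise ValueError("no Rule { ... } block found")
    body = m.group(1)
    braced = {n: QUOTED.findall(inner)
              for n, inner in re.findall(r'(\w+)\s*\{([^{}]*)\}', body)}
    flat = re.sub(r'\w+\s*\{[^{}]*\}', ' ', body)  # keep quoted values out of the scalar scan
    scalars = dict(re.findall(r'\b(Class|Id|level)\s+(\S+)', flat))
    return scalars, braced

def lint_rule(text):
    """Return a list of problems; an empty list means every check passed."""
    scalars, braced = parse_rule(text)
    have = set(scalars) | set(braced)
    problems = [f"missing mandatory section: {s}"
                for s in ("Class", "Id", "level", "time") if s not in have]
    sig_id = scalars.get("Id", "")
    if sig_id and not (sig_id.isdigit() and ID_MIN <= int(sig_id) <= ID_MAX):
        problems.append(f"Id {sig_id} is outside the custom range {ID_MIN}-{ID_MAX}")
    level = scalars.get("level", "")
    if level and not (level.isdigit() and int(level) in LEVELS):
        problems.append(f"level {level} is not one of 0-4")
    elif level == "0":
        problems.append("level 0 means the signature is disabled")
    for name, entries in braced.items():
        if not entries or any(kw not in ("Include", "Exclude") for kw, _ in entries):
            problems.append(f"{name}: each value needs the keyword Include or Exclude")
    if "time" in braced and braced["time"] != [("Include", "*")]:
        problems.append('time: the only valid value is { Include "*" }')
    return problems

# The rule from this page, then a constructed rule that breaks each check.
PAGE_RULE = ('Rule { Class Isapi Id 4001 level 4 query { Include "*subject*" } '
             'method { Include "GET" } time { Include "*" } '
             'application { Include "*"} user_name { Include "*" } directives }')
BAD_RULE = 'Rule { Id 3999 level 5 query { Contains "*subject*" } time { Include "09:00" } }'

if __name__ == "__main__":
    for rule in (PAGE_RULE, BAD_RULE): print(lint_rule(rule) or "OK")
```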