Manuals / McAfee / Marine Equipment / Marine Radio

McAfee 6.1 manual Use of Include and Exclude, Name/domain user name

Models: 6.1

1 201

Download 201 pages 13.13 Kb

Page 166

McAfee® Host Intrusion Prevention 6.1 Product Guide	Writing Custom Signatures
	Rule Structure

A

Section Name	Value	Description

user_name	{Include/Exclude “user or	The users to whom the rule applies.
	system account”}	Specify particular users or all users.
		Remarks for Windows:
		For local user: use <machine
		name>/<local user name>.
		For domain user: use <domain
		name>/<domain user name>.
		For local system: use Local/System;
		this is equivalent to NT
		Authority/System in Windows NT, and
		<domain>/<machine> in Windows
		2000.
		Some remotely initiated actions do not
		report the ID of the remote user, but
		use the local service and its user
		context instead. You need to plan
		accordingly when developing rules.
		When a process occurs in the context of
		a Null Session, the user and domain are
		‘Anonymous’. If a rule applies to all
		users, use *. On Solaris this section is
		case sensitive.

application	{Include/Exclude “path	The full path of the process that
	and application name”}	performed the operation that created
		the instance. When the operation is
		remote, the application is the local
		service/server that handles the
		operation.
		Some local operations are handled as if
		they were remote. For example, for
		Windows the application name will be
		the local service/server that handles the
		operation. If a rule applies to all
		applications, use *. On Solaris this
		section is case sensitive.

directives -c -d	operation type	The operation types are class
		dependent, and are listed for each class
		in the later sections. Note that the
		switches –c and –d must be used.

You can create a signature with multiple rules by simply adding one rule after another. Keep in mind that each rule in the same signature must have the same value for its id and level sections.

Use of Include and Exclude

When you mark a section value as Include, the section works on the value indicated; when you mark a section value as Exclude, the section works on all values except the one indicated. When you use these keywords, they are enclosed in brackets { ... } and their value in quotes “ ... “.

166

Image 166

McAfee 6.1 manual Use of Include and Exclude, Name/domain user name

Contents

McAfee Host Intrusion Prevention Page McAfee Host Intrusion Prevention Copyright Contents IPS Policies General Policies 103 Frequently Asked Questions 160 Writing Custom Signatures 164 IntroducingPrevention Host Intrusion What’s new in this release New featuresChanges from the previous release Using this guide AudienceBold Condensed ConventionsThis guide uses the following conventions ExampleGetting product information Standard documentationProfessional Services Customer ServiceContact information Basic Concepts IPS featureSignature rules Reactions Behavioral rulesEvents Exception rulesFirewall rules Firewall featureClient firewall rules General feature Application Blocking featureClient application blocking rules Policy enforcement Policy managementPolicies and policy categories Policy ownership Policy inheritance and assignmentPolicy assignment locking Adaptive and Learn mode Preset protectionDeployment and management Tuning ReportsUsing ePolicy Orchestrator „ Deploy Host Intrusion Prevention clientsEPolicy Orchestrator console EPolicy Orchestrator consolePolicy management Assign PoliciesAssigning owners to policies Installing the Host Intrusion Prevention serverHost Intrusion Prevention operations Generating notificationsDeploying Host Intrusion Prevention clients Viewing and working with client dataPlacing clients in Adaptive or Learn mode Configuring policies Policy viewing alertsFine-tuning Active X control security warningUsing Help Help navigation proceduresIPS Exception Rules Help in the user interfaceIPS Events/Signatures IPS Signature RulesIPS Policies OverviewHost and network IPS signature rules Benefits of Host IPSBehavioral rules Preset IPS policiesBenefits of Network IPS Quick access Configuring the IPS Options policyTo configure the IPS Options policy IPS Options dialog box appears Click ApplyTo create a new IPS Options policy Select the needed optionsConfiguring the IPS Protection policy To configure the IPS Protection policy To create a new IPS Protection policyIPS Protection dialog box appears Select the type of reaction for each severity levelTo assign IPS Rules policies Configuring the IPS Rules policyTo create a new IPS Rules policy IPS Rules policy details Creating exception rules To create an exceptionYou can view and edit details of an existing exception Editing exception rulesTo edit an exception rule Deleting exception rules To disable/enable an exceptionEnabling and disabling exception rules Moving exception rules to another policyHost signatures SignaturesTypes of signatures Custom host signaturesViewing signatures IPS Rules-Signatures tabCreating custom signatures To modify default signaturesModifying host and network signatures To modify the view of signaturesUsing the wizard to create signatures To create signatures using the wizardUsing the standard mode to create signatures To create a signature with the standard modeNew Custom Signature-General tab To use Standard Method To use Expert Method Editing custom signaturesDeleting custom signatures To edit a custom signatureApplication Protection Rules 11 Application Protection Rules analysisTo create an application protection rule 12 IPS Rules-Application Protection Rules13 New Trusted Application dialog box-General tab Enabling and disabling Application Protection Rules IPS EventsEditing Application Protection Rules Deleting Application Protection RulesViewing events To view IPS eventsFiltering events Configuring the event viewTo change the event view To mark an event as unread Marking eventsTo mark an event as read To hide an event„ Agent „ Signatures „ User „ Process „ Severity Level Marking similar eventsTo mark similar events HiddenCreating event-based exceptions and trusted applications Viewing event detailsTo view event details To create an event-based exception To create an event-based trusted applicationSearching for related exceptions IPS Client RulesTo search for a related exception Regular View To migrate client rules to an IPS Rules policyTo aggregate client rules Aggregated ViewClick the Aggregate View tab on the IPS Client Rules tab Search IPS Exception Rules To search for exceptions and manage the list of exceptions22 Search IPS Exception Rules tab Firewall Policies HIP 6.0 rules HIP 6.1 rulesStateful packet filtering State tableStateful packet inspection How firewall rules work Ordering the firewall rule listHow stateful filtering works Stateful filtering processStateful protocol tracking How stateful packet inspection worksProtocol Description of handling Firewall rule groups and connection-aware groups TCPOverview Firewall Learn and Adaptive modes Stateful filteringQuarantine policies and rules Migrating custom 6.0 firewall rules to 6.1 rules Preset Firewall policiesTo migrate rules Select For these settings Off McAfee Default Configuring the Firewall Options policyTo configure the Firewall Options policy LearnCreate New Policy dialog box appears „ Select New PolicyCreating new Firewall Rules policies Configuring the Firewall Rules policyTo create a Firewall Rules policy Include Local Subnet Automatically selected Select this For this protection Policy Server Medium Server HighTo view and edit a firewall rule Viewing and editing firewall rulesDo any of the following Add Policy or Duplicate PolicyCreating a new firewall rule or firewall group Select the appropriate settings Click OKTo create a firewall rule To create a connection-aware group To create a new rule groupFirewall Rule Group dialog box appears Type a name for this group in the Name fieldTo add predefined rules Deleting a firewall rule or groupTo delete a firewall rule or group To view all firewall client rules Viewing firewall client rulesTo modify the view, do any of the following To view aggregated firewall client rules To view details of an aggregated firewall ruleTo configure the Quarantine Options policy Configuring the Quarantine Options policySelect New Policy Creating new Quarantine Rules policies Configuring the Quarantine Rules policyQuarantine Rules policy provides access for To create a Quarantine Rules policyTo view and edit a quarantine rule Viewing and editing quarantine rulesClick Properties To create a quarantine rule Creating a new quarantine rule or groupDeleting a quarantine rule or group To delete a quarantine rule or groupApplication Blocking Policies Application creationApplication Blocking feature contains two policy categories Preset Application Blocking policiesApplication hooking Select this policy For these settings Off McAfee Default Configuring the Application Blocking Options policyTo apply an Application Blocking Options policy Application Blocking Options Creating new Application Blocking Rules policies Configuring the Application Blocking Rules policyTo create an Application Blocking Rules policy Viewing and editing Application Blocking Rules To view and edit an application blocking ruleApplication Rule dialog box appears Creating new Application Blocking RulesTo create a new application blocking rule 100To delete an application blocking rule Deleting an application blocking ruleViewing application client rules To view all client application rulesTo view aggregated client application rules To view details of an aggregated client application ruleGeneral Policies Preset General policies General feature contains four policy categoriesTo change the policy setting Configuring Enforce PoliciesConfiguring the Client UI policy Regular UserCreating and applying a Client UI policy Administrator UserTo configure a Client UI policy Disconnected UserSetting passwords 107Click the Advanced Options tab in the Client UI policy To create an administrator password108 Tray icon control To create a time-based passwordTo provide tray icon control of Windows UI To configure trusted network options Configuring the Trusted Networks policy110 Remove Select To do this AddEdit Include Local SubnetTo create a new policy Configuring the Trusted Applications policyCreating and applying Trusted Applications policies Trusted Application tab appearsCreating trusted applications To create a trusted applicationEnabling and disabling trusted applications To disable/enable a trusted applicationEditing trusted applications Deleting trusted applicationsAnalyzing IPS events MaintenanceFine-tuning a deployment 115Creating and applying new policies Creating exception rules and trusted application rulesWorking with client exception rules For details on working with client rules, seePolicies tab Policy maintenance and tasksTo view and reset broken inheritance below a specific node Policy inheritance and assignmentTo copy and paste policy assignments of a node Click Copy policy assignmentsViewing policy information To view nodes where a policy is assignedPolicy Catalog To view all policies that have been createdTo view assignments where policy enforcement is disabled To view the settings and owner of a policyEditing policy information To edit a policy Event Archiver Running server tasksDirectory Gateway Property TranslatorHow notifications work Setting up notifications for eventsCreating rules Host Intrusion Prevention notifications 124Pre-defined reports Running reportsReport repository Summary information and details Report content controlHost Intrusion Prevention reports IPS Events Summary by SignatureNetwork Intrusion Summary by Source IP IPS Event Summary by TargetSignature Blocked Application Summary Top 10 Attacked Nodes for IPSTop 10 Triggered Signatures Filters on platform and signature typeTop 10 Blocked Applications Failed Quarantine UpdatesInitial View Drill Down Host Name Updating Checking in the update packageTo add update packages automatically From the Task type list, select Repository PullTo have a client request an update To add update packages manuallyTo run an update task Updating clientsHost Intrusion Prevention Client Windows clientClient console System tray icon133 To unlock the Host Intrusion Prevention interface Setting optionsUnlocking the client interface To customize client optionsShow tray icon Error Reporting Error ReportingTroubleshooting Select For thisTo set Firewall logging options To set IPS logging optionsSecurity Violations Intrusion alerts Alerts137 138 To respond to a firewall Learn Mode alertFirewall alerts Has the Treat rule match as an intrusion option selectedApplication Blocking alerts Spoof Detected alerts Quarantine alerts„ The IP address that the traffic pretends to come from 140 141 IP Spoof Detected Alert dialog boxTo customize IPS Policy options IPS Policy tabIPS Policy options 142To edit the exception rules IPS Policy exception rulesException rules list 143To customize Firewall Policy options Firewall Policy tabFirewall Policy options 144Firewall rules list Firewall Policy Rules145 To customize Application Policy options Application Policy tabApplication Policy options 146Application rules list Application Policy rules147 148 Blocked Hosts tabBlocked Hosts list Column What it shows149 To edit the Blocked Hosts listUntil removed This list shows all monitored processes on the client Application Protection tabApplication Protection list 150To customize Activity Log options Activity Log tabActivity Log options 151Select Create Sniffer Capture... Activity Log list152 McAfee Host Intrusion Prevention OptionsSolaris client TroubleshootingClient installation issues Policy enforcement with the Solaris client154 Client operations issuesRun this command To do this File/Directory Name DescriptionTo restart a Solaris client To stop a Solaris client155 Linux client Policy enforcement with the Linux clientVerifying the client is running File Name DescriptionTroubleshooting tool 158To restart a Linux client Run the command hipts agent offTo stop a Linux client 159What is the McAfee Default policy? Frequently Asked QuestionsWhat is a policy? 160161 How do I view IPS events triggered by clients? How do I create an exception based on an IPS Event?How do I create custom signatures for an IPS Policy? How do I find existing policies that match a given profile?Basic structure of a rule is the following Writing Custom SignaturesRule Structure 164165 Mandatory common sectionsSection Name Value Description Use of Include and Exclude Name/domain user nameSection value variables Optional common sectionsUse of the dependencies section Use of predefined variables Use of wildcardsUse of environment variables Windows IIS Web ServerSolaris Apache and iPlanet MS SQL Database Server169 Class Files This topic describes how to write Windows custom signaturesWindows Custom Signatures 170171 Advanced Details GUI name ExplanationClass Isapi Machine where the client is installed in the manner host Windows Custom Signatures Class Registry 177 Class Services Section Values Meaning/remarksGUI Name Explanation Possible Values Windows Custom Signatures Class UNIXfile This topic describes how to write Solaris custom signaturesSolaris Custom Signatures 181Relevant X directives per section Directive File Source File permission New permissionClass UNIXapache Advanced Details183 Solaris Custom Signatures Linux Custom Signatures 185List of directives according to type Summary of parameters and directivesList of parameters according to type 186Glossary 187188 Blocked host189 Console tree190 EPolicy Orchestrator database server191 See also minimal properties192 Inactive agent193 Policy enforcement interval194 Severity level195 SYN floodIndex Working with clients Signatures, 46 creating, 48 creating custom Firewall policy tab rules List IPS Policy tab Page Mcafee.com