McAfee® Host Intrusion Prevention 6.1 Product Guide | Writing Custom Signatures | Rule Structure
For example, to monitor all the text files in C:\test\:
files { Include "C:\\test\\*.txt" }
and to monitor all the files except the text files in C:\test\:
files { Exclude "C:\\test\\*.txt" }
Combine the keywords to exclude values from a set of included values. To monitor all the text files in folder C:\test\ except the file abc.txt:
files { Include "C:\\test\\*.txt" }
files { Exclude "C:\\test\\abc.txt" }
Each time you add the same section with the same keyword, you add an operation. To monitor any text file in folder C:\test\ whose name starts with the string "abc":
files { Include "C:\\test\\*.txt" }
files { Include "C:\\test\\abc*" }
Optional common sections
A rule's common optional sections and their values are listed below. For the optional sections relevant to the class section that is selected, see the class section under Windows, Unix, and Linux Custom Signatures. The keywords Include and Exclude are used for both dependencies and attributes: Include means that the section works on the value indicated, and Exclude means that the section works on all values except the one indicated.
Section | Value | Description
dependencies | {Include/Exclude "id of a rule"} | Defines dependencies between rules and prevents the triggering of dependent rules. Only switches are used.
Use of the dependencies section
Add the optional section dependencies to prevent a more general rule from being triggered along with a more specific rule. For example, suppose there is one rule to monitor a single text file in C:\test\
files { Include "C:\\test\\abc.txt" }
as well as a rule to monitor all the text files in C:\test\
files { Include "C:\\test\\*.txt" }
Add the section dependencies to the more specific rule, which tells the system not to trigger the more general rule when the specific rule is triggered.
files { Include "C:\\test\\abc.txt" }
dependencies
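To make the Include/Exclude combination rules and the dependencies behaviour described above concrete, here is a small evaluator for the `section { Include/Exclude "value" }` syntax. It is an added example, not code from McAfee or the product guide; the matching semantics (repeated Include lines narrow the set, any Exclude match removes a candidate, case-insensitive Windows paths, and a firing rule suppressing the rule ids its dependencies section names) are assumptions read off the guide's examples, and the rule ids are hypothetical.

```python
import fnmatch
import re

# Added example, not McAfee's own code: a toy evaluator for the
# 'section { Include/Exclude "value" }' rule syntax shown in this guide.
SECTION_RE = re.compile(r'^\s*(\w+)\s*\{\s*(Include|Exclude)\s+"([^"]*)"\s*\}\s*$')

def parse_rule(text):
    """Parse one rule (one section per line) into {section: {"Include": [...], "Exclude": [...]}}."""
    rule = {}
    for line in text.strip().splitlines():
        m = SECTION_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule line: {line!r}")
        section, keyword, value = m.groups()
        # Backslashes are doubled in rule values, as in the guide's examples.
        ops = rule.setdefault(section, {"Include": [], "Exclude": []})
        ops[keyword].append(value.replace("\\\\", "\\"))
    return rule

def section_matches(rule, section, candidate):
    """Assumed semantics from the guide's examples: every Include value must match
    (repeated Includes narrow the set), no Exclude value may match; paths compared case-insensitively."""
    ops = rule.get(section)
    if not ops or not ops["Include"]:
        return False
    c = candidate.lower()
    included = all(fnmatch.fnmatchcase(c, p.lower()) for p in ops["Include"])
    excluded = any(fnmatch.fnmatchcase(c, p.lower()) for p in ops["Exclude"])
    return included and not excluded

def triggered_rules(rules, path):
    """rules: {rule_id: rule_text}. Ids that fire for path, after each firing rule suppresses the ids its dependencies name."""
    parsed = {rid: parse_rule(text) for rid, text in rules.items()}
    fired = {rid for rid, r in parsed.items() if section_matches(r, "files", path)}
    suppressed = set()
    for rid in fired:
        suppressed.update(parsed[rid].get("dependencies", {}).get("Include", []))
    return sorted(fired - suppressed)

# Constructed sample: the guide's general and specific rules, with the
# dependency added to the specific one. Rule ids are hypothetical.
SAMPLE_RULES = {
    "all_text_files": r'files { Include "C:\\test\\*.txt" }',
    "abc_only": "\n".join([r'files { Include "C:\\test\\abc.txt" }',
                           r'dependencies { Include "all_text_files" }']),
}
```

With these rules, `triggered_rules(SAMPLE_RULES, r"C:\test\abc.txt")` returns only `abc_only`, while any other text file in the folder fires `all_text_files` alone.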
Section value variables
Wildcards,