McAfee® Host Intrusion Prevention 6.1 Product Guide

Writing Custom Signatures

 

Rule Structure

• Use of wildcards
• Use of environment variables
• Use of predefined variables

Use of wildcards

You can use wildcards for some of the section values.

| Character | What it represents |
|---|---|
| ? (question mark) | A single character. |
| * (asterisk) | Multiple characters. For example: user_name { Include "*" } |
| & (ampersand) | Multiple characters except / and \. Use to match the root-level contents of a folder but not any subfolders. For example: files { Include "C:\\test\\&.txt" } |
| ! (exclamation mark) | Wildcard escape. For example: files { Include "C:\\test\\yahoo!!.txt" } |
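To check how much a pattern covers before it goes into a signature, the wildcard table can be turned into a small matcher. This is an added example, not code from the product guide or from McAfee. The function names and sample paths are hypothetical, and it assumes that "multiple characters" includes zero characters, that a doubled backslash in a rule string stands for one backslash (as the examples suggest), and that matching is case-insensitive.

```python
import re

def pattern_to_regex(pattern):
    """Translate a rule value using ?, *, & and ! into a compiled regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
        if ch == "!" and nxt:
            out.append(re.escape(nxt))   # '!' escapes the next character
            i += 2
        elif ch == "\\" and nxt == "\\":
            out.append(r"\\")            # assumption: doubled backslash is one backslash
            i += 2
        else:
            if ch == "?":
                out.append(".")          # a single character
            elif ch == "*":
                out.append(".*")         # multiple characters of any kind
            elif ch == "&":
                out.append(r"[^/\\]*")   # multiple characters, no slash or backslash
            else:
                out.append(re.escape(ch))
            i += 1
    # Assumption: matching is case-insensitive, as Windows paths are.
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)

def matches(pattern, value):
    """True when the whole value is covered by the pattern."""
    return pattern_to_regex(pattern).fullmatch(value) is not None

# Constructed sample paths, not taken from the guide.
SAMPLES = [r"C:\test\a.txt", r"C:\test\sub\a.txt", r"C:\test\yahoo!.txt"]

def coverage(pattern):
    """Return the sample values an Include pattern would cover."""
    return [s for s in SAMPLES if matches(pattern, s)]

if __name__ == "__main__":
    for p in (r"C:\\test\\&.txt", r"C:\\test\\*.txt", r"C:\\test\\yahoo!!.txt"):
        print(p, "->", coverage(p))
```

The & pattern leaves out the file in the subfolder, while the * pattern covers all three samples, which is the difference to weigh when scoping a files section.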

 

 

Use of environment variables

Use environment variables, through the iEnv command with one parameter (the variable name), as shorthand for Windows file and directory path names.

| Environment variable | What it represents |
|---|---|
| iEnv SystemRoot | C:\winnt\, where C is the drive that contains the Windows System folder. For example: files { Include "[iEnv SystemRoot]\\system32\\abc.txt" } |
| iEnv SystemDrive | C:\, where C is the drive that contains the Windows System folder. For example: files { Include "[iEnv SystemDrive]\\system32\\abc.txt" } |

 

 

Use of predefined variables

Host Intrusion Prevention provides predefined variables for rule writing. These variables are preceded by “$” and are listed below.

Windows IIS Web Server

| Variable | Meaning |
|---|---|
| IIS_BinDir | Directory where inetinfo.exe is located |
| IIS_Computer | Machine name that IIS runs on |
| IIS_Envelope | Includes all files that IIS is allowed to access |
| IIS_Exe_Dirs | Virtual directories that allow file execution including system root and IIS root |
| IIS_Ftp_Dir | FTP site root directories |
| IIS_FTP_USR | Local ftp Anonymous user account name |
| IIS_FtpLogDir | FTP log files directory |
| IIS_IUSR | Local web anonymous user account name |

 

 
