McAfee® Host Intrusion Prevention 6.1 Product Guide | Writing Custom Signatures |
| Rule Structure |
Use of wildcards
You can use wildcards for some of the section values.
Character | What it represents |
? (question mark) | A single character. |
* (asterisk) | Multiple characters. |
| user_name { Include "*" } |
& (ampersand) | Multiple characters except / and \. Use to match the |
| files { Include "C:\\test\\&.txt" } |
! (exclamation mark) | Wildcard escape. |
| files { Include "C:\\test\\yahoo!!.txt" } |
Use of environment variables
Use environment variables as shorthand for Windows file and directory path names. Specify them with the iEnv command, which takes one parameter (the variable name).
Environment variable | What it represents |
iEnv SystemRoot | C:\winnt\, where C is the drive that contains the Windows System folder. |
| For example: |
| files { Include "[iEnv SystemRoot]\\system32\\abc.txt" } |
iEnv SystemDrive | C:\, where C is the drive that contains the Windows System folder. |
| For example: |
| files { Include "[iEnv SystemDrive]\\system32\\abc.txt" } |
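The wildcard and iEnv rules above, modelled as an added Python sketch (not McAfee code and not part of the product guide) so that the scope of a section value can be checked against sample paths before a signature is deployed. Assumptions: `*` and `&` may match zero characters, `\\` in a rule value stands for one backslash, a trailing backslash on a variable's value is dropped before joining, and the environment values and paths are constructed samples.

```python
import re

# Constructed sample values; on a real host these come from the Windows environment.
SAMPLE_ENV = {"SystemRoot": "C:\\winnt\\", "SystemDrive": "C:\\"}

IENV = re.compile(r"\[iEnv (\w+)\]")
# Wildcards from the table: ? one character, * any run, & any run without / or \
WILDCARDS = {"?": ".", "*": ".*", "&": r"[^/\\]*"}


def to_regex(value, env=SAMPLE_ENV):
    """Translate a section value into a compiled regex (model of the documented rules)."""
    out, i = [], 0
    while i < len(value):
        m = IENV.match(value, i)
        if m:
            # [iEnv Name] expands to a literal path; unknown names raise KeyError.
            out.append(re.escape(env[m.group(1)].rstrip("\\")))
            i = m.end()
        elif value[i] == "!" and i + 1 < len(value):
            # "!" is the wildcard escape: the next character is taken literally.
            out.append(re.escape(value[i + 1]))
            i += 2
        elif value[i:i + 2] == "\\\\":
            # Assumption: a doubled backslash in the rule text is one path separator.
            out.append(re.escape("\\"))
            i += 2
        else:
            out.append(WILDCARDS.get(value[i], re.escape(value[i])))
            i += 1
    return re.compile("".join(out), re.DOTALL)


def matches(value, path, env=SAMPLE_ENV):
    """True when the whole path is covered by the section value."""
    return to_regex(value, env).fullmatch(path) is not None


def covered(value, paths, env=SAMPLE_ENV):
    """Return the subset of paths that a section value would cover."""
    return [p for p in paths if matches(value, p, env)]


if __name__ == "__main__":
    paths = [r"C:\test\a.txt", r"C:\test\sub\a.txt", r"C:\test\yahoo!.txt"]  # constructed
    for rule in (r"C:\\test\\&.txt", r"C:\\test\\*.txt", r"C:\\test\\yahoo!!.txt"):
        print(rule, "->", covered(rule, paths))
```

Comparing the `&` and `*` results on the same path list shows how much wider a `*` rule reaches, since it also crosses directory separators.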
Use of predefined variables
Host Intrusion Prevention provides
Windows IIS Web Server
Variable | Meaning |
IIS_BinDir | Directory where inetinfo.exe is located |
IIS_Computer | Machine name that IIS runs on |
IIS_Envelope | Includes all files that IIS is allowed to access |
IIS_Exe_Dirs | Virtual directories that allow file execution including system root and IIS root |
IIS_Ftp_Dir | FTP site root directories |
IIS_FTP_USR | Local ftp Anonymous user account name |
IIS_FtpLogDir | FTP log files directory |
IIS_IUSR | Local web anonymous user account name |