
McAfee® Host Intrusion Prevention 6.1 Product Guide
Appendix A: Writing Custom Signatures
Windows Custom Signatures
This topic describes how to write Windows custom signatures.
Paths in rules of the Windows class Files use double backslashes (\\) as the separator, because a single backslash is treated as an escape character in the signature syntax; rules of the Solaris class UNIX_Files use a single forward slash (/).
The Class section value depends on the nature of the security issue and on the protection the rules can offer. For Windows, these values are available:
Class | When to use
Files | For file or directory operations. See Class Files.
Isapi | For monitoring requests to IIS. See Class Isapi.
Registry | For Registry key and value operations. See Class Registry.
Services | For Services operations. See Class Services.
Class Files
The following table lists the possible sections of the class Files.
Section | Values | Notes
Class | Files |
Id | 4000 - 7999 |
level | 0, 1, 2, 3, 4 |
time | * |
user | User or system account |
application | Path + application name |
files | Files or folders involved in the operation | See Note 1, 2
dest_file | Destination file, if the operation involves source and destination files | This section is optional. See Note 1, 2
directives | files:create | Create a file directly, or move a file into a directory
 | files:read | Open the file in Read mode
 | files:write | Open the file in Write mode
 | files:execute | Execute a file (executing a directory means that this directory becomes the current directory)
 | files:delete | Delete a file from a directory, or move it to another directory
 | files:rename | Rename a file in the same directory; see Note 2
 | files:attribute | Change the file attributes. Monitored attributes are “Archive” and “System”. The Windows 2000-only attributes “Index”, “Compress” and “Encrypt” are not monitored.
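The following Python validator is an added worked example and is not code from the product guide. It checks a Windows class Files signature against the constraints listed above: the Id range 4000 - 7999, level 0 - 4, the seven files:* directives, and the double-backslash rule for Windows paths. The brace-delimited `Rule { section value ... }` layout it parses is assumed as the signature file syntax, and treating every section except dest_file as mandatory is an inference from the table marking only dest_file optional; the two sample rules are constructed for this example.

```python
"""Validator for a Host IPS Windows class Files custom signature.

Added example, not taken from the product guide.  Assumed: the brace-
delimited `Rule { section value ... }` layout of a signature file.  The
section names, Id range, level range, files:* directives and the double-
backslash path rule come from the class Files table; which sections are
mandatory is inferred from the table marking only dest_file optional.
The two sample rules below are constructed."""
import re

ID_RANGE = range(4000, 8000)        # Id 4000 - 7999 is the custom-signature range
LEVELS = {"0", "1", "2", "3", "4"}  # level 0 - 4
FILE_DIRECTIVES = {
    "files:create", "files:read", "files:write", "files:execute",
    "files:delete", "files:rename", "files:attribute",
}
# every table row except dest_file (inference: the table marks only that one optional)
REQUIRED = ("Class", "Id", "level", "time", "user", "application", "files", "directives")
PATH_SECTIONS = ("application", "files", "dest_file")

# constructed, well-formed rule: custom Id, valid level, escaped backslashes
GOOD_RULE = r'''
Rule {
  Class Files
  Id 4001
  level 3
  time *
  user *
  application "C:\\Program Files\\Acme\\*.exe"
  files "C:\\Windows\\System32\\drivers\\*.sys"
  directives files:create files:write files:delete
}
'''

# constructed counter-example: Id below 4000, level above 4, single
# backslashes in the path, and a directive that does not exist
BAD_RULE = r'''
Rule {
  Class Files
  Id 3999
  level 5
  time *
  user *
  application *
  files "C:\Windows\System32\*.dll"
  directives files:write files:modify
}
'''


def parse_rule(text):
    """Return {section: [values]} from one Rule { ... } block (assumed syntax)."""
    body = re.search(r"Rule\s*\{(.*)\}", text, re.S)
    if not body:
        raise ValueError("no Rule { ... } block found")
    sections = {}
    for line in body.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        # keep quoted values whole; do not reinterpret the backslashes inside them
        values = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
        sections.setdefault(name, []).extend(values)
    return sections


def windows_path_ok(path):
    """Windows paths must escape every backslash, so each run of backslashes
    has even length; a lone '\\' is the classic mistake."""
    return all(len(run) % 2 == 0 for run in re.findall(r"\\+", path))


def validate_files_rule(sections):
    """Check a parsed rule against the class Files constraints; return the error list."""
    errors = [f"missing required section '{s}'" for s in REQUIRED if s not in sections]
    if sections.get("Class") != ["Files"]:
        errors.append("Class must be Files for this validator")
    for raw in sections.get("Id", []):
        if not raw.isdigit() or int(raw) not in ID_RANGE:
            errors.append(f"Id {raw!r} is outside the custom range 4000-7999")
    for raw in sections.get("level", []):
        if raw not in LEVELS:
            errors.append(f"level {raw!r} is not one of 0-4")
    for d in sections.get("directives", []):
        if d not in FILE_DIRECTIVES:
            errors.append(f"unknown class Files directive {d!r}")
    for name in PATH_SECTIONS:
        for p in sections.get(name, []):
            if not windows_path_ok(p):
                errors.append(f"{name}: single backslash in {p!r}; write it as '\\\\'")
    return errors


if __name__ == "__main__":
    for label, rule in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        print(label, validate_files_rule(parse_rule(rule)) or "OK")
```

Run stand-alone, the good rule passes and the bad rule reports four errors, one per violated constraint. The path check inspects the raw text of the value rather than the string Python would decode, which is the point: a path that looks right once unescaped may still carry single backslashes in the signature file.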