Windows Custom Signatures, Class Files, 170 | McAfee 6.1 manual

McAfee® Host Intrusion Prevention 6.1 Product Guide	Writing Custom Signatures
	Windows Custom Signatures

A

Windows Custom Signatures

This topic describes how to write Windows custom signatures.

Rules in the Windows class Files use double slashes and rules in the Solaris Class

UNIX_Files use a single slash.

The class section value depends on the nature of the security issue and on the protection the rules can offer. For Windows these value are available:

Class	When to use

Files	For file or directory operations. See Class Files.

Isapi	For monitoring request to IIS. See Class Isapi.

Registry	For Registry key and value operations. See Class Registry.

Services	For Services operations. See Class Services.

Class Files

The following table lists the possible sections of the class Files.

Section	Values	Notes

Class	Files

Id	4000 - 7999

level	0, 1, 2, 3, 4

time	*

user-name	user of system account

application	path + application name

files	File or folders involved in the	See Note 1, 2
	operation

dest_file	Destination file, if the operation	This section is optional. See Note
	involves source and destination	1, 2
	files

directives -c -d	files:create	Create file directly, or move file
		into directory

	files:read	Open the file in Read mode

	files:write	Open the file in Write mode

	files:execute	Execute file (executing a
		directory means that this
		directory will become the current
		directory)

	files:delete	Delete file from a directory, or
		move it to another directory

	files:rename	Rename a file in the same
		directory; see Note 2

	files:attribute	Change the file attributes.
		Monitored attributes are
		“Read-only”, “Hidden”,
		“Archive” and “System”. The
		Windows 2000 only attributes
		“Index”, “Compress” and
		“Encrypt” are not monitored.

170

Image 170

McAfee 6.1 manual Windows Custom Signatures, Class Files, This topic describes how to write Windows custom signatures, 170

Contents

McAfee Host Intrusion Prevention Page McAfee Host Intrusion Prevention Copyright Contents IPS Policies General Policies 103 Frequently Asked Questions 160 Writing Custom Signatures 164 IntroducingPrevention Host Intrusion Changes from the previous release New featuresWhat’s new in this release Using this guide Audience Bold Condensed ConventionsThis guide uses the following conventions Example Getting product information Standard documentation Contact information Customer ServiceProfessional Services Signature rules IPS featureBasic Concepts Reactions Behavioral rulesEvents Exception rules Client firewall rules Firewall featureFirewall rules Client application blocking rules Application Blocking featureGeneral feature Policies and policy categories Policy managementPolicy enforcement Policy assignment locking Policy inheritance and assignmentPolicy ownership Deployment and management Preset protectionAdaptive and Learn mode Tuning Reports Using ePolicy Orchestrator „ Deploy Host Intrusion Prevention clients EPolicy Orchestrator console EPolicy Orchestrator console Policy management Assign Policies Assigning owners to policies Installing the Host Intrusion Prevention serverHost Intrusion Prevention operations Generating notifications Deploying Host Intrusion Prevention clients Viewing and working with client data Placing clients in Adaptive or Learn mode Configuring policies Policy viewing alerts Fine-tuning Active X control security warning Using Help Help navigation procedures IPS Exception Rules Help in the user interfaceIPS Events/Signatures IPS Signature Rules IPS Policies Overview Host and network IPS signature rules Benefits of Host IPS Benefits of Network IPS Preset IPS policiesBehavioral rules To configure the IPS Options policy Configuring the IPS Options policyQuick access IPS Options dialog box appears Click ApplyTo create a new IPS Options policy Select the needed options Configuring the IPS Protection policy To configure the IPS Protection policy To create a new IPS Protection policy IPS Protection dialog box appears Select the type of reaction for each severity level To create a new IPS Rules policy Configuring the IPS Rules policyTo assign IPS Rules policies IPS Rules policy details Creating exception rules To create an exception To edit an exception rule Editing exception rulesYou can view and edit details of an existing exception Deleting exception rules To disable/enable an exceptionEnabling and disabling exception rules Moving exception rules to another policy Host signatures SignaturesTypes of signatures Custom host signatures Viewing signatures IPS Rules-Signatures tab Creating custom signatures To modify default signaturesModifying host and network signatures To modify the view of signatures Using the wizard to create signatures To create signatures using the wizard Using the standard mode to create signatures To create a signature with the standard mode New Custom Signature-General tab To use Standard Method To use Expert Method Editing custom signaturesDeleting custom signatures To edit a custom signature Application Protection Rules 11 Application Protection Rules analysis To create an application protection rule 12 IPS Rules-Application Protection Rules 13 New Trusted Application dialog box-General tab Enabling and disabling Application Protection Rules IPS EventsEditing Application Protection Rules Deleting Application Protection Rules Viewing events To view IPS events To change the event view Configuring the event viewFiltering events To mark an event as unread Marking eventsTo mark an event as read To hide an event „ Agent „ Signatures „ User „ Process „ Severity Level Marking similar eventsTo mark similar events Hidden To view event details Viewing event detailsCreating event-based exceptions and trusted applications To create an event-based exception To create an event-based trusted application To search for a related exception IPS Client RulesSearching for related exceptions Regular View To migrate client rules to an IPS Rules policy Click the Aggregate View tab on the IPS Client Rules tab Aggregated ViewTo aggregate client rules Search IPS Exception Rules To search for exceptions and manage the list of exceptions 22 Search IPS Exception Rules tab Firewall Policies HIP 6.0 rules HIP 6.1 rules Stateful packet inspection State tableStateful packet filtering How firewall rules work Ordering the firewall rule list How stateful filtering works Stateful filtering process Protocol Description of handling How stateful packet inspection worksStateful protocol tracking Firewall rule groups and connection-aware groups TCP Overview Firewall Learn and Adaptive modes Stateful filtering Quarantine policies and rules To migrate rules Preset Firewall policiesMigrating custom 6.0 firewall rules to 6.1 rules Select For these settings Off McAfee Default Configuring the Firewall Options policyTo configure the Firewall Options policy Learn Create New Policy dialog box appears „ Select New Policy To create a Firewall Rules policy Configuring the Firewall Rules policyCreating new Firewall Rules policies Include Local Subnet Automatically selected Select this For this protection Policy Server Medium Server High To view and edit a firewall rule Viewing and editing firewall rulesDo any of the following Add Policy or Duplicate Policy To create a firewall rule Select the appropriate settings Click OKCreating a new firewall rule or firewall group To create a connection-aware group To create a new rule groupFirewall Rule Group dialog box appears Type a name for this group in the Name field To delete a firewall rule or group Deleting a firewall rule or groupTo add predefined rules To modify the view, do any of the following Viewing firewall client rulesTo view all firewall client rules To view aggregated firewall client rules To view details of an aggregated firewall rule Select New Policy Configuring the Quarantine Options policyTo configure the Quarantine Options policy Creating new Quarantine Rules policies Configuring the Quarantine Rules policyQuarantine Rules policy provides access for To create a Quarantine Rules policy Click Properties Viewing and editing quarantine rulesTo view and edit a quarantine rule To create a quarantine rule Creating a new quarantine rule or groupDeleting a quarantine rule or group To delete a quarantine rule or group Application Blocking Policies Application creation Application hooking Preset Application Blocking policiesApplication Blocking feature contains two policy categories To apply an Application Blocking Options policy Configuring the Application Blocking Options policySelect this policy For these settings Off McAfee Default Application Blocking Options To create an Application Blocking Rules policy Configuring the Application Blocking Rules policyCreating new Application Blocking Rules policies Viewing and editing Application Blocking Rules To view and edit an application blocking rule Application Rule dialog box appears Creating new Application Blocking RulesTo create a new application blocking rule 100 To delete an application blocking rule Deleting an application blocking ruleViewing application client rules To view all client application rules To view aggregated client application rules To view details of an aggregated client application rule General Policies Preset General policies General feature contains four policy categories To change the policy setting Configuring Enforce PoliciesConfiguring the Client UI policy Regular User Creating and applying a Client UI policy Administrator UserTo configure a Client UI policy Disconnected User Setting passwords 107 108 To create an administrator passwordClick the Advanced Options tab in the Client UI policy To provide tray icon control of Windows UI To create a time-based passwordTray icon control 110 Configuring the Trusted Networks policyTo configure trusted network options Remove Select To do this AddEdit Include Local Subnet To create a new policy Configuring the Trusted Applications policyCreating and applying Trusted Applications policies Trusted Application tab appears Creating trusted applications To create a trusted application Enabling and disabling trusted applications To disable/enable a trusted applicationEditing trusted applications Deleting trusted applications Analyzing IPS events MaintenanceFine-tuning a deployment 115 Creating and applying new policies Creating exception rules and trusted application rulesWorking with client exception rules For details on working with client rules, see Policies tab Policy maintenance and tasksTo view and reset broken inheritance below a specific node Policy inheritance and assignment To copy and paste policy assignments of a node Click Copy policy assignments Viewing policy information To view nodes where a policy is assignedPolicy Catalog To view all policies that have been created Editing policy information To view the settings and owner of a policyTo view assignments where policy enforcement is disabled To edit a policy Event Archiver Running server tasksDirectory Gateway Property Translator Creating rules Setting up notifications for eventsHow notifications work Host Intrusion Prevention notifications 124 Report repository Running reportsPre-defined reports Summary information and details Report content controlHost Intrusion Prevention reports IPS Events Summary by Signature Signature IPS Event Summary by TargetNetwork Intrusion Summary by Source IP Blocked Application Summary Top 10 Attacked Nodes for IPSTop 10 Triggered Signatures Filters on platform and signature type Initial View Drill Down Host Name Failed Quarantine UpdatesTop 10 Blocked Applications Updating Checking in the update packageTo add update packages automatically From the Task type list, select Repository Pull To have a client request an update To add update packages manuallyTo run an update task Updating clients Host Intrusion Prevention Client Windows client 133 System tray iconClient console To unlock the Host Intrusion Prevention interface Setting optionsUnlocking the client interface To customize client options Show tray icon Error Reporting Error ReportingTroubleshooting Select For this Security Violations To set IPS logging optionsTo set Firewall logging options 137 AlertsIntrusion alerts 138 To respond to a firewall Learn Mode alertFirewall alerts Has the Treat rule match as an intrusion option selected Application Blocking alerts „ The IP address that the traffic pretends to come from 140 Quarantine alertsSpoof Detected alerts 141 IP Spoof Detected Alert dialog box To customize IPS Policy options IPS Policy tabIPS Policy options 142 To edit the exception rules IPS Policy exception rulesException rules list 143 To customize Firewall Policy options Firewall Policy tabFirewall Policy options 144 145 Firewall Policy RulesFirewall rules list To customize Application Policy options Application Policy tabApplication Policy options 146 147 Application Policy rulesApplication rules list 148 Blocked Hosts tabBlocked Hosts list Column What it shows Until removed To edit the Blocked Hosts list149 This list shows all monitored processes on the client Application Protection tabApplication Protection list 150 To customize Activity Log options Activity Log tabActivity Log options 151 Select Create Sniffer Capture... Activity Log list152 McAfee Host Intrusion Prevention Options Solaris client TroubleshootingClient installation issues Policy enforcement with the Solaris client 154 Client operations issuesRun this command To do this File/Directory Name Description 155 To stop a Solaris clientTo restart a Solaris client Linux client Policy enforcement with the Linux client Verifying the client is running File Name Description Troubleshooting tool 158 To restart a Linux client Run the command hipts agent offTo stop a Linux client 159 What is the McAfee Default policy? Frequently Asked QuestionsWhat is a policy? 160 161 How do I view IPS events triggered by clients? How do I create an exception based on an IPS Event? How do I create custom signatures for an IPS Policy? How do I find existing policies that match a given profile? Basic structure of a rule is the following Writing Custom SignaturesRule Structure 164 Section Name Value Description Mandatory common sections165 Use of Include and Exclude Name/domain user name Use of the dependencies section Optional common sectionsSection value variables Use of predefined variables Use of wildcardsUse of environment variables Windows IIS Web Server 169 MS SQL Database ServerSolaris Apache and iPlanet Class Files This topic describes how to write Windows custom signaturesWindows Custom Signatures 170 171 Advanced Details GUI name Explanation Class Isapi Machine where the client is installed in the manner host Windows Custom Signatures Class Registry 177 Class Services Section Values Meaning/remarks GUI Name Explanation Possible Values Windows Custom Signatures Class UNIXfile This topic describes how to write Solaris custom signaturesSolaris Custom Signatures 181 Relevant X directives per section Directive File Source File permission New permission 183 Advanced DetailsClass UNIXapache Solaris Custom Signatures Linux Custom Signatures 185 List of directives according to type Summary of parameters and directivesList of parameters according to type 186 Glossary 187 188 Blocked host 189 Console tree 190 EPolicy Orchestrator database server 191 See also minimal properties 192 Inactive agent 193 Policy enforcement interval 194 Severity level 195 SYN flood Index Working with clients Signatures, 46 creating, 48 creating custom Firewall policy tab rules List IPS Policy tab Page Mcafee.com