McAfee® Host Intrusion Prevention 6.1 Product Guide

Writing Custom Signatures

 

Windows Custom Signatures


Note 1

If the files section is used, the path to a monitored folder or file can be either the full path or a wildcard path. For example, the following are valid path representations:

files { Include "C:\\test\\abc.txt" }
files { Include "*\\test\\abc.txt" }
files { Include "*\\abc.txt" }

If the dest_file section is used, an absolute path cannot be used; the path must begin with a wildcard that stands for the drive. For example, the following are valid path representations:

dest_file { Include "*\\test\\abc.txt" }
dest_file { Include "*\\abc.txt" }

Note 2

The directive files:rename has a different meaning when combined with section files and section dest_file.

• When combined with the files section, it means that renaming of the file named in the files section is monitored. For example, the following rule monitors renaming of the file C:\test\abc.txt to any other name:

Rule {
    Class Files
    Id 4001
    level 1
    files { Include "C:\\test\\abc.txt" }
    time { Include "*" }
    application { Include "*" }
    user_name { Include "*" }
    directives -c -d files:rename
}

• Combined with the dest_file section, it means that no file can be renamed to the file named in the dest_file section. For example, the following rule monitors renaming of any file to C:\test\abc.txt:

Rule {
    Class Files
    Id 4001
    level 1
    dest_file { Include "*\\test\\abc.txt" }
    time { Include "*" }
    application { Include "*" }
    user_name { Include "*" }
    directives -c -d files:rename
}

The files section is not mandatory when the dest_file section is used. If both sections are used, both the files and the dest_file section must match.
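Note 1 and Note 2 describe the path constraints and the two readings of files:rename in prose. The following parser and checker is an added example, not code from the McAfee guide or product: it handles only the subset of the rule syntax shown on this page (Class, Id, level, sections holding Include "..." entries, and the directives line), applies Note 1's path rules to the files and dest_file sections, and reports which of Note 2's two meanings a files:rename rule has. The rule texts it parses are constructed from the two rules above plus one deliberately invalid dest_file rule; the -c -d flags are kept verbatim without interpretation.

```python
import re
from dataclasses import dataclass, field

# Added example, not McAfee code: a minimal parser for the Rule { ... } syntax
# shown in this guide, plus checks for the path constraints in Note 1 and the
# two meanings of files:rename in Note 2. Only the constructs on this page are
# handled (Class, Id, level, sections with Include "..." entries, directives).
SECTION_RE = re.compile(r'(\w+)\s*\{([^{}]*)\}')
INCLUDE_RE = re.compile(r'Include\s+"([^"]*)"')


@dataclass
class Rule:
    cls: str
    rule_id: int
    level: int
    sections: dict = field(default_factory=dict)    # section name -> Include paths
    flags: list = field(default_factory=list)       # e.g. ["-c", "-d"], kept verbatim
    directives: list = field(default_factory=list)  # e.g. ["files:rename"]


def parse_rule(text: str) -> Rule:
    """Parse one Rule { ... } block into a Rule object."""
    m = re.search(r'Rule\s*\{(.*)\}', text, re.S)   # greedy: up to the final brace
    if not m:
        raise ValueError("no Rule { ... } block found")
    body = m.group(1)
    sections: dict = {}
    for name, inner in SECTION_RE.findall(body):
        sections.setdefault(name, []).extend(INCLUDE_RE.findall(inner))
    rest = SECTION_RE.sub(" ", body)   # leaves Class, Id, level and directives
    cls = re.search(r'\bClass\s+(\w+)', rest).group(1)
    rule_id = int(re.search(r'\bId\s+(\d+)', rest).group(1))
    level = int(re.search(r'\blevel\s+(\d+)', rest).group(1))
    tokens = re.search(r'\bdirectives\s+(.*)', rest, re.S).group(1).split()
    flags = [t for t in tokens if t.startswith("-")]
    directives = [t for t in tokens if not t.startswith("-")]
    return Rule(cls, rule_id, level, sections, flags, directives)


def check_paths(rule: Rule) -> list:
    """Return Note 1 violations as strings; an empty list means the paths are acceptable."""
    problems = []
    for path in rule.sections.get("dest_file", []):
        # dest_file may not be absolute; a leading wildcard stands in for the drive
        if not path.startswith("*"):
            problems.append(f'dest_file "{path}" must begin with a wildcard, not a drive letter')
    for path in rule.sections.get("files", []):
        # files accepts a full path (drive-letter rooted) or a wildcard path
        if not (path.startswith("*") or re.match(r'^[A-Za-z]:', path)):
            problems.append(f'files "{path}" is neither a full path nor a wildcard path')
    return problems


def rename_meaning(rule: Rule):
    """Describe what files:rename monitors for this rule (Note 2), or None if absent."""
    if "files:rename" not in rule.directives:
        return None
    if "dest_file" in rule.sections:
        return "any file renamed to " + ", ".join(rule.sections["dest_file"])
    files = rule.sections.get("files", [])
    if not files:
        return "files:rename with neither files nor dest_file section"
    return ", ".join(files) + " renamed to any other name"


# Constructed from the two rules in Note 2 (straight quotes, one element per line).
RULE_RENAME_FROM = r'''
Rule {
    Class Files
    Id 4001
    level 1
    files { Include "C:\\test\\abc.txt" }
    time { Include "*" }
    application { Include "*" }
    user_name { Include "*" }
    directives -c -d files:rename
}
'''

RULE_RENAME_TO = r'''
Rule {
    Class Files
    Id 4001
    level 1
    dest_file { Include "*\\test\\abc.txt" }
    time { Include "*" }
    application { Include "*" }
    user_name { Include "*" }
    directives -c -d files:rename
}
'''

# Constructed counterexample: an absolute dest_file path, which Note 1 forbids.
RULE_BAD_DEST = RULE_RENAME_TO.replace(r'"*\\test\\abc.txt"', r'"C:\\test\\abc.txt"')

if __name__ == "__main__":
    for src in (RULE_RENAME_FROM, RULE_RENAME_TO, RULE_BAD_DEST):
        rule = parse_rule(src)
        print(rule.rule_id, rename_meaning(rule), check_paths(rule) or "paths OK")
```

Running the block reports the first two rules as valid with their respective rename meanings and flags the third for its drive-letter dest_file path; the same checks can be run over a whole custom-signature file before importing it.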
