McAfee® Host Intrusion Prevention 6.1 Product Guide

Writing Custom Signatures

 

Windows Custom Signatures

Advanced Details

Some or all of the following parameters appear in the Advanced Details tab of security events for the class Files. The values of these parameters can help you understand why a signature is triggered.

GUI name     Explanation

files        Name of the file that was accessed

dest file    Only applicable for renaming files: new name that the file was changed to

The following rule would prevent anybody and any process from creating the file ‘abc.txt’ in the folder C:\test\.

Rule {
    Class Files Id 4001 level 4
    files { Include "C:\\test\\abc.txt" } time { Include "*" }
    application { Include "*" } user_name { Include "*" } directives -c -d files:create
}

The various sections of this rule have the following meaning:

• Class Files: indicates that this rule relates to the file operations class.

• Id 4001: assigns the ID 4001 to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same ID.

• level 4: assigns the security level 'high' to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same level.

• files { Include "C:\\test\\abc.txt" }: indicates that the rule covers the specific file and path C:\test\abc.txt. If the rule were to cover multiple files, you would add them in this section on separate lines. For example, when monitoring the files C:\test\abc.txt and C:\test\xyz.txt, the section changes to: files { Include "C:\\test\\abc.txt" "C:\\test\\xyz.txt" }.

• time { Include "*" }: this section is currently not used, but it must be included in this form in every rule.

• application { Include "*" }: indicates that this rule is valid for all processes. If you want to limit the rule to specific processes, you would spell them out here, complete with their path names.

• user_name { Include "*" }: indicates that this rule is valid for all users (or more precisely, the security context in which a process runs). If you want to limit the rule to specific user contexts, you would spell them out here in the form Local/user or Domain/user. See the paragraph "Mandatory Common Sections" for details.

• directives -c -d files:create: indicates that this rule covers the creation of a file. The switches -c and -d must always be used in the directives section.
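The following Python script is an added illustration, not McAfee code and not the product's own signature engine. It parses rules written in the syntax shown above (the Class/Id/level header, the mandatory files, time, application and user_name sections, and the directives line) and then decides whether a constructed file event would trigger the rule. It assumes a simplified matching model: Include patterns are glob-style, matched case-insensitively like Windows paths, the time section is ignored because the guide says it is unused, and the -c and -d switches are required exactly as the guide states. The sample rules and events are constructed for this example; the second rule shows the application and user_name sections restricted to one process and one user, as the explanations above describe.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the guide's rule, extended to two files as the
# "multiple files" paragraph describes.
SAMPLE_RULE = r'''
Rule {
    Class Files Id 4001 level 4
    files { Include "C:\\test\\abc.txt" "C:\\test\\xyz.txt" } time { Include "*" }
    application { Include "*" } user_name { Include "*" } directives -c -d files:create
}
'''

# Constructed sample: same file, but only for one process and one user context
# (hypothetical path and account, not from the guide).
RESTRICTED_RULE = r'''
Rule {
    Class Files Id 4002 level 4
    files { Include "C:\\test\\abc.txt" } time { Include "*" }
    application { Include "C:\\Windows\\notepad.exe" }
    user_name { Include "CORP/alice" } directives -c -d files:create
}
'''


@dataclass
class FileRule:
    rule_class: str
    rule_id: int
    level: int
    sections: Dict[str, List[str]]   # section name -> list of Include patterns
    operations: List[str]            # e.g. ["files:create"]


@dataclass
class FileEvent:
    """A file operation as the Advanced Details tab would report it (constructed)."""
    path: str
    application: str
    user_name: str
    operation: str


_HEADER = re.compile(r'Class\s+(\w+)\s+Id\s+(\d+)\s+level\s+(\d+)', re.I)
_SECTION = re.compile(r'(\w+)\s*\{\s*Include\s+((?:"[^"]*"\s*)+)\}')
MANDATORY_SECTIONS = ('files', 'time', 'application', 'user_name')


def parse_rule(text: str) -> FileRule:
    """Parse one 'Rule { ... }' block; raise ValueError on a malformed rule."""
    body = text[text.index('{') + 1:text.rindex('}')]
    header = _HEADER.search(body)
    if not header:
        raise ValueError("missing 'Class ... Id ... level ...' header")
    sections: Dict[str, List[str]] = {}
    for name, quoted in _SECTION.findall(body):
        # "C:\\test\\abc.txt" in the rule denotes the path C:\test\abc.txt
        patterns = [p.replace('\\\\', '\\') for p in re.findall(r'"([^"]*)"', quoted)]
        sections[name.lower()] = patterns
    for required in MANDATORY_SECTIONS:
        if required not in sections:
            raise ValueError(f"missing mandatory section '{required}'")
    directives = re.search(r'directives\s+([^}]+)', body)
    if not directives:
        raise ValueError("missing directives section")
    tokens = directives.group(1).split()
    switches = {t for t in tokens if t.startswith('-')}
    if not {'-c', '-d'} <= switches:
        raise ValueError("directives must carry the -c and -d switches")
    operations = [t for t in tokens if not t.startswith('-')]
    return FileRule(header.group(1), int(header.group(2)), int(header.group(3)),
                    sections, operations)


def _matches(patterns: List[str], value: str) -> bool:
    # Case-insensitive glob match, the way Windows paths compare (assumption).
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def triggers(rule: FileRule, event: FileEvent) -> bool:
    """True if the event satisfies every section of the rule (time is ignored)."""
    if event.operation not in rule.operations:
        return False
    return (_matches(rule.sections['files'], event.path)
            and _matches(rule.sections['application'], event.application)
            and _matches(rule.sections['user_name'], event.user_name))


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    event = FileEvent(r"C:\test\abc.txt", r"C:\Windows\notepad.exe", "CORP/alice", "files:create")
    print(f"rule {rule.rule_id} level {rule.level}: triggered = {triggers(rule, event)}")
```

The parser is deliberately strict about the parts the guide calls mandatory: a rule missing the time section or the -c/-d switches is rejected at load time rather than silently matching nothing, which is the failure mode you would otherwise only discover when an expected event never fires.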

172