McAfee 6.1 - page 174

174

McAfee® Host Intrusion Prevention6.1 Product Guide Writing Custom Signatures

Windows Custom Signatures A

Note 3

A maximum length restriction can be defined for the sections “url” and “query”. By

adding “;number-of-chars” to the value of these sections, the rule can only match if

the {url} or {query} have more characters than “number-of-chars”. For example, the

following rule will match if the url part of the request contains “abc” and the url part of

the request has over 500 characters:

Rule {

Class Isapi

Id 4001

level 1

url { Include “*abc*;500” }

time { Include “*” }

application { Include “*”}

user_name { Include “*” }

directives -c -d isapi:request}

}

Note 4

A rule needs to contain at least one of the optional sections url, query, method.

Advanced Details

Some or all of the following parameters appear in the Advanced Details tab of security

events for the class Isapi. The values of these parameters can help you understand why

a signature is triggered.

The following rule would prevent a request to the web server that has “subject” in the

query part of the http request:

GUI name explanation

url Decoded and normalized location part of an incoming HTTP request

(the part before the ‘?’).

query Decoded and normalized query part of an incoming HTTP request

(the part after the first ‘?’).

web server type Type and version of the Web server application used.

method Method of the incoming HTTP request (such as Get, Put, Post,

Query, etc.).

local file Physical name of the file that is retrieved or attempted to be

retrieved by the request. Decoded and normalized under IIS.

raw url “Raw” (undecoded and not normalized) Request Line of the

incoming HTTP request. Request Line is “<method>

<location[?query]> <http version> CRLF”.

user User name of the client making the request; only available if the

request is authenticated.

source Client name or IP address of the computer where the HTTP request

originated.

server Information about the Web server where the event is created (that’s

the machine where the client is installed) in the manner <host

name>:<IP address>:<port>. The host name is the host variable

from the HTTP header; it is left blank if not available.

content len Number of bytes in the body of the message part of the query.

Contents

Main Page Page COPYRIGHT TRADEMARK ATTRIBUTIONS LICENSE INFORMATION License Agreement Attributions PATENT INFORMATION Contents 1 Introducing Host Intrusion Prevention 9 2Basic Concepts 15 3 Using ePolicy Orchestrator 23 4 IPS Policies 33 5 Firewall Policies 68 6 Application Blocking Policies 94 7 General Policies 103 8 Maintenance 115 9 Host Intrusion Prevention Client 132 Page 1 Prevention Whats new in this release Changes from the previous release New features Using this guide Audience Conventions This guide uses the following conventions: Bold Condensed Getting product information Standard documentation Contact information Threat Center: McAfee Avert Labs http://www.mcafee.com/us/threat_center/default.asp Download Site Technical Support Customer Service 2 IPS feature Signature rules Behavioral rules Events Reactions Exception rules Firewall feature Firewall rules Client firewall rules Application Blocking feature Client application blocking rules General feature Policy management Policy enforcement Policies and policy categories Policy inheritance and assignment Policy ownership Policy assignment locking Deployment and management Preset protection Adaptive and Learn mode Tuning Reports 3 ePolicy Orchestrator operations used with Host Intrusion Prevention ePolicy Orchestrator console Policy management Assigning owners to policies Generating notifications Generating reports Host Intrusion Prevention operations Installing the Host Intrusion Prevention server Deploying Host Intrusion Prevention clients Viewing and working with client data Placing clients in Adaptive or Learn mode Configuring policies Policy viewing alerts Fine-tuning Using Help Help navigation procedures Help in the user interface Table3-1 Host Intrusion Prevention icons IPS Events/Signatures IPS Signature Rules 4 Host and network IPS signature rules HIPS NIPS Behavioral rules Preset IPS policies Configuring the IPS Options policy Page Configuring the IPS Protection policy Page The IPS Protection dialog box appears. 3Select the type of reaction for each severity level: 4Click Apply, and then click Close. 5Click Apply on the IPS Protection category line. Configuring the IPS Rules policy IPS Rules policy details Exception Rules Creating exception rules Editing exception rules Enabling and disabling exception rules Deleting exception rules Moving exception rules to another policy Signatures Types of signatures Viewing signatures Modifying host and network signatures Creating custom signatures Using the wizard to create signatures Using the standard mode to create signatures Page 5Click Apply to apply the new settings, and then OK. Editing custom signatures Deleting custom signatures To use Standard Method: To use Expert Method: Application Protection Rules Page Page Editing Application Protection Rules Enabling and disabling Application Protection Rules Deleting Application Protection Rules IPS Events Viewing events Configuring the event view Filtering events Marking events Marking similar events Viewing event details Creating event-based exceptions and trusted applications Example Searching for related exceptions IPS Client Rules Regular View Aggregated View Search IPS Exception Rules Page 5 HIP 6.0 rules HIP 6.1 rules State table State table functionality How firewall rules work Ordering the firewall rule list How stateful filtering works How stateful packet inspection works Stateful protocol tracking Firewall rule groups and connection-aware groups Page Firewall Learn and Adaptive modes Stateful filtering Quarantine policies and rules Migrating custom 6.0 firewall rules to 6.1 rules Preset Firewall policies Configuring the Firewall Options policy Page Configuring the Firewall Rules policy Creating new Firewall Rules policies Minimal (Default) Subnet Automatically Learning Starter Subnet Automatically Client Medium The Create New Policy dialog box appears. Viewing and editing firewall rules Creating a new firewall rule or firewall group Page Deleting a firewall rule or group Viewing firewall client rules Page Configuring the Quarantine Options policy Configuring the Quarantine Rules policy Creating new Quarantine Rules policies Viewing and editing quarantine rules Creating a new quarantine rule or group Deleting a quarantine rule or group 6 Application creation Application hooking Preset Application Blocking policies Configuring the Application Blocking Options policy Page Configuring the Application Blocking Rules policy Creating new Application Blocking Rules policies Viewing and editing Application Blocking Rules Creating new Application Blocking Rules Deleting an application blocking rule Viewing application client rules Page 7 Preset General policies Configuring Enforce Policies Configuring the Client UI policy Creating and applying a Client UI policy Setting passwords Page Tray icon control Configuring the Trusted Networks policy 5Do any of the following: Configuring the Trusted Applications policy Creating and applying Trusted Applications policies Creating trusted applications Editing trusted applications Enabling and disabling trusted applications Deleting trusted applications 8 Fine-tuning a deployment Analyzing IPS events Creating exception rules and trusted application rules Working with client exception rules Creating and applying new policies Policy maintenance and tasks Policies tab Policy inheritance and assignment Page Policy Catalog Viewing policy information Editing policy information Page Running server tasks Directory Gateway Event Archiver Property Translator Setting up notifications for events How notifications work Creating rules Host Intrusion Prevention notifications Running reports Pre-defined reports Report repository Summary information and details Report content control Host Intrusion Prevention reports The Host Intrusion Prevention report templates include: IPS Events Summary by Signature Use this report to view IPS events per signature. Details include: Filters on signature, recording time, severity level, OS user, reaction, process, and source IP. IPS Event Summary by Target Use this report to view IPS events per host. Details include: Filters on signature, recording time, severity level, OS user, reaction, process, and source IP. Network Intrusion Summary by Source IP Use this report to view network intrusion events per source IP. Details include: Top 10 Attacked Nodes for IPS Filters on platform and signature type. Top 10 Triggered Signatures Use this report to view a bar chart of the 10 most triggered IPS signatures. Details include: Filters on platform and signature type. Top 10 Blocked Applications Use this report to view a bar chart of the 10 most blocked applications. Details include: Filters on application description, host name, and event time. Failed Quarantine Updates Use this report to view failed quarantine updates per host. Details include: Updating Checking in the update package Updating clients 9 Windows client System tray icon Client console Unlocking the client interface Setting options Error Reporting Troubleshooting Logging Host IPS engines Alerts Intrusion alerts Firewall alerts Application Blocking alerts Quarantine alerts Spoof Detected alerts Page IPS Policy tab IPS Policy options IPS Policy exception rules Exception rules list Firewall Policy tab Firewall Policy options Firewall Policy Rules Firewall rules list Application Policy tab Application Policy options Application Policy rules Application rules list Blocked Hosts tab Blocked Hosts list Page Application Protection tab Application Protection list Activity Log tab Activity Log options Activity Log list You can clear the list either by deleting the log contents or saving it to a .txt file. Note: McAfee Host Intrusion Prevention Options Solaris client Policy enforcement with the Solaris client Troubleshooting Client installation issues Verifying installation files Client operations issues Starting and stopping the client Linux client Policy enforcement with the Linux client Notes about the Linux client Troubleshooting Client installation issues Verifying installation files Verifying the client is running Client operations issues Troubleshooting tool Starting and stopping the client 10 Page Page Page A Rule Structure See Windows Custom Signatures for an explanation of the various sections and values. Mandatory common sections Use of Include and Exclude Optional common sections Use of the dependencies section Section value variables Use of wildcards Use of environment variables Use of predefined variables MS SQL Database Server Solaris Apache and iPlanet Windows Custom Signatures The following table lists the possible sections of the class Files. Class Files Page Page Class Isapi Page Page Class Registry Page Class Services The following rule would prevent deactivation of the Alerter service. The various sections of this rule have the following meaning: every one of these rules would need to use the same ID. Page Solaris Custom Signatures The following table lists the possible sections of the class Files. Class UNIX_file Page Advanced Details Class UNIX_apache Page Linux Custom Signatures The following table lists the possible sections of the class Files. Class UNIX_file Summary of parameters and directives The following is a summary of parameters and directives according to type. List of parameters according to type List of directives according to type Glossary Page Page Page Page Page Page Page Page Index A B C D G H I K L Q R S T U