McAfee® Host Intrusion Prevention 6.1 Product Guide

Writing Custom Signatures

 

Windows Custom Signatures


Note 3

A maximum length can be enforced for the sections "url" and "query". By appending ;number-of-chars to the value of one of these sections, the rule matches only if the url or query has more than number-of-chars characters; this is how a signature catches over-long request components. For example, the following rule matches if the url part of the request contains "abc" and that url part is longer than 500 characters:

Rule {
  Class Isapi
  Id 4001
  level 1
  url { Include "*abc*;500" }
  time { Include "*" }
  application { Include "*" }
  user_name { Include "*" }
  directives -c -d isapi:request
}

Note 4

A rule needs to contain at least one of the optional sections url, query, method.
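The following is an added illustration, not McAfee Host Intrusion Prevention code: a small Python evaluator that approximates the rule-section semantics described in Note 3 and Note 4 so they can be exercised against constructed requests. It parses the Rule { ... } syntax used above, applies the ";number-of-chars" threshold (match only when the url or query has more than that many characters), rejects a rule that has none of url, query, method, and matches the url section against a decoded and normalized path, since that is the form in which the url parameter appears in the Advanced Details below. The wildcard syntax (shell-style globbing), case-insensitive matching, and the exact normalization steps are assumptions; the real engine's behaviour is not specified on this page. All sample requests are constructed.

```python
"""Added illustration of the Isapi rule-section semantics (Notes 3 and 4).
Not McAfee code; it approximates the documented behaviour for experimentation."""
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Constructed rule in the Rule { ... } syntax used in this chapter (the Note 3 example).
SAMPLE_RULE = """
Rule {
  Class Isapi
  Id 4001
  level 1
  url { Include "*abc*;500" }
  time { Include "*" }
  application { Include "*" }
  user_name { Include "*" }
  directives -c -d isapi:request
}
"""

# Matches one section such as:  url { Include "*abc*;500" }
SECTION_RE = re.compile(r'(\w+)\s*\{\s*(Include|Exclude)\s*"([^"]*)"\s*\}')


def parse_rule(text):
    """Return {section: (is_include, glob_pattern, min_len)}; min_len is None when absent."""
    sections = {}
    for name, kind, value in SECTION_RE.findall(text):
        pattern, _, threshold = value.partition(';')      # "*abc*;500" -> "*abc*", "500"
        min_len = int(threshold) if threshold else None
        if min_len is not None and name not in ('url', 'query'):
            raise ValueError(f'";number-of-chars" is only defined for url and query, not {name}')
        sections[name] = (kind == 'Include', pattern, min_len)
    if not {'url', 'query', 'method'} & sections.keys():     # Note 4
        raise ValueError('a rule needs at least one of the sections url, query, method')
    return sections


def rule_is_valid(text):
    """True if the rule text parses and satisfies Note 4."""
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


def normalize(path):
    """Approximate the 'decoded and normalized' url shown in Advanced Details.
    ASSUMPTION: repeated percent-decoding, backslash-to-slash, dot-segment collapse;
    the exact normalization performed by IIS/Host IPS is not specified on the page."""
    previous = None
    while previous != path:                 # %255c -> %5c -> '\' needs two passes
        previous, path = path, unquote(path)
    segments = []
    for seg in path.replace('\\', '/').split('/'):
        if seg == '..':
            if segments:
                segments.pop()
        elif seg not in ('', '.'):
            segments.append(seg)
    return '/' + '/'.join(segments)


def section_matches(spec, value):
    """Glob match (ASSUMPTION: case-insensitive) plus the ';N' rule: more than N characters."""
    is_include, pattern, min_len = spec
    hit = fnmatchcase(value.lower(), pattern.lower())
    if min_len is not None:
        hit = hit and len(value) > min_len
    return hit if is_include else not hit


def rule_matches(rule, request):
    """Evaluate every section of a parsed rule against one constructed request dict."""
    raw_path, _, raw_query = request['raw_target'].partition('?')
    fields = {
        'url': normalize(raw_path),          # part before the '?', decoded and normalized
        'query': unquote(raw_query),         # part after the first '?'
        'method': request.get('method', ''),
        'time': request.get('time', ''),
        'application': request.get('application', ''),
        'user_name': request.get('user_name', ''),
    }
    return all(section_matches(spec, fields[name]) for name, spec in rule.items())


# Constructed requests; only the request target differs between them.
SAMPLE_REQUESTS = {
    'short':      {'raw_target': '/abc.dll?x=1', 'method': 'GET'},              # "abc" but only 8 chars
    'long_query': {'raw_target': '/abc.dll?' + 'A' * 600, 'method': 'GET'},     # length is in query, not url
    'long_url':   {'raw_target': '/abc' + 'A' * 600 + '.dll', 'method': 'GET'}, # 608 chars, contains abc
    'encoded':    {'raw_target': '/%61bc' + 'A' * 600, 'method': 'GET'},        # %61 decodes to 'a'
}


def evaluate_all(rule_text=SAMPLE_RULE, requests=SAMPLE_REQUESTS):
    """Return {request name: matched?} for the sample rule."""
    rule = parse_rule(rule_text)
    return {name: rule_matches(rule, req) for name, req in requests.items()}


if __name__ == '__main__':
    for name, hit in evaluate_all().items():
        print(f'{name:11s} -> {"MATCH" if hit else "no match"}')
```

Running the script shows that only the long_url and encoded requests match: a long query string does not satisfy a threshold placed on the url section, and the percent-encoded "%61bc" matches "*abc*" because the url is compared after decoding. The normalize helper also shows why decoding must be repeated: a double-encoded "..%255c" traversal collapses to a plain parent-directory reference only on the second pass.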

Advanced Details

Some or all of the following parameters appear in the Advanced Details tab of security events for the class Isapi. The values of these parameters can help you understand why a signature was triggered. Note that url and query are shown in decoded, normalized form, whereas raw url preserves the request line exactly as it arrived; comparing the two shows which encoding the client used.

GUI name          explanation

url               Decoded and normalized location part of an incoming HTTP request (the part before the '?').

query             Decoded and normalized query part of an incoming HTTP request (the part after the first '?').

web server type   Type and version of the Web server application used.

method            Method of the incoming HTTP request (such as GET, PUT, POST).

local file        Physical name of the file that the request retrieves or attempts to retrieve. Decoded and normalized under IIS.

raw url           "Raw" (undecoded and not normalized) Request Line of the incoming HTTP request. The Request Line is "<method> <location[?query]> <http version> CRLF".

user              User name of the client making the request; only available if the request is authenticated.

source            Client name or IP address of the computer where the HTTP request originated.

server            Information about the Web server where the event is created (the machine where the Host Intrusion Prevention client is installed), in the form <host name>:<IP address>:<port>. The host name is taken from the Host header of the HTTP request; it is left blank if not available.

content len       Number of bytes in the message body of the HTTP request.

The following rule would prevent a request to the web server that has "subject" in the query part of the HTTP request:
