McAfee® Host Intrusion Prevention 6.1 Product Guide | Writing Custom Signatures |
| Windows Custom Signatures |
Rule {
Class Isapi Id 4001 level 4
query { Include “*subject*” } method { Include “GET” } time { Include “*” } application { Include “*”} user_name { Include “*” } directives
}
For example, the GET request http://www.myserver.com/test/ abc.exe?subject=wildlife&environment=ocean would be prevented by this rule.
The various sections of this rule have the following meaning:
Class Isapi: indicates that this rule relates to the Isapi operations class.
Id 4001: Assigns the ID 4001 to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same ID.
level 4: Assigns the Security Level ‘high’ to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same level.
query { Include “*subject*” }: Indicates that the rule matches any (GET) request that contains the string “subject” in the query part of the http request. If the rule were to cover multiple query parts files, you would add them in this section in different lines.
method { Include “GET” }: Indicates that the rule can only match GET requests
time { Include “*” }: This section is currently not used, but must be included in this way in the rule.
application { Include “*”}: Indicates that this rule is valid for all processes. If you’d want to limit your rule to specific processes, you would spell them out here, complete with their path name.
user_name { Include “*” }: Indicates that this rule is valid for all users (or more precisely, the security context in which a process runs). If you’d want to limit your rule to specific user contexts, you would spell them out here in the form Local/user or Domain/user. See paragraph “Mandatory Common Sections” for details.
directives
A
175