McAfee® Host Intrusion Prevention 6.1 Product Guide

Appendix A: Writing Custom Signatures

Windows Custom Signatures

Class Registry

The following table lists the possible sections of the class Registry.

Section           Values                        Notes
Class             Registry
Id                4000 - 7999
level             0, 1, 2, 3, 4
time              *
user_name         user or system account
application       path + application name
keys or values    registry key or value         See Note 1.
old data          Previous data of the value    This section is optional. It is only
                                                for <directive> Modify; see Note 2.
new data          New data of the value         This section is optional. It is only
                                                for <directive> Modify or Create;
                                                see Note 2.
directives -c -d  registry:delete               Deletion of a registry key or value.
                  registry:modify               Modification of the content of a
                                                registry value, or of the information
                                                of a registry key.
                  registry:permissions          Modification of the permissions of a
                                                registry key.
                  registry:read                 Obtaining registry key information
                                                (number of subkeys, etc.), or getting
                                                the content of a registry value.
                  registry:enumerate            Enumeration of a registry key, that is,
                                                getting the list of all the key's
                                                subkeys and values.

Note 1

HKEY_LOCAL_MACHINE in a registry path is replaced by \REGISTRY\MACHINE\ and CurrentControlSet is replaced by ControlSet. For example, the registry value "abc" under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa is represented as \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\\Control\\Lsa\\abc.

Note 2

The data of the sections old data and new data must be in hexadecimal. For example, the data 'def' of the registry value "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\abc" must be represented as old_data { Include "%64%65%66" }.
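The following helper, added here as an illustration and not part of the product guide or McAfee's own tooling, applies the two notes when assembling the sections of a Registry-class signature: it rewrites a Windows registry path as Note 1 describes, hex-encodes old data and new data as Note 2 requires, and rejects Id, level and directive values outside what the table allows. It assumes the section names "keys"/"values" for the table's "keys or values" row and "old_data"/"new_data" as in Note 2, that sections other than Class, Id, level and directives are written in the `section { Include "..." }` form Note 2 shows for old_data, and that an outer `Rule { ... }` wrapper encloses the sections; that wrapper does not appear on this page and should be checked against the guide's signature syntax.

```python
"""Assemble the sections of a McAfee HIP 6.1 custom signature of class Registry.

Added example, not McAfee code. Assumptions (not shown on this page): section
names "keys"/"values" for the "keys or values" row, the 'section { Include "..." }'
form for every section except Class/Id/level/directives, and the outer
'Rule { ... }' wrapper emitted by render_signature().
"""
from typing import Dict, List, Optional

ID_RANGE = range(4000, 8000)      # Id: 4000 - 7999
LEVELS = {0, 1, 2, 3, 4}          # level: 0, 1, 2, 3, 4
DIRECTIVES = {                    # directives listed for class Registry
    "registry:delete", "registry:modify", "registry:permissions",
    "registry:read", "registry:enumerate",
}


def to_hips_registry_path(key: str, value: Optional[str] = None) -> str:
    """Rewrite a Windows registry path as the signature expects (Note 1).

    HKEY_LOCAL_MACHINE becomes \\REGISTRY\\MACHINE, CurrentControlSet becomes
    ControlSet, and each backslash is doubled because the path sits inside a
    quoted signature string.
    """
    parts = [p for p in key.split("\\") if p]
    if parts and parts[0].upper() == "HKEY_LOCAL_MACHINE":
        parts = ["REGISTRY", "MACHINE"] + parts[1:]
    parts = ["ControlSet" if p == "CurrentControlSet" else p for p in parts]
    if value is not None:
        parts.append(value)
    raw = "\\" + "\\".join(parts)            # \REGISTRY\MACHINE\SYSTEM\...
    return raw.replace("\\", "\\\\")         # escaped form used in the signature


def hex_encode_data(data: bytes) -> str:
    """Encode old data / new data as Note 2 requires: b'def' -> '%64%65%66'."""
    return "".join("%%%02x" % b for b in data)


def build_registry_sections(sig_id: int, level: int, key: str, value: Optional[str],
                            directives: List[str], old_data: Optional[bytes] = None,
                            new_data: Optional[bytes] = None, user_name: str = "*",
                            application: str = "*") -> Dict[str, str]:
    """Return the signature sections, in table order, after validating them."""
    if sig_id not in ID_RANGE:
        raise ValueError("Id must be in 4000 - 7999, got %d" % sig_id)
    if level not in LEVELS:
        raise ValueError("level must be 0, 1, 2, 3 or 4, got %d" % level)
    unknown = sorted(set(directives) - DIRECTIVES)
    if unknown or not directives:
        raise ValueError("directives must be one or more of %s, got %s"
                         % (sorted(DIRECTIVES), directives))
    # old data applies only to Modify; new data to Modify or Create. This page
    # lists no create directive, so only registry:modify is checked here.
    if (old_data is not None or new_data is not None) and "registry:modify" not in directives:
        raise ValueError("old data / new data require the registry:modify directive")

    def include(text: str) -> str:
        return '{ Include "%s" }' % text

    sections = {
        "Class": "Registry",
        "Id": str(sig_id),
        "level": str(level),
        "time": include("*"),                 # '*' is the only value the table lists
        "user_name": include(user_name),
        "application": include(application),
        ("values" if value is not None else "keys"): include(to_hips_registry_path(key, value)),
    }
    if old_data is not None:
        sections["old_data"] = include(hex_encode_data(old_data))
    if new_data is not None:
        sections["new_data"] = include(hex_encode_data(new_data))
    sections["directives"] = " ".join(directives)
    return sections


def render_signature(sections: Dict[str, str]) -> str:
    """Lay the sections out one per line inside a 'Rule { ... }' block (assumed wrapper)."""
    body = ["    %s %s" % (name, text) for name, text in sections.items()]
    return "\n".join(["Rule {"] + body + ["}"])


if __name__ == "__main__":
    # Constructed sample: level 4 on modification of the value 'abc' named in Note 2.
    sample = build_registry_sections(
        4001, 4, r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "abc",
        ["registry:modify"], old_data=b"def", new_data=b"xyz")
    print(render_signature(sample))
```

The old data check mirrors the table's note that the section is meaningful only for Modify; because the directive list on this page contains no create directive, the new data check is limited to registry:modify as well, which is the one place the helper is narrower than the table.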
