McAfee® Host Intrusion Prevention 6.1 Product Guide | Writing Custom Signatures | Windows Custom Signatures
Class Registry
The following table lists the possible sections of a custom signature of class Registry.
Section        | Values                      | Notes
Class          | Registry                    |
Id             | 4000 - 7999                 |
level          | 0, 1, 2, 3, 4               |
time           | *                           |
user_name      | user or system account      |
application    | path + application name     |
keys or values | registry key or value       | keys names a registry key, values a registry value; see Note 1.
old data       | previous data of the value  | Optional; only for <directive> Modify; see Note 2.
new data       | new data of the value       | Optional; only for <directive> Modify or Create; see Note 2.
directives     | registry:delete             | Deletion of a registry key or value.
               | registry:modify             | Modification of the content of a registry value, or of the information of a registry key.
               | registry:permissions        | Modification of the permissions of a registry key.
               | registry:read               | Obtaining registry key information (number of subkeys, etc.), or reading the content of a registry value.
               | registry:enumerate          | Enumeration of a registry key, that is, listing all of the key's subkeys and values.
Note 1
In the keys and values sections, HKEY_LOCAL_MACHINE in a registry path is replaced by \REGISTRY\MACHINE, and CurrentControlSet is replaced by ControlSet. As the example shows, each backslash in the signature text is written twice. For example, the registry value "abc" under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa is represented as \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\\Control\\Lsa\\abc.
Note 2
The data in the old data and new data sections must be given in hexadecimal, as one %XX escape per byte. For example, the data "def" of the registry value \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\abc is represented as old_data { Include "%64%65%66" }.