McAfee® Host Intrusion Prevention 6.1 Product Guide | Writing Custom Signatures | Windows Custom Signatures
Advanced Details
Some or all of the following parameters appear in the Advanced Details tab of security events for the class Registry. The values of these parameters can help you understand why a signature is triggered.
GUI Name | Explanation
Registry Key | Name of the registry key affected, including the path name. The prefix \REGISTRY\MACHINE\ stands for HKEY_LOCAL_MACHINE\, and \REGISTRY\CURRENT_USER\ stands for \HKEY_USER\.
Registry Value(s) | Name of the registry value concatenated with the full name of its key.
Old data | Only applicable for registry value changes: data that a registry value contained before it was changed or attempted to be changed.
New data | Only applicable for registry value changes: data that a registry value contains after it was changed, or that it would contain if the change went through.
Old data type | Only applicable for registry value changes: type of data that a registry value contained before it was changed or attempted to be changed.
New data type | Only applicable for registry value changes: type of data that a registry value contains after it was changed, or that it would contain if the change went through.
Example
The following rule would prevent anybody and any process from deleting the registry value “abc” under the registry key “\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa”.
Rule {
  Class Registry Id 4001 level 4
  values { Include "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\abc" }
  time { Include "*" }
  application { Include "*" }
  user_name { Include "*" }
  directives
}
The various sections of this rule have the following meaning:
Class Registry: indicates that this rule relates to registry operations.
Id 4001: Assigns the ID 4001 to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same ID.
level 4: Assigns the Security Level ‘high’ to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same level.
values { Include "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\abc" }: Indicates that the rule monitors the registry value abc under the registry key “\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa”. If the rule were to cover multiple values, you would add them in this section on separate lines.
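As an added example (not McAfee's code), the following Python parses the rule above into its sections, undoes the doubled-backslash escaping of the rule file, applies the \REGISTRY\MACHINE\ to HKEY_LOCAL_MACHINE\ prefix translation from the Advanced Details table, and checks whether an event's Registry Value(s) string falls under the rule's values section. Exclude entries and case-insensitive matching are assumptions about HIPS rule behaviour that this page does not state.

```python
"""Parse a HIPS Registry-class rule and match it against the 'Registry Value(s)'
string an event shows in its Advanced Details tab (added example, not McAfee code)."""
import re
from fnmatch import fnmatchcase

# Prefix translation as the guide's Advanced Details table states it.
HIVE_PREFIXES = {"\\REGISTRY\\MACHINE\\": "HKEY_LOCAL_MACHINE\\"}

# Constructed sample: the guide's example rule without its directives line.
SAMPLE_RULE = r'''Rule {
 Class Registry Id 4001 level 4
 values { Include "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\abc" }
 time { Include "*" }
 application { Include "*" } user_name { Include "*" }
}'''

HEADER_RE = re.compile(r"Class\s+(\w+)\s+Id\s+(\d+)\s+level\s+(\d+)")
SECTION_RE = re.compile(r'(\w+)\s*\{\s*((?:(?:Include|Exclude)\s*"[^"]*"\s*)+)\}')
ENTRY_RE = re.compile(r'(Include|Exclude)\s*"([^"]*)"')

def parse_rule(text):
    """Return class/id/level plus {section: [(kind, pattern), ...]}."""
    header = HEADER_RE.search(text)
    if not header:
        raise ValueError("missing 'Class ... Id ... level ...' header")
    sections = {}
    for name, body in SECTION_RE.findall(text):
        # Rule files double every backslash; undo that so patterns compare to event data.
        sections[name] = [(kind, pat.replace("\\\\", "\\"))
                          for kind, pat in ENTRY_RE.findall(body)]
    return {"class": header.group(1), "id": int(header.group(2)),
            "level": int(header.group(3)), "sections": sections}

def to_gui_path(path):
    """Rewrite the \\REGISTRY\\... prefix to the hive name the console displays."""
    for prefix, hive in HIVE_PREFIXES.items():
        if path.upper().startswith(prefix.upper()):
            return hive + path[len(prefix):]
    return path

def rule_matches(rule, section, event_text):
    """Case-insensitive glob match of one section; an Exclude hit (assumed) overrides Include."""
    needle = to_gui_path(event_text).upper()
    hits = [(kind, fnmatchcase(needle, to_gui_path(pat).upper()))
            for kind, pat in rule["sections"].get(section, [])]
    if any(kind == "Exclude" and hit for kind, hit in hits):
        return False
    return any(kind == "Include" and hit for kind, hit in hits)
```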