McAfee® Host Intrusion Prevention 6.1 Product Guide

Writing Custom Signatures

 

Windows Custom Signatures

Advanced Details

Some or all of the following parameters appear in the Advanced Details tab of security events for the class Registry. The values of these parameters can help you understand why a signature is triggered.

GUI Name: explanation

Registry Key: Name of the registry key affected, including the path name. The prefix \REGISTRY\MACHINE\ stands for HKEY_LOCAL_MACHINE\, and \REGISTRY\CURRENT_USER\ stands for \HKEY_USER\.

Registry Value(s): Name of the registry value concatenated with the full name of its key.

Old Data: Only applicable for registry value changes: data that a registry value contained before it was changed or attempted to be changed.

New Data: Only applicable for registry value changes: data that a registry value contains after it was changed or that it would contain if the change went through.

Old Data Type: Only applicable for registry value changes: type of data that a registry value contained before it was changed or attempted to be changed.

New Data Type: Only applicable for registry value changes: type of data that a registry value would contain after it was changed or that it would contain if the change went through.

Example

The following rule would prevent anybody and any process from deleting the registry value "abc" under the registry key "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa".

Rule {
  Class Registry
  Id 4001
  level 4
  values { Include "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\abc" }
  time { Include "*" }
  application { Include "*" }
  user_name { Include "*" }
  directives -c -d registry:delete
}

The various sections of this rule have the following meaning:

• Class Registry: indicates that this rule relates to requests sent to IIS.

• Id 4001: Assigns the ID 4001 to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same ID.

• level 4: Assigns the Security Level 'high' to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same level.

• values { Include "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\abc" }: Indicates that the rule monitors the registry value abc under the registry key "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa". If the rule were to cover multiple values, you would add them in this section on separate lines.
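To make the matching concrete, here is an added example that is not code from the product guide or from McAfee: a small Python evaluator that applies the rule above to a constructed registry event and translates the native \REGISTRY\MACHINE\ prefix to the hive name the way the Advanced Details table describes. Treating '*' as the only wildcard, comparing paths case-insensitively, and reading 'directives' as the list of operations the rule covers are assumptions made here, not statements from the guide.

```python
import re
# Added example (not McAfee code): a minimal evaluator for the Registry rule
# above, matching a "values { Include ... }" string against the Registry Key /
# Registry Value(s) fields from Advanced Details. Assumptions: '*' is the only
# wildcard, comparison is case-insensitive, 'directives' lists the operations.
# Prefix mapping exactly as the Advanced Details table states it.
HIVE_PREFIXES = {
    "\\REGISTRY\\MACHINE\\": "HKEY_LOCAL_MACHINE\\",
    "\\REGISTRY\\CURRENT_USER\\": "\\HKEY_USER\\",
}

def to_gui_path(native_path):
    # Translate the native path of an event into the hive name the GUI shows.
    for native, gui in HIVE_PREFIXES.items():
        if native_path.upper().startswith(native):
            return gui + native_path[len(native):]
    return native_path

def pattern_to_regex(pattern):
    # Rule strings write each backslash doubled; collapse them, then treat
    # everything except '*' literally.
    path = pattern.replace("\\\\", "\\")
    return re.compile("^" + ".*".join(re.escape(p) for p in path.split("*")) + "$",
                      re.IGNORECASE)

def includes(patterns, candidate):
    return any(pattern_to_regex(p).match(candidate) for p in patterns)

def rule_blocks(rule, event):
    # Registry Value(s) is the value name concatenated with its full key name;
    # that is the field the 'values' section is compared with.
    full_value = event["key"] + "\\" + event["value"]
    return (event["operation"] in rule["directives"]
            and includes(rule["values"], full_value)
            and includes(rule["application"], event["application"])
            and includes(rule["user_name"], event["user_name"]))

# The rule from this page, with the value path written as in the rule syntax.
RULE_4001 = {
    "values": [r"\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\abc"],
    "application": ["*"], "user_name": ["*"], "directives": {"registry:delete"},
}

# Constructed event, in the form the Advanced Details fields would report it.
EVENT_DELETE_ABC = {
    "key": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
    "value": "abc", "operation": "registry:delete",
    "application": r"C:\Windows\regedit.exe", "user_name": "DOMAIN\\alice",
}
```

Note that a pattern written with a single backslash or with "ControlSet" instead of "CurrentControlSet" would not match this event, which is why the path in the values section must be spelled exactly as the key appears in the event.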
