GUI Name Explanation Possible Values | McAfee 6.1 guide

McAfee® Host Intrusion Prevention 6.1 Product Guide	Writing Custom Signatures
	Windows Custom Signatures

Advanced Details

Some or all of the following parameters appear in the Advanced Details tab of security events for the class Services. The values of these parameters can help you understand why a signature is triggered.

GUI Name	Explanation	Possible Values

display names	Name of the Windows service
	as it is displayed in the Services
	Manager control panel.

services	System name of the Windows
	service (shown in
	HKLM\CurrentControlSet\Servic
	es\); this may be different from
	the name displayed in the
	Services Manager control panel.

params	Only applicable for starting a
	service: parameters passed to
	the service upon activation.

old startup	Only applicable for creating or	Boot, System, Automatic, Manual,
	changing the startup mode of a	Disabled
	service: indicates the startup
	mode before it was changed or
	attempted to be changed.

new startup	Only applicable for changing the	Boot, System, Automatic, Manual,
	startup mode of a service:	Disabled
	indicates the startup mode that a
	service has after it was changed,
	or that it would have if the
	change went through.

logon	Only applicable for changes in
	the logon mode of a service:
	logon information (system or
	user account)used by the
	service.

The following rule would prevent deactivation of the Alerter service.

Rule {

Class Services Id 4001 level 4

Service { Include “Alerter” } time { Include “*” } application { Include “*”} user_name { Include “*” } directives -c -d service:stop

}

The various sections of this rule have the following meaning:

Class Services: indicates that this rule relates to file operations class.

Id 4001: Assigns the ID 4001 to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same ID.

A

179

Image 179

McAfee 6.1 manual GUI Name Explanation Possible Values

Contents

McAfee Host Intrusion Prevention Page McAfee Host Intrusion Prevention Copyright Contents IPS Policies General Policies 103 Frequently Asked Questions 160 Writing Custom Signatures 164 IntroducingPrevention Host Intrusion Changes from the previous release New featuresWhat’s new in this release Audience Using this guide Example ConventionsThis guide uses the following conventions Bold Condensed Standard documentation Getting product information Contact information Customer ServiceProfessional Services Signature rules IPS featureBasic Concepts Exception rules Behavioral rulesEvents Reactions Client firewall rules Firewall featureFirewall rules Client application blocking rules Application Blocking featureGeneral feature Policies and policy categories Policy managementPolicy enforcement Policy assignment locking Policy inheritance and assignmentPolicy ownership Deployment and management Preset protectionAdaptive and Learn mode Reports Tuning „ Deploy Host Intrusion Prevention clients Using ePolicy Orchestrator EPolicy Orchestrator console EPolicy Orchestrator console Assign Policies Policy management Generating notifications Installing the Host Intrusion Prevention serverHost Intrusion Prevention operations Assigning owners to policies Viewing and working with client data Deploying Host Intrusion Prevention clients Placing clients in Adaptive or Learn mode Policy viewing alerts Configuring policies Active X control security warning Fine-tuning Help navigation procedures Using Help IPS Signature Rules Help in the user interfaceIPS Events/Signatures IPS Exception Rules Overview IPS Policies Benefits of Host IPS Host and network IPS signature rules Benefits of Network IPS Preset IPS policiesBehavioral rules To configure the IPS Options policy Configuring the IPS Options policyQuick access Select the needed options Click ApplyTo create a new IPS Options policy IPS Options dialog box appears Configuring the IPS Protection policy To create a new IPS Protection policy To configure the IPS Protection policy Select the type of reaction for each severity level IPS Protection dialog box appears To create a new IPS Rules policy Configuring the IPS Rules policyTo assign IPS Rules policies IPS Rules policy details To create an exception Creating exception rules To edit an exception rule Editing exception rulesYou can view and edit details of an existing exception Moving exception rules to another policy To disable/enable an exceptionEnabling and disabling exception rules Deleting exception rules Custom host signatures SignaturesTypes of signatures Host signatures IPS Rules-Signatures tab Viewing signatures To modify the view of signatures To modify default signaturesModifying host and network signatures Creating custom signatures To create signatures using the wizard Using the wizard to create signatures To create a signature with the standard mode Using the standard mode to create signatures New Custom Signature-General tab To edit a custom signature Editing custom signaturesDeleting custom signatures To use Standard Method To use Expert Method 11 Application Protection Rules analysis Application Protection Rules 12 IPS Rules-Application Protection Rules To create an application protection rule 13 New Trusted Application dialog box-General tab Deleting Application Protection Rules IPS EventsEditing Application Protection Rules Enabling and disabling Application Protection Rules To view IPS events Viewing events To change the event view Configuring the event viewFiltering events To hide an event Marking eventsTo mark an event as read To mark an event as unread Hidden Marking similar eventsTo mark similar events „ Agent „ Signatures „ User „ Process „ Severity Level To view event details Viewing event detailsCreating event-based exceptions and trusted applications To create an event-based trusted application To create an event-based exception To search for a related exception IPS Client RulesSearching for related exceptions To migrate client rules to an IPS Rules policy Regular View Click the Aggregate View tab on the IPS Client Rules tab Aggregated ViewTo aggregate client rules To search for exceptions and manage the list of exceptions Search IPS Exception Rules 22 Search IPS Exception Rules tab Firewall Policies HIP 6.1 rules HIP 6.0 rules Stateful packet inspection State tableStateful packet filtering Ordering the firewall rule list How firewall rules work Stateful filtering process How stateful filtering works Protocol Description of handling How stateful packet inspection worksStateful protocol tracking TCP Firewall rule groups and connection-aware groups Overview Stateful filtering Firewall Learn and Adaptive modes Quarantine policies and rules To migrate rules Preset Firewall policiesMigrating custom 6.0 firewall rules to 6.1 rules Learn Configuring the Firewall Options policyTo configure the Firewall Options policy Select For these settings Off McAfee Default „ Select New Policy Create New Policy dialog box appears To create a Firewall Rules policy Configuring the Firewall Rules policyCreating new Firewall Rules policies Include Local Subnet Automatically selected Server High Select this For this protection Policy Server Medium Add Policy or Duplicate Policy Viewing and editing firewall rulesDo any of the following To view and edit a firewall rule To create a firewall rule Select the appropriate settings Click OKCreating a new firewall rule or firewall group Type a name for this group in the Name field To create a new rule groupFirewall Rule Group dialog box appears To create a connection-aware group To delete a firewall rule or group Deleting a firewall rule or groupTo add predefined rules To modify the view, do any of the following Viewing firewall client rulesTo view all firewall client rules To view details of an aggregated firewall rule To view aggregated firewall client rules Select New Policy Configuring the Quarantine Options policyTo configure the Quarantine Options policy To create a Quarantine Rules policy Configuring the Quarantine Rules policyQuarantine Rules policy provides access for Creating new Quarantine Rules policies Click Properties Viewing and editing quarantine rulesTo view and edit a quarantine rule To delete a quarantine rule or group Creating a new quarantine rule or groupDeleting a quarantine rule or group To create a quarantine rule Application creation Application Blocking Policies Application hooking Preset Application Blocking policiesApplication Blocking feature contains two policy categories To apply an Application Blocking Options policy Configuring the Application Blocking Options policySelect this policy For these settings Off McAfee Default Application Blocking Options To create an Application Blocking Rules policy Configuring the Application Blocking Rules policyCreating new Application Blocking Rules policies To view and edit an application blocking rule Viewing and editing Application Blocking Rules 100 Creating new Application Blocking RulesTo create a new application blocking rule Application Rule dialog box appears To view all client application rules Deleting an application blocking ruleViewing application client rules To delete an application blocking rule To view details of an aggregated client application rule To view aggregated client application rules General Policies General feature contains four policy categories Preset General policies Regular User Configuring Enforce PoliciesConfiguring the Client UI policy To change the policy setting Disconnected User Administrator UserTo configure a Client UI policy Creating and applying a Client UI policy 107 Setting passwords 108 To create an administrator passwordClick the Advanced Options tab in the Client UI policy To provide tray icon control of Windows UI To create a time-based passwordTray icon control 110 Configuring the Trusted Networks policyTo configure trusted network options Include Local Subnet Select To do this AddEdit Remove Trusted Application tab appears Configuring the Trusted Applications policyCreating and applying Trusted Applications policies To create a new policy To create a trusted application Creating trusted applications Deleting trusted applications To disable/enable a trusted applicationEditing trusted applications Enabling and disabling trusted applications 115 MaintenanceFine-tuning a deployment Analyzing IPS events For details on working with client rules, see Creating exception rules and trusted application rulesWorking with client exception rules Creating and applying new policies Policy inheritance and assignment Policy maintenance and tasksTo view and reset broken inheritance below a specific node Policies tab Click Copy policy assignments To copy and paste policy assignments of a node To view all policies that have been created To view nodes where a policy is assignedPolicy Catalog Viewing policy information Editing policy information To view the settings and owner of a policyTo view assignments where policy enforcement is disabled To edit a policy Property Translator Running server tasksDirectory Gateway Event Archiver Creating rules Setting up notifications for eventsHow notifications work 124 Host Intrusion Prevention notifications Report repository Running reportsPre-defined reports IPS Events Summary by Signature Report content controlHost Intrusion Prevention reports Summary information and details Signature IPS Event Summary by TargetNetwork Intrusion Summary by Source IP Filters on platform and signature type Top 10 Attacked Nodes for IPSTop 10 Triggered Signatures Blocked Application Summary Initial View Drill Down Host Name Failed Quarantine UpdatesTop 10 Blocked Applications From the Task type list, select Repository Pull Checking in the update packageTo add update packages automatically Updating Updating clients To add update packages manuallyTo run an update task To have a client request an update Windows client Host Intrusion Prevention Client 133 System tray iconClient console To customize client options Setting optionsUnlocking the client interface To unlock the Host Intrusion Prevention interface Select For this Error ReportingTroubleshooting Show tray icon Error Reporting Security Violations To set IPS logging optionsTo set Firewall logging options 137 AlertsIntrusion alerts Has the Treat rule match as an intrusion option selected To respond to a firewall Learn Mode alertFirewall alerts 138 Application Blocking alerts „ The IP address that the traffic pretends to come from 140 Quarantine alertsSpoof Detected alerts IP Spoof Detected Alert dialog box 141 142 IPS Policy tabIPS Policy options To customize IPS Policy options 143 IPS Policy exception rulesException rules list To edit the exception rules 144 Firewall Policy tabFirewall Policy options To customize Firewall Policy options 145 Firewall Policy RulesFirewall rules list 146 Application Policy tabApplication Policy options To customize Application Policy options 147 Application Policy rulesApplication rules list Column What it shows Blocked Hosts tabBlocked Hosts list 148 Until removed To edit the Blocked Hosts list149 150 Application Protection tabApplication Protection list This list shows all monitored processes on the client 151 Activity Log tabActivity Log options To customize Activity Log options McAfee Host Intrusion Prevention Options Activity Log list152 Select Create Sniffer Capture... Policy enforcement with the Solaris client TroubleshootingClient installation issues Solaris client File/Directory Name Description Client operations issuesRun this command To do this 154 155 To stop a Solaris clientTo restart a Solaris client Policy enforcement with the Linux client Linux client File Name Description Verifying the client is running 158 Troubleshooting tool 159 Run the command hipts agent offTo stop a Linux client To restart a Linux client 160 Frequently Asked QuestionsWhat is a policy? What is the McAfee Default policy? 161 How do I create an exception based on an IPS Event? How do I view IPS events triggered by clients? How do I find existing policies that match a given profile? How do I create custom signatures for an IPS Policy? 164 Writing Custom SignaturesRule Structure Basic structure of a rule is the following Section Name Value Description Mandatory common sections165 Name/domain user name Use of Include and Exclude Use of the dependencies section Optional common sectionsSection value variables Windows IIS Web Server Use of wildcardsUse of environment variables Use of predefined variables 169 MS SQL Database ServerSolaris Apache and iPlanet 170 This topic describes how to write Windows custom signaturesWindows Custom Signatures Class Files 171 GUI name Explanation Advanced Details Class Isapi Machine where the client is installed in the manner host Windows Custom Signatures Class Registry 177 Section Values Meaning/remarks Class Services GUI Name Explanation Possible Values Windows Custom Signatures 181 This topic describes how to write Solaris custom signaturesSolaris Custom Signatures Class UNIXfile Directive File Source File permission New permission Relevant X directives per section 183 Advanced DetailsClass UNIXapache Solaris Custom Signatures 185 Linux Custom Signatures 186 Summary of parameters and directivesList of parameters according to type List of directives according to type 187 Glossary Blocked host 188 Console tree 189 EPolicy Orchestrator database server 190 See also minimal properties 191 Inactive agent 192 Policy enforcement interval 193 Severity level 194 SYN flood 195 Index Working with clients Signatures, 46 creating, 48 creating custom Firewall policy tab rules List IPS Policy tab Page Mcafee.com