Manuals / McAfee / Marine Equipment / Marine Radio

McAfee 6.1 manual Solaris Custom Signatures, Class UNIXfile, 181, Class Meaning / remarks

Models: 6.1

1 201

Download 201 pages 13.13 Kb

Page 181

McAfee® Host Intrusion Prevention 6.1 Product Guide	Writing Custom Signatures
	Solaris Custom Signatures

A

Solaris Custom Signatures

This topic describes how to write Solaris custom signatures.

Rules in the Windows class Files use double slashes and rules in the Solaris Class

UNIX_Files use a single slash.

The class of the signature depends on the nature of the security issue and on the protection the rules can offer. The table below lists the available Solaris classes:

class	meaning / remarks

UNIX_file	Used for file or directory operations. SeeClass UNIX_file.

UNIX_apache	Used for http operations. See Class UNIX_apache.

Class UNIX_file

The following table lists the possible sections of the class Files.

section	values	meaning/remarks

Class	UNIX_file

Id	4000 - 7999

level	0, 1, 2, 3, 4

time	*

user_name	user or system account

application	user or system account path +
	application name

files	source file(s)	Files to look for. This is optional if
		section source is used; see Note 1.

source	target file names	This is optional. See Note 1.

file permission]	list of permissions of source file	This is optional. See Note 2.
	names

new permission	permission mode of newly
	created file or modified
	permission

This is optional. See Note 2.

directives	unixfile:symlink	Creating a symbolic link.
	unixfile:link	Creating a hard link. See Note 3.

	unixfile:read	Opening the file in Read mode.

	unixfile:write	Opening the file in Write mode.

	unixfile:unlink	Deleting a file from a directory or
		deleting the directory.

	unixfile:rename	Renaming the file. See Note 4.

	unixfile:chmod	Changing the permissions on the
		directory or file.

	unixfile:chown	Changing the file ownership of the
		directory or file.

	unixfile:create	Creating a file.

	unixfile:mkdir	Creating a directory.

	unixfile:rmdir	Removing a directory.

	unixfile:chdir	Changing the working directory

181

Image 181

McAfee 6.1 Solaris Custom Signatures, Class UNIXfile, This topic describes how to write Solaris custom signatures, 181

Contents

McAfee Host Intrusion Prevention Page McAfee Host Intrusion Prevention Copyright Contents IPS Policies General Policies 103 Frequently Asked Questions 160 Writing Custom Signatures 164 IntroducingPrevention Host Intrusion What’s new in this release New featuresChanges from the previous release Audience Using this guideThis guide uses the following conventions ConventionsBold Condensed ExampleStandard documentation Getting product informationProfessional Services Customer ServiceContact information Basic Concepts IPS featureSignature rules Events Behavioral rulesReactions Exception rulesFirewall rules Firewall featureClient firewall rules General feature Application Blocking featureClient application blocking rules Policy enforcement Policy managementPolicies and policy categories Policy ownership Policy inheritance and assignmentPolicy assignment locking Adaptive and Learn mode Preset protectionDeployment and management Reports Tuning„ Deploy Host Intrusion Prevention clients Using ePolicy OrchestratorEPolicy Orchestrator console EPolicy Orchestrator consoleAssign Policies Policy managementHost Intrusion Prevention operations Installing the Host Intrusion Prevention serverAssigning owners to policies Generating notificationsViewing and working with client data Deploying Host Intrusion Prevention clientsPlacing clients in Adaptive or Learn mode Policy viewing alerts Configuring policiesActive X control security warning Fine-tuningHelp navigation procedures Using HelpIPS Events/Signatures Help in the user interfaceIPS Exception Rules IPS Signature RulesOverview IPS PoliciesBenefits of Host IPS Host and network IPS signature rulesBehavioral rules Preset IPS policiesBenefits of Network IPS Quick access Configuring the IPS Options policyTo configure the IPS Options policy To create a new IPS Options policy Click ApplyIPS Options dialog box appears Select the needed optionsConfiguring the IPS Protection policy To create a new IPS Protection policy To configure the IPS Protection policySelect the type of reaction for each severity level IPS Protection dialog box appearsTo assign IPS Rules policies Configuring the IPS Rules policyTo create a new IPS Rules policy IPS Rules policy details To create an exception Creating exception rulesYou can view and edit details of an existing exception Editing exception rulesTo edit an exception rule Enabling and disabling exception rules To disable/enable an exceptionDeleting exception rules Moving exception rules to another policyTypes of signatures SignaturesHost signatures Custom host signaturesIPS Rules-Signatures tab Viewing signaturesModifying host and network signatures To modify default signaturesCreating custom signatures To modify the view of signaturesTo create signatures using the wizard Using the wizard to create signaturesTo create a signature with the standard mode Using the standard mode to create signaturesNew Custom Signature-General tab Deleting custom signatures Editing custom signaturesTo use Standard Method To use Expert Method To edit a custom signature11 Application Protection Rules analysis Application Protection Rules12 IPS Rules-Application Protection Rules To create an application protection rule13 New Trusted Application dialog box-General tab Editing Application Protection Rules IPS EventsEnabling and disabling Application Protection Rules Deleting Application Protection RulesTo view IPS events Viewing eventsFiltering events Configuring the event viewTo change the event view To mark an event as read Marking eventsTo mark an event as unread To hide an eventTo mark similar events Marking similar events„ Agent „ Signatures „ User „ Process „ Severity Level HiddenCreating event-based exceptions and trusted applications Viewing event detailsTo view event details To create an event-based trusted application To create an event-based exceptionSearching for related exceptions IPS Client RulesTo search for a related exception To migrate client rules to an IPS Rules policy Regular ViewTo aggregate client rules Aggregated ViewClick the Aggregate View tab on the IPS Client Rules tab To search for exceptions and manage the list of exceptions Search IPS Exception Rules22 Search IPS Exception Rules tab Firewall Policies HIP 6.1 rules HIP 6.0 rulesStateful packet filtering State tableStateful packet inspection Ordering the firewall rule list How firewall rules workStateful filtering process How stateful filtering worksStateful protocol tracking How stateful packet inspection worksProtocol Description of handling TCP Firewall rule groups and connection-aware groupsOverview Stateful filtering Firewall Learn and Adaptive modesQuarantine policies and rules Migrating custom 6.0 firewall rules to 6.1 rules Preset Firewall policiesTo migrate rules To configure the Firewall Options policy Configuring the Firewall Options policySelect For these settings Off McAfee Default Learn„ Select New Policy Create New Policy dialog box appearsCreating new Firewall Rules policies Configuring the Firewall Rules policyTo create a Firewall Rules policy Include Local Subnet Automatically selected Server High Select this For this protection Policy Server MediumDo any of the following Viewing and editing firewall rulesTo view and edit a firewall rule Add Policy or Duplicate PolicyCreating a new firewall rule or firewall group Select the appropriate settings Click OKTo create a firewall rule Firewall Rule Group dialog box appears To create a new rule groupTo create a connection-aware group Type a name for this group in the Name fieldTo add predefined rules Deleting a firewall rule or groupTo delete a firewall rule or group To view all firewall client rules Viewing firewall client rulesTo modify the view, do any of the following To view details of an aggregated firewall rule To view aggregated firewall client rulesTo configure the Quarantine Options policy Configuring the Quarantine Options policySelect New Policy Quarantine Rules policy provides access for Configuring the Quarantine Rules policyCreating new Quarantine Rules policies To create a Quarantine Rules policyTo view and edit a quarantine rule Viewing and editing quarantine rulesClick Properties Deleting a quarantine rule or group Creating a new quarantine rule or groupTo create a quarantine rule To delete a quarantine rule or groupApplication creation Application Blocking PoliciesApplication Blocking feature contains two policy categories Preset Application Blocking policiesApplication hooking Select this policy For these settings Off McAfee Default Configuring the Application Blocking Options policyTo apply an Application Blocking Options policy Application Blocking Options Creating new Application Blocking Rules policies Configuring the Application Blocking Rules policyTo create an Application Blocking Rules policy To view and edit an application blocking rule Viewing and editing Application Blocking RulesTo create a new application blocking rule Creating new Application Blocking RulesApplication Rule dialog box appears 100Viewing application client rules Deleting an application blocking ruleTo delete an application blocking rule To view all client application rulesTo view details of an aggregated client application rule To view aggregated client application rulesGeneral Policies General feature contains four policy categories Preset General policiesConfiguring the Client UI policy Configuring Enforce PoliciesTo change the policy setting Regular UserTo configure a Client UI policy Administrator UserCreating and applying a Client UI policy Disconnected User107 Setting passwordsClick the Advanced Options tab in the Client UI policy To create an administrator password108 Tray icon control To create a time-based passwordTo provide tray icon control of Windows UI To configure trusted network options Configuring the Trusted Networks policy110 Edit Select To do this AddRemove Include Local SubnetCreating and applying Trusted Applications policies Configuring the Trusted Applications policyTo create a new policy Trusted Application tab appearsTo create a trusted application Creating trusted applicationsEditing trusted applications To disable/enable a trusted applicationEnabling and disabling trusted applications Deleting trusted applicationsFine-tuning a deployment MaintenanceAnalyzing IPS events 115Working with client exception rules Creating exception rules and trusted application rulesCreating and applying new policies For details on working with client rules, seeTo view and reset broken inheritance below a specific node Policy maintenance and tasksPolicies tab Policy inheritance and assignmentClick Copy policy assignments To copy and paste policy assignments of a nodePolicy Catalog To view nodes where a policy is assignedViewing policy information To view all policies that have been createdTo view assignments where policy enforcement is disabled To view the settings and owner of a policyEditing policy information To edit a policy Directory Gateway Running server tasksEvent Archiver Property TranslatorHow notifications work Setting up notifications for eventsCreating rules 124 Host Intrusion Prevention notificationsPre-defined reports Running reportsReport repository Host Intrusion Prevention reports Report content controlSummary information and details IPS Events Summary by SignatureNetwork Intrusion Summary by Source IP IPS Event Summary by TargetSignature Top 10 Triggered Signatures Top 10 Attacked Nodes for IPSBlocked Application Summary Filters on platform and signature typeTop 10 Blocked Applications Failed Quarantine UpdatesInitial View Drill Down Host Name To add update packages automatically Checking in the update packageUpdating From the Task type list, select Repository PullTo run an update task To add update packages manuallyTo have a client request an update Updating clientsWindows client Host Intrusion Prevention ClientClient console System tray icon133 Unlocking the client interface Setting optionsTo unlock the Host Intrusion Prevention interface To customize client optionsTroubleshooting Error ReportingShow tray icon Error Reporting Select For thisTo set Firewall logging options To set IPS logging optionsSecurity Violations Intrusion alerts Alerts137 Firewall alerts To respond to a firewall Learn Mode alert138 Has the Treat rule match as an intrusion option selectedApplication Blocking alerts Spoof Detected alerts Quarantine alerts„ The IP address that the traffic pretends to come from 140 IP Spoof Detected Alert dialog box 141IPS Policy options IPS Policy tabTo customize IPS Policy options 142Exception rules list IPS Policy exception rulesTo edit the exception rules 143Firewall Policy options Firewall Policy tabTo customize Firewall Policy options 144Firewall rules list Firewall Policy Rules145 Application Policy options Application Policy tabTo customize Application Policy options 146Application rules list Application Policy rules147 Blocked Hosts list Blocked Hosts tab148 Column What it shows149 To edit the Blocked Hosts listUntil removed Application Protection list Application Protection tabThis list shows all monitored processes on the client 150Activity Log options Activity Log tabTo customize Activity Log options 151152 Activity Log listSelect Create Sniffer Capture... McAfee Host Intrusion Prevention OptionsClient installation issues TroubleshootingSolaris client Policy enforcement with the Solaris clientRun this command To do this Client operations issues154 File/Directory Name DescriptionTo restart a Solaris client To stop a Solaris client155 Policy enforcement with the Linux client Linux clientFile Name Description Verifying the client is running158 Troubleshooting toolTo stop a Linux client Run the command hipts agent offTo restart a Linux client 159What is a policy? Frequently Asked QuestionsWhat is the McAfee Default policy? 160161 How do I create an exception based on an IPS Event? How do I view IPS events triggered by clients?How do I find existing policies that match a given profile? How do I create custom signatures for an IPS Policy?Rule Structure Writing Custom SignaturesBasic structure of a rule is the following 164165 Mandatory common sectionsSection Name Value Description Name/domain user name Use of Include and ExcludeSection value variables Optional common sectionsUse of the dependencies section Use of environment variables Use of wildcardsUse of predefined variables Windows IIS Web ServerSolaris Apache and iPlanet MS SQL Database Server169 Windows Custom Signatures This topic describes how to write Windows custom signaturesClass Files 170171 GUI name Explanation Advanced DetailsClass Isapi Machine where the client is installed in the manner host Windows Custom Signatures Class Registry 177 Section Values Meaning/remarks Class ServicesGUI Name Explanation Possible Values Windows Custom Signatures Solaris Custom Signatures This topic describes how to write Solaris custom signaturesClass UNIXfile 181Directive File Source File permission New permission Relevant X directives per sectionClass UNIXapache Advanced Details183 Solaris Custom Signatures 185 Linux Custom SignaturesList of parameters according to type Summary of parameters and directivesList of directives according to type 186187 GlossaryBlocked host 188Console tree 189EPolicy Orchestrator database server 190See also minimal properties 191Inactive agent 192Policy enforcement interval 193Severity level 194SYN flood 195Index Working with clients Signatures, 46 creating, 48 creating custom Firewall policy tab rules List IPS Policy tab Page Mcafee.com