
McAfee® Host Intrusion Prevention 6.1 Product Guide | Writing Custom Signatures | Solaris Custom Signatures | A
Advanced Details
Some or all of the following parameters appear in the Advanced Details tab of security events for the class UNIX_Files. The values of these parameters can help you understand why a signature is triggered.
| GUI name | Explanation |
| --- | --- |
| files | Name of the file that was accessed or attempted to be accessed. |
| source | Only applicable when operation is the creation of a symbolic link between files: name of the new link; or when operation is the renaming of a file: new name of the file. |
| file permission | Permissions of the file. |
| source permission | Only applicable when operation is the creation of a symbolic link between files: permissions of the target file (the file to which the link points). |
| new permission | Only applicable when creating a new file or when doing a chmod operation: permissions of the new file. |
Class UNIX_apache
The following table lists the possible sections of the class UNIX_apache. This class can be used for the Apache, iPlanet and Netscape Enterprise Web Servers.
| section | values | meaning/remarks |
| --- | --- | --- |
| Class | UNIX_apache | |
| Id | 4000 – 7999 | |
| level | 0, 1, 2, 3, 4 | |
| time | * | |
| user_name | user or system account | |
| application | path + application name | |
| url | | This section is optional. It is matched against the url part of an incoming request; see Notes 1, 2, 3, 4. |
| query | | This section is optional. It is matched against the query part of an incoming request; see Notes 1, 2, 3, 4. |
| method | “GET”, “POST”, “INDEX” and the other http methods | This section is optional. See Note 4. |
| directives | apache:request | |
Note 1
An incoming http request can be represented as: http://www.myserver.com/{url}?{query}. In this document, we refer to {url} as the “url” part of the http request and {query} as the “query” part of the http request. Using this naming convention, we can say that the section “url” will be matched against {url} and the section “query” will be matched against {query}.
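The following Python sketch is an added example, not code from the product guide or from McAfee. It splits a request into the {url} and {query} parts of Note 1 and checks a draft signature against the UNIX_apache table. The dict representation of a signature, the function names, the exclusion of the leading "/" from {url}, and the treatment of every section not marked optional as required are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constraints copied from the UNIX_apache table on this page.
ID_RANGE = range(4000, 8000)           # Id: 4000 - 7999
LEVELS = {0, 1, 2, 3, 4}
OPTIONAL = {"url", "query", "method"}  # marked "optional" in the table
REQUIRED = {"Class", "Id", "level", "time", "user_name",
            "application", "directives"}  # assumption: all the others


def split_request(request):
    """Split a request into the ({url}, {query}) parts named in Note 1.

    Accepts an absolute URL or a bare request target such as "/a/b?x=1".
    Returns query=None when the request carries no "?" at all.
    """
    parts = urlsplit(request)
    # Note 1 writes the request as http://host/{url}?{query}, so the
    # leading "/" is treated here as a separator, not as part of {url}.
    url = parts.path[1:] if parts.path.startswith("/") else parts.path
    # urlsplit cuts at the first "?", so any later "?" stays in {query}.
    query = parts.query if "?" in request.split("#", 1)[0] else None
    return url, query


def lint_signature(sig):
    """Return a list of problems found in a draft signature (a dict)."""
    problems = []
    for name in sorted(REQUIRED - set(sig)):
        problems.append(f"missing section: {name}")
    for name in sorted(set(sig) - REQUIRED - OPTIONAL):
        problems.append(f"unknown section: {name}")
    if "Class" in sig and sig["Class"] != "UNIX_apache":
        problems.append("Class must be UNIX_apache")
    if "Id" in sig and sig["Id"] not in ID_RANGE:
        problems.append("Id outside 4000-7999")
    if "level" in sig and sig["level"] not in LEVELS:
        problems.append("level must be 0-4")
    if "directives" in sig and sig["directives"] != "apache:request":
        problems.append("directives must be apache:request")
    return problems


if __name__ == "__main__":
    # Constructed sample request and draft, for illustration only.
    print(split_request("http://www.myserver.com/cgi-bin/report.cgi?id=7"))
    print(lint_signature({"Class": "UNIX_apache", "Id": 8001, "level": 2}))
```
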
