McAfee® Host Intrusion Prevention 6.1 Product Guide

Writing Custom Signatures

 

Solaris Custom Signatures


For example, the following rule would be triggered if the HTTP request http://www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean were received by IIS:

    Rule {
    Class UNIX_apache
    Id 4001
    level 1
    url { Include "*abc*" } time { Include "*" } application { Include "*" } user_name { Include "*" } directives -c -d apache:request
    }

This rule is triggered because {url}=/search/abc.exe, which matches the value of the section “url” (namely *abc*).

Note 2

Before matching is done, the sections “url” and “query” are decoded and normalized, so that a request cannot evade a signature by hiding the matched string behind encoding or escape sequences.

Note 3

A length restriction can be defined for the sections “url” and “query”. By adding ;number-of-chars to the value of these sections, the rule only matches if {url} or {query} contains more than number-of-chars characters. For example, the following rule matches if the url part of the request contains “abc” and is over 500 characters long:

    Rule {
    Class UNIX_apache
    Id 4001
    level 1
    url { Include "*abc*;500" } time { Include "*" } application { Include "*" } user_name { Include "*" } directives -c -d apache:request
    }

Note 4

A rule must contain at least one of the optional sections url, query, or method.
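To make the behaviour described in Notes 2 to 4 concrete, the following small Python matcher parses the Rule { ... } text shown above and evaluates it against constructed requests. It is an added example, not code from McAfee or from the product guide: parse_rule, normalize, request_from_url, rule_matches and is_valid_rule are hypothetical helper names; the percent-decoding and path normalization stand in for the product's own normalization, which the guide does not specify; and the assumption that all sections of a rule must match (AND) while several Include values of one section are alternatives (OR) is ours. The sample URLs are constructed for the demonstration.

```python
import posixpath
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlsplit

# Signature text as printed in the guide, plus a constructed variant that
# carries the ";500" length restriction from Note 3.
RULE_ABC = '''Rule {
Class UNIX_apache
Id 4001
level 1
url { Include "*abc*" } time { Include "*" } application { Include "*" } user_name { Include "*" } directives -c -d apache:request
}'''
RULE_ABC_LONG = RULE_ABC.replace('"*abc*"', '"*abc*;500"')

SECTION_RE = re.compile(r'(\w+)\s*\{\s*Include\s*"([^"]*)"\s*\}')
HEADER_RE = re.compile(r'^\s*(Class|Id|level)\s+(\S+)', re.MULTILINE)
DECODED_SECTIONS = ("url", "query")       # decoded and normalized first (Note 2)
REQUIRED_ANY = ("url", "query", "method")  # at least one must be present (Note 4)


def parse_rule(text):
    """Parse Rule text into a dict. 'sections' maps a section name to a list
    of (glob, min_chars) tuples; min_chars is None unless the value carried a
    ';number-of-chars' suffix (Note 3)."""
    rule = {key.lower(): value for key, value in HEADER_RE.findall(text)}
    sections = {}
    for name, value in SECTION_RE.findall(text):
        glob, _, min_chars = value.partition(";")
        sections.setdefault(name, []).append(
            (glob, int(min_chars) if min_chars else None))
    if not any(name in sections for name in REQUIRED_ANY):
        raise ValueError("rule needs at least one of url, query, method")
    rule["sections"] = sections
    return rule


def is_valid_rule(text):
    """True when the rule text parses and satisfies Note 4."""
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


def normalize(value):
    """Percent-decode until the value stops changing (defeats double encoding),
    then collapse '//', '/./' and '/../' in path-like values. This is our
    approximation of 'decoded and normalized'; the product's algorithm is not on the page."""
    for _ in range(4):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    if value.startswith("/"):
        value = posixpath.normpath(value)
    return value


def request_from_url(full_url, method="GET", user_name="", application="httpd", time="12:00"):
    """Split a request URL into the sections a rule can test. Constructed
    helper: the product fills these from the live Apache request."""
    parts = urlsplit(full_url)
    return {"url": parts.path, "query": parts.query, "method": method,
            "user_name": user_name, "application": application, "time": time}


def rule_matches(rule, request):
    """Assumed semantics: every section in the rule must match (AND); within a
    section any one Include value may match (OR). A value with a length
    restriction matches only if it is longer than number-of-chars."""
    for name, patterns in rule["sections"].items():
        value = request.get(name, "")
        if name in DECODED_SECTIONS:
            value = normalize(value)
        if not any(fnmatchcase(value, glob) and (min_chars is None or len(value) > min_chars)
                   for glob, min_chars in patterns):
            return False
    return True


if __name__ == "__main__":
    rule = parse_rule(RULE_ABC)
    for url in ("http://www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean",
                "http://www.myserver.com/search/%61b%63.exe",   # encoded "abc"
                "http://www.myserver.com/search/%2561bc.exe",   # double-encoded "a"
                "http://www.myserver.com/search/xyz.exe"):
        print(url, "->", rule_matches(rule, request_from_url(url)))
```

The second and third sample URLs show why Note 2 matters: without decoding before the glob test, a request for %61bc.exe would slip past the "*abc*" signature. Running the same requests against the ";500" variant shows Note 3 in effect: the short URLs no longer match, while a URL of more than 500 characters that contains "abc" does.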
