McAfee® Host Intrusion Prevention 6.1 Product Guide | Writing Custom Signatures |
| Solaris Custom Signatures |
For example, the following rule would be triggered if the HTTP request http://www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean were received by IIS:
Rule {
    Class UNIX_apache
    Id 4001
    level 1
    url { Include "*abc*" }
    time { Include "*" }
    application { Include "*" }
    user_name { Include "*" }
    directives
}
This rule is triggered because {url}=/search/abc.exe, which matches the value of the section “url” (namely, abc).
Note 2
Before matching is done, the sections “url” and “query” are decoded and normalized, so that requests cannot evade matching by being filled with encoding or escape sequences.
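The following sketch is an added example, not code from the product or from this guide. It shows why the order in Note 2 matters: the same “url” pattern from rule 4001 is tested against a raw request and against the decoded, normalized request. The normalization steps (percent-decoding and dot-segment removal), the glob semantics of Python's fnmatch, and the names sections, rule_matches and RULE_4001 are assumptions made for the illustration.

```python
# Added illustration: not the product's matching engine. The normalization
# steps (percent-decoding, dot-segment removal) and glob semantics are assumed.
import posixpath
from fnmatch import fnmatchcase
from urllib.parse import urlsplit, unquote


def sections(request_url):
    """Split a request into decoded, normalized 'url' and 'query' sections."""
    parts = urlsplit(request_url)
    path = unquote(parts.path)
    # Collapse "." and ".." segments and repeated slashes (assumed step).
    path = posixpath.normpath(path) if path else "/"
    return {"url": path, "query": unquote(parts.query)}


def rule_matches(rule, request_url, normalize=True):
    """Return True if every section pattern in `rule` matches the request."""
    if normalize:
        secs = sections(request_url)
    else:
        # Matching on the bytes as received, shown only for comparison.
        raw = urlsplit(request_url)
        secs = {"url": raw.path, "query": raw.query}
    return all(fnmatchcase(secs[name], pat) for name, pat in rule.items())


# The "url" section of rule 4001 from this page.
RULE_4001 = {"url": "*abc*"}

# Constructed sample requests: the page's example, and the same request
# with one character of the path percent-encoded.
PLAIN = "http://www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean"
ENCODED = "http://www.myserver.com/search/%61bc.exe?subject=wildlife&environment=ocean"

if __name__ == "__main__":
    for label, req in (("plain", PLAIN), ("encoded", ENCODED)):
        print(label, sections(req)["url"],
              "raw match:", rule_matches(RULE_4001, req, normalize=False),
              "normalized match:", rule_matches(RULE_4001, req))
```

Without the decoding step the encoded request would not match the pattern; after decoding, both requests yield {url}=/search/abc.exe and trigger the rule.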
Note 3
A maximum length restriction can be defined for the sections “url” and “query”. By adding
Rule {
    Class UNIX_Apache
    Id 4001
    level 1
    url { Include "*abc*;500" }
    time { Include "*" }
    application { Include "*" }
    user_name { Include "*" }
    directives
}
Note 4
A rule needs to contain at least one of the optional sections url, query, method.