Linux Custom Signatures, 185 | McAfee 6.1 manual

McAfee® Host Intrusion Prevention 6.1 Product Guide	Writing Custom Signatures
	Linux Custom Signatures

A

Linux Custom Signatures

This topic describes how to write Linux custom signatures.

The class of the signature depends on the nature of the security issue and on the protection the rules offer. The table below lists the available Linux classes:

class	meaning / remarks

UNIX_file	Used for file or directory operations. See Class UNIX_file.

Class UNIX_file

The following table lists the possible sections of the class Files.

section	values	meaning/remarks

Class	UNIX_file

Id	4000 - 7999

level	0, 1, 2, 3, 4

time	*

user_name	user or system account

application	user or system account path +
	application name

files	source file(s)	Files to look for. This is optional if
		section source is used; see Note 1.

directives	unixfile:link	Creating hard links.

	unixfile:read	Opening the file in Read mode.

	unixfile:write	Opening the file in Write mode.

	unixfile:unlink	Deleting a file from a directory or
		deleting the directory.

	unixfile:rename	Renaming the file.

	unixfile:setattr	Changing the permissions and file
		ownership of the directory or file.

	unixfile:create	Creating a file.

	unixfile:mkdir	Creating a directory.

	unixfile:rmdir	Removing a directory.

185

Image 185

McAfee 6.1 manual Linux Custom Signatures, 185

Contents

McAfee Host Intrusion Prevention Page McAfee Host Intrusion Prevention Copyright Contents IPS Policies General Policies 103 Frequently Asked Questions 160 Writing Custom Signatures 164 IntroducingPrevention Host Intrusion Changes from the previous release New featuresWhat’s new in this release Audience Using this guide This guide uses the following conventions ConventionsBold Condensed Example Standard documentation Getting product information Contact information Customer ServiceProfessional Services Signature rules IPS featureBasic Concepts Events Behavioral rulesReactions Exception rules Client firewall rules Firewall featureFirewall rules Client application blocking rules Application Blocking featureGeneral feature Policies and policy categories Policy managementPolicy enforcement Policy assignment locking Policy inheritance and assignmentPolicy ownership Deployment and management Preset protectionAdaptive and Learn mode Reports Tuning „ Deploy Host Intrusion Prevention clients Using ePolicy Orchestrator EPolicy Orchestrator console EPolicy Orchestrator console Assign Policies Policy management Host Intrusion Prevention operations Installing the Host Intrusion Prevention serverAssigning owners to policies Generating notifications Viewing and working with client data Deploying Host Intrusion Prevention clients Placing clients in Adaptive or Learn mode Policy viewing alerts Configuring policies Active X control security warning Fine-tuning Help navigation procedures Using Help IPS Events/Signatures Help in the user interfaceIPS Exception Rules IPS Signature Rules Overview IPS Policies Benefits of Host IPS Host and network IPS signature rules Benefits of Network IPS Preset IPS policiesBehavioral rules To configure the IPS Options policy Configuring the IPS Options policyQuick access To create a new IPS Options policy Click ApplyIPS Options dialog box appears Select the needed options Configuring the IPS Protection policy To create a new IPS Protection policy To configure the IPS Protection policy Select the type of reaction for each severity level IPS Protection dialog box appears To create a new IPS Rules policy Configuring the IPS Rules policyTo assign IPS Rules policies IPS Rules policy details To create an exception Creating exception rules To edit an exception rule Editing exception rulesYou can view and edit details of an existing exception Enabling and disabling exception rules To disable/enable an exceptionDeleting exception rules Moving exception rules to another policy Types of signatures SignaturesHost signatures Custom host signatures IPS Rules-Signatures tab Viewing signatures Modifying host and network signatures To modify default signaturesCreating custom signatures To modify the view of signatures To create signatures using the wizard Using the wizard to create signatures To create a signature with the standard mode Using the standard mode to create signatures New Custom Signature-General tab Deleting custom signatures Editing custom signaturesTo use Standard Method To use Expert Method To edit a custom signature 11 Application Protection Rules analysis Application Protection Rules 12 IPS Rules-Application Protection Rules To create an application protection rule 13 New Trusted Application dialog box-General tab Editing Application Protection Rules IPS EventsEnabling and disabling Application Protection Rules Deleting Application Protection Rules To view IPS events Viewing events To change the event view Configuring the event viewFiltering events To mark an event as read Marking eventsTo mark an event as unread To hide an event To mark similar events Marking similar events„ Agent „ Signatures „ User „ Process „ Severity Level Hidden To view event details Viewing event detailsCreating event-based exceptions and trusted applications To create an event-based trusted application To create an event-based exception To search for a related exception IPS Client RulesSearching for related exceptions To migrate client rules to an IPS Rules policy Regular View Click the Aggregate View tab on the IPS Client Rules tab Aggregated ViewTo aggregate client rules To search for exceptions and manage the list of exceptions Search IPS Exception Rules 22 Search IPS Exception Rules tab Firewall Policies HIP 6.1 rules HIP 6.0 rules Stateful packet inspection State tableStateful packet filtering Ordering the firewall rule list How firewall rules work Stateful filtering process How stateful filtering works Protocol Description of handling How stateful packet inspection worksStateful protocol tracking TCP Firewall rule groups and connection-aware groups Overview Stateful filtering Firewall Learn and Adaptive modes Quarantine policies and rules To migrate rules Preset Firewall policiesMigrating custom 6.0 firewall rules to 6.1 rules To configure the Firewall Options policy Configuring the Firewall Options policySelect For these settings Off McAfee Default Learn „ Select New Policy Create New Policy dialog box appears To create a Firewall Rules policy Configuring the Firewall Rules policyCreating new Firewall Rules policies Include Local Subnet Automatically selected Server High Select this For this protection Policy Server Medium Do any of the following Viewing and editing firewall rulesTo view and edit a firewall rule Add Policy or Duplicate Policy To create a firewall rule Select the appropriate settings Click OKCreating a new firewall rule or firewall group Firewall Rule Group dialog box appears To create a new rule groupTo create a connection-aware group Type a name for this group in the Name field To delete a firewall rule or group Deleting a firewall rule or groupTo add predefined rules To modify the view, do any of the following Viewing firewall client rulesTo view all firewall client rules To view details of an aggregated firewall rule To view aggregated firewall client rules Select New Policy Configuring the Quarantine Options policyTo configure the Quarantine Options policy Quarantine Rules policy provides access for Configuring the Quarantine Rules policyCreating new Quarantine Rules policies To create a Quarantine Rules policy Click Properties Viewing and editing quarantine rulesTo view and edit a quarantine rule Deleting a quarantine rule or group Creating a new quarantine rule or groupTo create a quarantine rule To delete a quarantine rule or group Application creation Application Blocking Policies Application hooking Preset Application Blocking policiesApplication Blocking feature contains two policy categories To apply an Application Blocking Options policy Configuring the Application Blocking Options policySelect this policy For these settings Off McAfee Default Application Blocking Options To create an Application Blocking Rules policy Configuring the Application Blocking Rules policyCreating new Application Blocking Rules policies To view and edit an application blocking rule Viewing and editing Application Blocking Rules To create a new application blocking rule Creating new Application Blocking RulesApplication Rule dialog box appears 100 Viewing application client rules Deleting an application blocking ruleTo delete an application blocking rule To view all client application rules To view details of an aggregated client application rule To view aggregated client application rules General Policies General feature contains four policy categories Preset General policies Configuring the Client UI policy Configuring Enforce PoliciesTo change the policy setting Regular User To configure a Client UI policy Administrator UserCreating and applying a Client UI policy Disconnected User 107 Setting passwords 108 To create an administrator passwordClick the Advanced Options tab in the Client UI policy To provide tray icon control of Windows UI To create a time-based passwordTray icon control 110 Configuring the Trusted Networks policyTo configure trusted network options Edit Select To do this AddRemove Include Local Subnet Creating and applying Trusted Applications policies Configuring the Trusted Applications policyTo create a new policy Trusted Application tab appears To create a trusted application Creating trusted applications Editing trusted applications To disable/enable a trusted applicationEnabling and disabling trusted applications Deleting trusted applications Fine-tuning a deployment MaintenanceAnalyzing IPS events 115 Working with client exception rules Creating exception rules and trusted application rulesCreating and applying new policies For details on working with client rules, see To view and reset broken inheritance below a specific node Policy maintenance and tasksPolicies tab Policy inheritance and assignment Click Copy policy assignments To copy and paste policy assignments of a node Policy Catalog To view nodes where a policy is assignedViewing policy information To view all policies that have been created Editing policy information To view the settings and owner of a policyTo view assignments where policy enforcement is disabled To edit a policy Directory Gateway Running server tasksEvent Archiver Property Translator Creating rules Setting up notifications for eventsHow notifications work 124 Host Intrusion Prevention notifications Report repository Running reportsPre-defined reports Host Intrusion Prevention reports Report content controlSummary information and details IPS Events Summary by Signature Signature IPS Event Summary by TargetNetwork Intrusion Summary by Source IP Top 10 Triggered Signatures Top 10 Attacked Nodes for IPSBlocked Application Summary Filters on platform and signature type Initial View Drill Down Host Name Failed Quarantine UpdatesTop 10 Blocked Applications To add update packages automatically Checking in the update packageUpdating From the Task type list, select Repository Pull To run an update task To add update packages manuallyTo have a client request an update Updating clients Windows client Host Intrusion Prevention Client 133 System tray iconClient console Unlocking the client interface Setting optionsTo unlock the Host Intrusion Prevention interface To customize client options Troubleshooting Error ReportingShow tray icon Error Reporting Select For this Security Violations To set IPS logging optionsTo set Firewall logging options 137 AlertsIntrusion alerts Firewall alerts To respond to a firewall Learn Mode alert138 Has the Treat rule match as an intrusion option selected Application Blocking alerts „ The IP address that the traffic pretends to come from 140 Quarantine alertsSpoof Detected alerts IP Spoof Detected Alert dialog box 141 IPS Policy options IPS Policy tabTo customize IPS Policy options 142 Exception rules list IPS Policy exception rulesTo edit the exception rules 143 Firewall Policy options Firewall Policy tabTo customize Firewall Policy options 144 145 Firewall Policy RulesFirewall rules list Application Policy options Application Policy tabTo customize Application Policy options 146 147 Application Policy rulesApplication rules list Blocked Hosts list Blocked Hosts tab148 Column What it shows Until removed To edit the Blocked Hosts list149 Application Protection list Application Protection tabThis list shows all monitored processes on the client 150 Activity Log options Activity Log tabTo customize Activity Log options 151 152 Activity Log listSelect Create Sniffer Capture... McAfee Host Intrusion Prevention Options Client installation issues TroubleshootingSolaris client Policy enforcement with the Solaris client Run this command To do this Client operations issues154 File/Directory Name Description 155 To stop a Solaris clientTo restart a Solaris client Policy enforcement with the Linux client Linux client File Name Description Verifying the client is running 158 Troubleshooting tool To stop a Linux client Run the command hipts agent offTo restart a Linux client 159 What is a policy? Frequently Asked QuestionsWhat is the McAfee Default policy? 160 161 How do I create an exception based on an IPS Event? How do I view IPS events triggered by clients? How do I find existing policies that match a given profile? How do I create custom signatures for an IPS Policy? Rule Structure Writing Custom SignaturesBasic structure of a rule is the following 164 Section Name Value Description Mandatory common sections165 Name/domain user name Use of Include and Exclude Use of the dependencies section Optional common sectionsSection value variables Use of environment variables Use of wildcardsUse of predefined variables Windows IIS Web Server 169 MS SQL Database ServerSolaris Apache and iPlanet Windows Custom Signatures This topic describes how to write Windows custom signaturesClass Files 170 171 GUI name Explanation Advanced Details Class Isapi Machine where the client is installed in the manner host Windows Custom Signatures Class Registry 177 Section Values Meaning/remarks Class Services GUI Name Explanation Possible Values Windows Custom Signatures Solaris Custom Signatures This topic describes how to write Solaris custom signaturesClass UNIXfile 181 Directive File Source File permission New permission Relevant X directives per section 183 Advanced DetailsClass UNIXapache Solaris Custom Signatures 185 Linux Custom Signatures List of parameters according to type Summary of parameters and directivesList of directives according to type 186 187 Glossary Blocked host 188 Console tree 189 EPolicy Orchestrator database server 190 See also minimal properties 191 Inactive agent 192 Policy enforcement interval 193 Severity level 194 SYN flood 195 Index Working with clients Signatures, 46 creating, 48 creating custom Firewall policy tab rules List IPS Policy tab Page Mcafee.com