McAfee® Host Intrusion Prevention 6.1 Product Guide | IPS Policies | IPS Rules policy details
To modify the view of signatures:
4
| Select... | To view... |
|---|---|
| Show Active Signatures | Only the signatures that are active for the IPS Rules policy. This is the default view. |
| Show Disabled Signatures | Only the signatures whose severity level is set to disabled. |
| Show All Signatures | A combination of active and disabled signatures. |
Modifying host and network signatures
You can view and modify default signatures on the Signatures tab of the IPS Rules policy. This enables you to change the severity level of the signature if the signature is causing false positives.
To modify default signatures:
1
The Signature Properties dialog box appears.
2 On the General tab, modify the Severity Level, Allow Client Exceptions, or Log Status settings, and enter notes in the Note box to document the change.
3 On the Description tab, review what the signature is protecting and what it provides. If there is a link, click it to open a browser page and view more information on the security threat.
4 Click OK.
You can modify the severity level of several signatures at one time by selecting the signatures and clicking Modify the Severity Level. In the dialog box that appears, select Modified and the new severity level to be applied to the signatures, or select Default to return the signatures to their default severity level. Click OK to save the changes. Severity Level settings include High, Medium, Low, Information, and Disabled.
Creating custom signatures
Host Intrusion Prevention gives you the flexibility to create and manage your own signatures and share them between policies. Creating custom signatures, which is recommended only for advanced users, provides additional flexibility for your environment. Refer to Writing Custom Signatures on page 164 for details.
You can use two methods to create signatures:
Signature Creation Wizard — This is the simplest method, but you cannot change operations that the signature is protecting.
Standard Mode — This is the more advanced method that enables you to add or delete operations that the signature is protecting.