McAfee® Host Intrusion Prevention 6.1 Product Guide | IPS Policies |
| IPS Rules policy details |
4
.
To use Standard Method: | To use Expert Method: | |
|
| |
The Standard Method limits the number of | The Expert Method, recommended only for | |
types you can include in the signature rule. | advanced users, enables you to provide the | |
| rule syntax without limiting the number of | |
| types you can include in the signature rule. | |
| Before writing a rule, make sure you | |
| understand rule syntax. Refer to Writing | |
| Custom Signatures on page 164. | |
|
| |
1 Click Add. The New Standard Rule dialog | 1 On the Rules tab of the Custom Signature | |
box appears. | dialog box, select Expert and | |
2 On the General tab, enter a name for the | 2 Click Add. The New Expert Rule dialog | |
signature and choose a type. | box appears. | |
3 On the Operations tab, specify the | 3 On the General tab, type a name for the | |
operations that trigger the selected rule. | rule in the Rule Name box and any notes | |
4 On the Parameters tab, include or exclude | in the Note box. | |
4 On the Rule Syntax tab, type the rule. | ||
particular parameters in the rule. | ||
5 On the Rule Syntax tab, view the rule | Rules are written in ANSI format and | |
syntax that was generated for the | TCL syntax. See Writing Custom | |
Signatures on page 164 for details. | ||
signature you are creating. | ||
5 Click OK. The rule is compiled and the | ||
6 Click OK. The rule is compiled and the | ||
syntax is verified. If there is an error and | ||
syntax is verified. If there is an error and | ||
the rule(s) fails verification, a dialog box | ||
the rule fails verification, a dialog box | ||
describing the error appears. You can | ||
describing the error appears. You can | ||
then fix the error and verify the rule | ||
then fix the error and verify the rule again. | ||
again. | ||
| ||
|
|
5Click Apply to apply the new settings, and then OK.
You can include multiple rules in a signature.
Editing custom signatures
You can edit custom signatures to add, remove, or modify rules or other data contained within the signature.
To edit a custom signature:
1On the Signature tab,
2Make changes on each tab as needed. Click Help in the dialog box for details.
3Click OK to save the changes.
Deleting custom signatures
In addition to creating and editing custom signatures, you can also delete them. When you delete a custom signature, all existing events that were triggered by this signature will have the signature ID appended to its name in the IPS Events tab.
To delete a custom signature:
1On the Signature tab, select the custom signature you want to delete and click Delete on the shorcut menu or the toolbar.
2In the dialog box that appears asking to confirm the deletion, click OK.
52
