McAfee® Host Intrusion Prevention 6.1 Product Guide

IPS Policies

 

IPS Rules policy details

4

.

To use Standard Method:

The Standard Method limits the number of types you can include in the signature rule.

1 Click Add. The New Standard Rule dialog box appears.

2 On the General tab, enter a name for the signature and choose a type.

3 On the Operations tab, specify the operations that trigger the selected rule.

4 On the Parameters tab, include or exclude particular parameters in the rule.

5 On the Rule Syntax tab, view the rule syntax that was generated for the signature you are creating.

6 Click OK. The rule is compiled and the syntax is verified. If there is an error and the rule fails verification, a dialog box describing the error appears. You can then fix the error and verify the rule again.

To use Expert Method:

The Expert Method, recommended only for advanced users, enables you to provide the rule syntax without limiting the number of types you can include in the signature rule. Before writing a rule, make sure you understand rule syntax. Refer to Writing Custom Signatures on page 164.

1 On the Rules tab of the Custom Signature dialog box, select Expert and

2 Click Add. The New Expert Rule dialog box appears.

3 On the General tab, type a name for the rule in the Rule Name box and any notes in the Note box.

4 On the Rule Syntax tab, type the rule. Rules are written in ANSI format and TCL syntax. See Writing Custom Signatures on page 164 for details.

5 Click OK. The rule is compiled and the syntax is verified. If there is an error and the rule(s) fails verification, a dialog box describing the error appears. You can then fix the error and verify the rule again.

5 Click Apply to apply the new settings, and then click OK.

You can include multiple rules in a signature.

Editing custom signatures

You can edit custom signatures to add, remove, or modify rules or other data contained within the signature.

To edit a custom signature:

1 On the Signature tab, double-click the custom signature you want to edit. The Custom Signature Properties dialog box appears.

2 Make changes on each tab as needed. Click Help in the dialog box for details.

3 Click OK to save the changes.

Deleting custom signatures

In addition to creating and editing custom signatures, you can also delete them. When you delete a custom signature, all existing events that were triggered by this signature have the signature ID appended to their names in the IPS Events tab.

To delete a custom signature:

1 On the Signature tab, select the custom signature you want to delete and click Delete on the shortcut menu or the toolbar.

2 In the dialog box that appears asking to confirm the deletion, click OK.
