McAfee HISCDE-AB-IA Product Guide - Page 101
Appendix A — Writing Custom Signatures and Exceptions, Rule structure
Appendix A - Writing Custom Signatures and Exceptions

This section describes the structure of IPS signatures, including a list of classes, parameters, and directives, and provides information on how to create custom signatures for the various client platforms. This information can also be used when working with the advanced details page for exceptions.

Contents
    Rule structure
    Windows custom signatures
    Non-Windows custom signatures

Rule structure

Every signature contains one or more rules written in ANSI Tool Command Language (TCL) syntax. Each rule contains mandatory and optional sections, with one section per line. Optional sections vary according to the operating system and the class of the rule. Each section defines a rule category and its value. One section always identifies the class of the rule, which defines the rule's overall behavior.

The basic structure of a rule is the following:

    Rule {
        SectionA value
        SectionB value
        SectionC value
        ...
    }

NOTE: Be sure to review the syntax for writing strings and escape sequences in TCL before attempting to write custom rules. A quick review of any standard reference on TCL should ensure that you enter proper values correctly.

A rule to prevent a request to the web server that has "subject" in the HTTP request query has the following format:

    Rule {
        Class Isapi
        Id 4001
        level 4
        query { Include *subject* }

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
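The structural points above (Tcl brace grouping, one section per line, a Class section in every rule) can be checked before a custom rule is pasted into a policy. The following is an added example, not code from the product guide or from McAfee: the names tcl_words and lint_rule are hypothetical, the Tcl word splitting is simplified, matching "Class" case-insensitively is an assumption, and every input except PAGE_EXCERPT is constructed.

```python
def tcl_words(text):
    """Split text into commands (one per line) of Tcl words; simplified rules:
    {...} nests, "..." groups at brace depth 0, backslash protects next char."""
    cmds, words, cur, depth, quoted, i = [], [], "", 0, False, 0
    while i < len(text):
        c = text[i]
        if c == "\\":  # keep the escape and the escaped character together
            cur, i = cur + text[i:i + 2], i + 2
            continue
        if c == '"' and depth == 0:
            quoted = not quoted
        elif c in "{}" and not quoted:
            depth += 1 if c == "{" else -1
        if depth == 0 and not quoted and c in " \t\r\n":
            words += [cur] if cur else []  # whitespace ends the current word
            cur = ""
            if c == "\n" and words:        # newline ends the current command
                cmds, words = cmds + [words], []
        else:
            cur += c
        i += 1
    words += [cur] if cur else []
    return cmds + ([words] if words else []), depth, quoted

def lint_rule(text):
    """Return structural problems in one rule (empty list = none found)."""
    cmds, depth, quoted = tcl_words(text)
    head = cmds[0] if len(cmds) == 1 else []
    if len(head) != 2 or head[0] != "Rule" or head[1][0] != "{":
        return ["expected a single 'Rule { ... }' block"]
    problems, body = [], head[1][1:]
    if depth or quoted or not body.endswith("}"):
        problems.append("rule is not closed (%d brace(s) left open)" % depth)
    else:
        body = body[:-1]
    sections = tcl_words(body)[0]
    for words in sections:
        if len(words) != 2:  # each line must be exactly one 'Section value' pair
            problems.append("line '%s ...': %d words, expected 'Section value'"
                            % (words[0], len(words)))
    if not any(w[0].lower() == "class" for w in sections):  # assumed case-insensitive
        problems.append("no Class section")
    return problems

# Rule text as printed on the page, which breaks off at the page boundary.
PAGE_EXCERPT = "Rule {\n Class Isapi\n Id 4001\n level 4\n query { Include *subject* }\n"
# Constructed inputs for the structural check only; not deployable signatures.
CLOSED = PAGE_EXCERPT + "}\n"
FLATTENED = " ".join(CLOSED.split())
NO_CLASS = "Rule {\n Id 4001\n level 4\n}\n"
if __name__ == "__main__":
    print(lint_rule(PAGE_EXCERPT))
```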