McAfee HISCDE-AB-IA Product Guide - Page 102
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5, page 102

Appendix A - Writing Custom Signatures and Exceptions
Rule structure

    method { Include GET }
    time { Include * }
    Executable { Include * }
    user_name { Include * }
    directives isapi:request
    }

See Windows custom signatures and Non-Windows custom signatures for an explanation of the various sections and values.

Common sections

A rule's most common sections and their values include the items below. For sections relevant to the selected class section, see the class section under Windows or Non-Windows custom signatures.

The keywords Include and Exclude are used for all sections except for tag, Id, level, and directives. Include means that the section works on the value indicated, and Exclude means that the section works on all values except the one indicated.

NOTE: All section names on all platforms are case-sensitive. Values for sections are case-sensitive on non-Windows platforms only.

Section: Class
    Value: Depends on operating system. See Windows custom signatures or Non-Windows custom signatures.
    Description: Indicates the class this rule applies to.

Section: tag
    Value: Name of the rule in quotes "..."
    Description: Name of the subrule.

Section: Id
    Value: 4000 - 5999
    Description: The unique ID number of the signature. The numbers are the ones available for custom rules.

Section: level
    Value: 0, 1, 2, 3, 4
    Description: The severity level of the signature:
        0=Disabled
        1=Log
        2=Low
        3=Medium
        4=High

Section: user_name
    Value: {Include/Exclude user's name or system account}
    Description: The users to whom the rule applies. Specify particular users or all users.
    Remarks for Windows:
    • For local user: use /.
    • For domain user: use /.
    • For local system: use Local/System.
    • Some remotely initiated actions do not report the ID of the remote user, but use the local service and its user context instead. You need to plan accordingly when developing rules. When a process occurs in the context of a Null Session, the user and domain are 'Anonymous'.
    If a rule applies to all users, use *.
    On UNIX, this section is case sensitive.
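The common-section constraints above can be checked before a custom rule is deployed. The following linter is an added example, not code from the product guide or from McAfee. The function name `lint_rule`, the one-section-per-line layout, the `Rule {` wrapper line, the `Class` value and both sample rules are assumptions constructed for illustration.

```python
import re

BARE = ("Class", "tag", "Id", "level", "directives")  # sections given a bare value
COMMON = BARE + ("user_name",)
LEVELS = {0: "Disabled", 1: "Log", 2: "Low", 3: "Medium", 4: "High"}

def lint_rule(text):
    """Return findings for one rule; assumes one section per line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "Rule {", "}"):  # assumed wrapper lines, nothing to check
            continue
        name, _, rest = line.partition(" ")
        rest = rest.strip()
        # Section names are case-sensitive on all platforms.
        wrong_case = [c for c in COMMON if c != name and c.lower() == name.lower()]
        if wrong_case:
            findings.append(f"{name}: section names are case-sensitive, use {wrong_case[0]}")
        elif name == "tag":
            if not re.fullmatch(r'"[^"]+"', rest):
                findings.append("tag: rule name must be in quotes")
        elif name == "Id":
            if not (rest.isdecimal() and 4000 <= int(rest) <= 5999):
                findings.append(f"Id: {rest} is outside the custom range 4000-5999")
        elif name == "level":
            if not (rest.isdecimal() and int(rest) in LEVELS):
                findings.append(f"level: {rest} is not one of 0-4")
        elif name not in BARE:
            # Every other section needs the Include or Exclude keyword.
            m = re.fullmatch(r"\{\s*(\S+)\s+(.+?)\s*\}", rest)
            if not m or m.group(1) not in ("Include", "Exclude"):
                findings.append(f"{name}: expected {{ Include|Exclude value }}")
    return findings

# Constructed samples; the Class value and the tag text are assumed, not from the guide.
GOOD_RULE = """Rule {
    tag "Constructed sample"
    Class Isapi
    Id 4001
    level 2
    method { Include GET }
    user_name { Include * }
    directives isapi:request
}"""
BAD_RULE = 'Rule {\n tag Unquoted\n Id 3999\n Level 4\n user_name { include * }\n}'

if __name__ == "__main__":
    for finding in lint_rule(BAD_RULE):
        print(finding)
```
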