McAfee HISCDE-AB-IA Product Guide - Page 104
Appendix A - Writing Custom Signatures and Exceptions
Rule structure

• If a single subrule includes a particular user marketing\jjohns and excludes the same user marketing\jjohns, then the signature does not trigger even when the user marketing\jjohns performs an action that triggers the signature.
• If a subrule includes all users but excludes the particular user marketing\jjohns, then the signature triggers if the user is NOT marketing\jjohns.
• If a subrule includes user marketing\* but excludes marketing\jjohns, then the signature triggers only when the user is marketing\anyone, unless the user is marketing\jjohns, in which case it does not trigger.

Optional common sections

A rule's optional sections and their values include the items below. For optional sections relevant to the class section that is selected, see the class section under Windows and Non-Windows custom signatures.

The keywords Include and Exclude are used for both dependencies and attributes. Include means that the section works on the value indicated, and Exclude means that the section works on all values except the one indicated.

Section       Value                             Description
dependencies  {Include/Exclude "id of a rule"}  Defines dependencies between rules and prevents the triggering of dependent rules.
attributes    -no_log                           Events from the signature are not sent to the ePO server.
              -not_auditable                    No exceptions are generated for the signature when adaptive mode is applied.
              -no_trusted_apps                  The trusted application list does not apply to this signature.
              -inactive                         The signature is disabled.

Use of the dependencies section

Add the optional section dependencies to prevent a more general rule from being triggered along with a more specific rule.

For example, suppose there is one rule to monitor a single text file in C:\test\

    files { Include C:\\test\\abc.txt }

as well as a rule to monitor all the text files in C:\test\

    files { Include C:\\test\\*.txt }

Add the section dependencies to the more specific rule, telling the system not to trigger the general rule if the specific rule is triggered:

    files { Include C:\\test\\abc.txt }
    dependencies "the general rule"

Wildcards and variables

Wildcards, meta-symbols, and predefined variables can be used as the value in the available sections.

104 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
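The Include/Exclude semantics from the rule-structure bullets and the dependency suppression from the dependencies section, modelled as an added Python example that is not McAfee's code or the product's real evaluation engine. The rule ids, the `Section`/`Rule` classes and the constructed events are assumptions for illustration; wildcards are matched with `fnmatch`, which may differ from the product's own wildcard handling.

```python
import fnmatch
from dataclasses import dataclass, field


@dataclass
class Section:
    """One rule section (e.g. user or files) with its Include and Exclude values."""
    include: list[str]
    exclude: list[str] = field(default_factory=list)

    def matches(self, value: str) -> bool:
        # Exclude wins: a value that is both included and excluded does not match.
        # Matching is case-insensitive, as Windows user and path names are.
        v = value.lower()
        inc = any(fnmatch.fnmatchcase(v, p.lower()) for p in self.include)
        exc = any(fnmatch.fnmatchcase(v, p.lower()) for p in self.exclude)
        return inc and not exc


@dataclass
class Rule:
    rule_id: str
    sections: dict[str, Section]
    dependencies: list[str] = field(default_factory=list)  # ids of more general rules

    def triggers(self, event: dict[str, str]) -> bool:
        # Every section of the rule must match the corresponding event attribute.
        return all(name in event and sec.matches(event[name])
                   for name, sec in self.sections.items())


def evaluate(rules: list[Rule], event: dict[str, str]) -> list[str]:
    """Return the ids of the rules that fire, after dependency suppression."""
    triggered = [r for r in rules if r.triggers(event)]
    # A triggered rule suppresses the more general rules named in its dependencies.
    suppressed = {dep for r in triggered for dep in r.dependencies}
    return [r.rule_id for r in triggered if r.rule_id not in suppressed]


# Constructed rules mirroring the page's examples (rule ids are placeholders).
# Raw strings hold single backslashes; a signature file would write C:\\test\\*.txt.
RULES = [
    Rule("self-cancelling", {"user": Section([r"marketing\jjohns"], [r"marketing\jjohns"])}),
    Rule("everyone-but-jjohns", {"user": Section(["*"], [r"marketing\jjohns"])}),
    Rule("marketing-not-jjohns", {"user": Section([r"marketing\*"], [r"marketing\jjohns"])}),
    Rule("general", {"files": Section([r"C:\test\*.txt"])}),
    Rule("specific", {"files": Section([r"C:\test\abc.txt"])}, dependencies=["general"]),
]

if __name__ == "__main__":
    for ev in ({"user": r"marketing\jjohns"}, {"user": r"marketing\asmith"},
               {"files": r"C:\test\abc.txt"}, {"files": r"C:\test\other.txt"}):
        print(ev, "->", evaluate(RULES, ev))
```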