McAfee HISCDE-AB-IA Product Guide - Page 114
Appendix A - Writing Custom Signatures and Exceptions

Windows custom signatures

Section      Values                                   Notes
-----------  ---------------------------------------  -----------------------------------------------
method       GET, POST, INDEX or any other allowed    One of the required parameters. See Note 4.
             HTTP method
directives   isapi:request                            For all three types of incoming HTTP requests.
             isapi:requrl                             For url requests.
             isapi:reqquery                           For query requests.
             isapi:rawdata                            For raw data requests.
             isapi:response                           For request response.

Note 1

An incoming HTTP request can be represented as: http://www.myserver.com/{url}?{query}. In this document, we refer to {url} as the "URL" part of the HTTP request and {query} as the "query" part of the HTTP request. Using this naming convention, we can say that the section "url" is matched against {url} and the section "query" is matched against {query}.

For example, the following rule is triggered if the HTTP request http://www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean is received by IIS:

    Rule {
        tag "Sample6"
        Class Isapi
        Id 4001
        level 1
        url { Include "*abc*" }
        Executable { Include "*" }
        user_name { Include "*" }
        directives isapi:request
    }

This rule is triggered because {url}=/search/abc.exe, which matches the value of the section "url" (i.e. abc).

Note 2

Before matching is done, the sections "url" and "query" are decoded and normalized, so that requests cannot hide content behind encoding or escape sequences.

Note 3

A maximum length restriction can be defined for the sections "url" and "query". By adding ";number-of-chars" to the value of these sections, the rule can match only if the {url} or {query} have more characters than "number-of-chars". For example, "abc*;500" matches strings containing 'abc' that are 500 characters or more; "*abc;xyz*;" matches any string containing 'abc;xyz' regardless of length.

Note 4

A rule needs to contain at least one of the optional sections url, query, method.

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
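The matching behaviour described in Notes 1 to 4 can be modelled in Python for testing a pattern before it goes into a signature. This is an added illustration, not McAfee code or part of the product guide. Assumptions: the normalization steps, case-sensitive matching, requiring every supplied section to match, and treating a non-numeric ";" suffix as part of the pattern.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: the request used in Note 1.
SAMPLE = "http://www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean"

def split_request(request):
    """Note 1: http://host/{url}?{query} -> ({url}, {query})."""
    parts = urlsplit(request)
    return parts.path, parts.query

def normalize(value, is_path=False):
    """Note 2. Assumed details: one percent-decoding pass and, for {url},
    dot-segment removal; the guide does not list the exact steps."""
    value = unquote(value)
    return posixpath.normpath(value) if is_path and value else value

def parse_pattern(spec):
    """Note 3: 'pattern;number-of-chars' -> (pattern, threshold).
    A trailing ';' with no number means no length condition."""
    pattern, sep, tail = spec.rpartition(";")
    if sep and (tail == "" or tail.isdecimal()):
        return pattern, int(tail or 0)
    return spec, 0  # assumption: a non-numeric suffix is part of the pattern

def section_matches(spec, value):
    pattern, threshold = parse_pattern(spec)
    # Only '*' is treated as a wildcard; matching is case-sensitive (assumption).
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    # The guide's example reads "500 characters or more", so >= is used here.
    return len(value) >= threshold and re.fullmatch(regex, value, re.S) is not None

def rule_matches(request, url=None, query=None):
    """True when every supplied section matches (method is not modelled)."""
    raw_url, raw_query = split_request(request)
    checks = []
    if url is not None:
        checks.append(section_matches(url, normalize(raw_url, is_path=True)))
    if query is not None:
        checks.append(section_matches(query, normalize(raw_query)))
    return bool(checks) and all(checks)  # Note 4: at least one section required

if __name__ == "__main__":
    print(rule_matches(SAMPLE, url="*abc*"))      # url section of Sample6
    print(rule_matches(SAMPLE, url="*abc*;500"))  # {url} is below the threshold
```

Running candidate patterns through such a model against encoded variants of the same request shows whether a signature depends on the raw spelling of the URL or on its normalized form.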