McAfee HISCDE-AB-IA Product Guide - Page 115

Appendix A - Writing Custom Signatures and Exceptions Windows custom signatures Advanced details Some or all of the following parameters appear in the Advanced Details tab of security events for the class Isapi. The values of these parameters can help you understand why a signature is triggered. GUI name url query web server type method local file raw url user source server content len Explanation Decoded and normalized location part of an incoming HTTP request (the part before the '?'). Decoded and normalized query part of an incoming HTTP request (the part after the first '?'). Type and version of the Web server application used. Method of the incoming HTTP request (for example, Get, Put, Post, and Query). Physical name of the file that is retrieved or attempted to be retrieved by the request. Decoded and normalized under IIS. "Raw" (undecoded and not normalized) Request Line of the incoming HTTP request. Request Line is " CRLF". User name of the client making the request; only available if the request is authenticated. Client name or IP address of the computer where the HTTP request originated. The address contains three parts: host name: address: port number. Information about the Web server where the event is created (that's the machine where the client is installed) in the manner ::. The host name is the host variable from the HTTP header; it is left blank if not available. Number of bytes in the body of the message part of the query. The following rule would prevent a request to the web server that has "subject" in the query part of the HTTP request: Rule { tag "Sample7" Class Isapi Id 4001 level 1 query { Include "*subject*" } method { Include "GET" } Executable { Include "*"} user_name { Include "*" } directives isapi:request } For example, the GET request http://www.myserver.com/test/ abc.exe?subject=wildlife&environment=ocean would be prevented by this rule. McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 115