McAfee HISCDE-AB-IA Product Guide - Page 122
Windows class SQL
View all McAfee HISCDE-AB-IA manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 122 highlights
Appendix A - Writing Custom Signatures and Exceptions Windows custom signatures The following rule would prevent deactivation of the Alerter service. Rule { tag "Sample9" Class Services Id 4001 level 4 Service { Include "Alerter" } application { Include "*"} user_name { Include "*" } directives service:stop } The various sections of this rule have the following meaning: • Class Services: indicates that this rule relates to file operations class. • Id 4001: Assigns the ID 4001 to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same ID. • level 4: Assigns the severity level 'high' to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same level. • Service { Include "Alerter" }: Indicates that the rule covers the service with name "Alerter". If the rule covers multiple services, add them in this section in different lines. • application { Include "*"}: Indicates that this rule is valid for all processes. If you want to limit your rule to specific processes, spell them out here, complete with path name. • user_name { Include "*" }: Indicates that this rule is valid for all users (or more precisely, the security context in which a process runs). If you want to limit your rule to specific user contexts, spell them out here in the form Local/user or Domain/user. See Common Sections for details. • directives service:stop: Indicates that this rule covers deactivation of a service. Windows class SQL The following table lists the possible sections and values for the Windows class SQL: Section Class Id level time user_name Executable authentication_mode client_agent Values MSSQL See Common sections. Notes Boolean value that specifies whether Windows authentication (set to 1) or SQL authentication (set to 0) was used. Name of the utility sending the Example: OSQL-32, Internet Information Services request on the client system. 122 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5