McAfee HISCDE-AB-IA Product Guide - Page 123

Appendix A - Writing Custom Signatures and Exceptions Windows custom signatures Section db_user_name sp_name sp_param_char_len_one... sp_param_one... sp_param_orign_len-one... sql_line_comment sql_original_query sql_query sql_user_password transport directives Values Notes Name of the user if SQL authentication was used, and "Trusted User" if Windows authentication is used. Example: sa Stored procedure name. This should match a stored procedure name. A stored procedure is identified by a supplied list of procedure names that is included for every SQL agent release (currently SPList.txt in the Agent directory). Contains the length of the parameter in number of characters. Contains the value of the parameter. Contains the length of the parameter in number of bytes. This value is set to 1 if the query includes a single line comment "-" containing a single quote. This contains the full SQL query exactly as it was received (including strings and whitespaces). This is the SQL query string with string values, whitespaces, and everything behind the comments stripped out. This is set to 1 if the password This is always be set to 0 for non-SQL users. is NULL and 0 otherwise. On MSSQL 2005/2008, this is hard coded to: Shared memory (LPC). sql:request. For incoming SQL requests Classes and directives per Windows platform A list of the effective classess and directives per Windows platform: • Windows XP, SP2, SP3, 32- and 64-bit (XP) • Windows 2003, R2, R2 SP2, 32- and 64-bit (2K3) • Windows Vista, 32- and 64-bit (V) • Windows 2008 R2, (32- and 64-bit (2K8) • Windows 7, 32- and 64-bit (7) McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 123