McAfee HISCDE-AB-IA Product Guide - Page 130
Appendix A - Writing Custom Signatures and Exceptions
Non-Windows custom signatures

Solaris/Linux class UNIX_apache (HTTP)

The following table lists the possible sections and values for the UNIX-based class apache:

| Section | Values | Notes |
|---|---|---|
| Class | UNIX_apache | |
| Id | See Common sections. | |
| level | See Common sections. | |
| time | See Common sections. | |
| user_name | See Common sections. | |
| Executable | See Common sections. | |
| url | | Optional. Matched against the url part of an incoming request. See Notes 1-4. |
| query | | Optional. Matched against the query part of an incoming request. See Notes 1-4. |
| method | "GET", "POST", "INDEX" and all other allowed http methods | Optional. See Note 4. |
| zone | Name of the zone to which the signature applies | Solaris 10 or later. See Note 5. |
| directives | apache:requrl | For URL requests. |
| | apache:reqquery | For query requests. |
| | apache:rawdata | For raw data requests. |

Note 1

An incoming http request can be represented as: http://www.myserver.com/{url}?{query}. In this document, we refer to {url} as the "url" part of the http request and {query} as the "query" part of the http request. Using this naming convention, we can say that the section "url" is matched against {url} and the section "query" is matched against {query}.

For example, the following rule is triggered if the http request http://www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean is received by IIS:

    Rule {
        Class UNIX_apache
        Id 4001
        level 1
        url { Include "*abc*" }
        time { Include "*" }
        application { Include "*" }
        user_name { Include "*" }
        directives apache:request
    }

This rule is triggered because {url}=/search/abc.exe, which matches the value of the section "url" (namely, abc).

130 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
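The url/query split from Note 1, as an added Python example that is not part of the McAfee guide: it pulls the Include patterns out of the rule text and checks them against sample requests, so a rule author can see which part of a request a section actually inspects. The function names are hypothetical, and the matching semantics are assumptions (`*` as a shell-style wildcard, case-sensitive comparison, an absent optional section imposing no constraint); the product's own matcher may differ.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Rule text as printed in Note 1 of the guide.
RULE = '''Rule {
    Class UNIX_apache
    Id 4001
    level 1
    url { Include "*abc*" }
    time { Include "*" }
    application { Include "*" }
    user_name { Include "*" }
    directives apache:request
}'''

def parse_includes(rule_text):
    """Return {section: [patterns]} for each `name { Include "..." }` section."""
    return {name: re.findall(r'Include\s+"([^"]*)"', body)
            for name, body in re.findall(r'(\w+)\s*\{([^{}]*)\}', rule_text)}

def split_request(request):
    """Split a request into the guide's {url} and {query} parts."""
    parts = urlsplit(request)
    return parts.path, parts.query

def rule_matches(sections, request):
    """Check only the url and query sections (assumed semantics, see lead-in)."""
    url, query = split_request(request)
    for name, value in (("url", url), ("query", query)):
        patterns = sections.get(name)
        if patterns is None:  # optional section absent: assumed to be no constraint
            continue
        if not any(fnmatchcase(value, p) for p in patterns):
            return False
    return True

if __name__ == "__main__":
    sections = parse_includes(RULE)
    # Constructed sample requests; the first is the one from Note 1.
    for req in ("http://www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean",
                "http://www.myserver.com/search/index.html?file=abc.exe"):
        print(split_request(req), rule_matches(sections, req))
```

The second request carries abc only in its query string, so the "url" section does not match it; covering that case would need a "query" section as well.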