McAfee HISCDE-AB-IA Product Guide - Page 131
Solaris/Linux class UNIX_Misc, Note 2
Appendix A - Writing Custom Signatures and Exceptions
Non-Windows custom signatures

Note 2
Before matching is done, the sections "url" and "query" are decoded and normalized so that requests cannot be filled with encoding or escape sequences.

Note 3
A maximum length restriction can be defined for the sections "url" and "query". By adding ";number-of-chars" to the value of these sections, the rule can only match if the {url} or {query} has more characters than "number-of-chars". For example, the following rule matches if the url part of the request contains "abc" and the url part of the request has over 500 characters:

    Rule {
        Class UNIX_apache
        Id 4001
        level 1
        url { Include "*abc*;500" }
        time { Include "*" }
        application { Include "*" }
        user_name { Include "*" }
        directives apache:request
    }

Note 4
A rule needs to contain at least one of the optional sections url, query, method.

Note 5
By default, all zones are protected by the signature. To restrict protection to a particular zone, add a zone section in the signature and include the name of the zone. For example, if you have a zone named "app_zone" whose root is /zones/app, then the rule:

    Rule {
        ...
        file { Include "/tmp/test.log" }
        zone { Include "app_zone" }
        ...
    }

would apply only to the file in the zone "app_zone" and not in the global zone. Note that in this release, web server protection cannot be restricted to a particular zone.

Solaris/Linux class UNIX_Misc

The following table lists the possible sections and values for the Solaris or Linux class UNIX_misc:

| Section | Values | Notes |
|---------|--------|-------|
| Class | UNIX_misc | A miscellaneous class that safeguards access protection. |
| Id | See Common sections. | |

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 131
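Notes 2 and 3 can be checked offline against sample requests with a small model of the matching step. This is an added example, not McAfee code: the normalization (one pass of percent-decoding plus path collapsing), treating only "*" as a wildcard, case-sensitive matching, and measuring the length after decoding are all assumptions, and `normalize`, `parse_include` and `section_matches` are hypothetical names.

```python
import posixpath
import re
from urllib.parse import unquote


def normalize(raw, is_path=True):
    """Assumed normalization: percent-decode once, then collapse ./, ../ and //."""
    decoded = unquote(raw)
    if is_path and decoded.startswith("/"):
        return posixpath.normpath(decoded)
    return decoded


def parse_include(value):
    """Split an Include value into (pattern, min_len); min_len is None if absent."""
    pattern, sep, tail = value.rpartition(";")
    if sep and tail.isdigit():
        return pattern, int(tail)
    return value, None


def section_matches(include, raw, is_path=True):
    """Model of a url/query section: normalize first (Note 2), then apply the
    ';number-of-chars' threshold (Note 3), then the '*' wildcard pattern."""
    pattern, min_len = parse_include(include)
    value = normalize(raw, is_path)
    # Note 3: the value must have MORE characters than number-of-chars.
    if min_len is not None and len(value) <= min_len:
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None


if __name__ == "__main__":
    include = '*abc*;500'  # Include value from the page's rule 4001
    samples = {  # constructed request URLs, not captured traffic
        "short": "/abc",
        "long": "/abc" + "x" * 600,
        "encoded pattern": "/%61bc" + "x" * 600,
        "encoded padding": "/abc" + "%41" * 200,  # 604 raw chars, 204 decoded
    }
    for name, url in samples.items():
        print(f"{name:16} raw_len={len(url):4} match={section_matches(include, url)}")
```

Under these assumptions the threshold is evaluated on the decoded value, so a signature author should pick number-of-chars against decoded request lengths rather than raw ones.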