McAfee HISCDE-AB-IA Product Guide - Page 41
Configuring IPS Policies
Define IPS protection

To...                                  Do this...

... Multiple.                          In the page that appears, select the settings for the three
                                       editable items, then click OK.

Add a signature                        Click New or New (Wizard).

Delete a custom signature              Under Actions, click Delete.
                                       NOTE: Only custom signatures can be deleted.

Copy a signature to another policy     Select a signature and click Copy To to copy it to another
                                       policy. Indicate the policy to which to copy the signature
                                       and click OK.
                                       NOTE: You can copy several signatures at one time by
                                       selecting all the signatures before clicking Copy To.

4 Click Save to save any changes.

Creating custom signatures

Create custom host intrusion prevention signatures from the Signatures tab of the IPS Rules policy to protect specific operations not covered by default signatures.

Task
For option definitions, click ? in the interface.

1 On the IPS Rules policy Signatures tab, click New. A blank Signature page appears.

2 On the signature's IPS Signature tab, type a name (required) and select the platform, severity level, log status, and whether to allow the creation of client rules. For severity level, client rules, and log status, select the checkbox to change the default values.

3 On the Description tab, type a description of what the signature is protecting. This description appears in the IPS Event when the signature is triggered.

4 On the Subrules tab, select New Standard Sub-Rule or New Expert Subrule to create a rule.

Standard method
The Standard method limits the number of types you can include in the signature rule.

1 Type a name for the signature (required) and choose a rule class type. Options include: Files, Hook, HTTP, Program, Registry, Services, and SQL.
2 Specify the class operations that are blocked and will trigger the signature.
3 Indicate whether to include or exclude a particular parameter, what the parameter is and its value.
4 Include an executable as a parameter with information on at least one of these four values:

Expert method
The Expert method, recommended only for advanced users, enables you to provide the rule syntax without limiting the number of types you can include in the signature. Before writing a rule, make sure you understand rule syntax.

1 Type the rule syntax for the signatures, which can include a name for the rule. Use ANSI format and TCL syntax.
2 Click OK and the rule is added to the list at the top of the Subrule tab. The rule is compiled and the syntax is verified. If the rule fails verification, a dialog box describing the error appears. Fix the error and verify the rule again.

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 41