McAfee 6.1 Marine Radio User Manual


 
McAfee® Host Intrusion Prevention 6.1 Product Guide
Writing Custom Signatures
Rule Structure
A rule that prevents a request to the web server with “subject” in the HTTP request
query has the following format:
Rule {
    Class Isapi
    Id 4001
    level 4
    query { Include "*subject*" }
    method { Include "GET" }
    time { Include "*" }
    application { Include "*" }
    user_name { Include "*" }
    directives -c -d isapi:request
}
See Windows Custom Signatures for an explanation of the various sections and values.
Mandatory common sections
A rule’s mandatory sections and their values include the items below. For mandatory
sections relevant to the class section that is selected, see the class section under
Windows, Unix, and Linux Custom Signatures. The keywords Include and Exclude are
used for all sections except for Id, level, and directives. Include means that the section
works on the value indicated, and Exclude means that the section works on all values
except the one indicated.
Section Name  Value                         Description
Class         Depends on operating system.  Indicates the class this rule applies to. See: Windows Custom Signatures, Solaris Custom Signatures, Linux Custom Signatures.
Id            4000 - 7999                   The unique ID number of the signature. The numbers are the ones available for custom rules.
level         0, 1, 2, 3, 4                 The security level of the signature: 0=Disabled, 1=White, 2=Yellow, 3=Orange, 4=Red.
time          {Include "*"}                 This section has this one value only.
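
A pre-deployment check for the mandatory common sections listed above, as an added example that is not part of the product guide or of McAfee's tooling. It assumes each section sits on its own line, as in the sample rule, and covers only the four sections described on this page; parse_rule, lint and SAMPLE_RULE are names made up for the illustration.

```python
import re

# Constructed sample: the ISAPI rule shown on this page, with straight quotes.
SAMPLE_RULE = '''Rule {
Class Isapi
Id 4001
level 4
query { Include "*subject*" }
method { Include "GET" }
time { Include "*" }
application { Include "*"}
user_name { Include "*" }
directives -c -d isapi:request
}'''

SCALAR = ("Class", "Id", "level", "directives")  # sections written without { }

def parse_rule(text):
    """Return {section: value}; braced sections become (keyword, value) lists."""
    # Assumption: one section per line inside a single Rule { ... } block.
    m = re.fullmatch(r"\s*Rule\s*\{(.*)\}\s*", text, re.S)
    if not m:
        raise ValueError("not a Rule { ... } block")
    body = m.group(1).replace("\u201c", '"').replace("\u201d", '"')
    rule = {}
    for line in filter(None, (l.strip() for l in body.splitlines())):
        name, _, rest = line.partition(" ")
        if name in SCALAR:
            rule[name] = rest.strip()
        else:
            rule[name] = re.findall(r'(Include|Exclude)\s+"([^"]*)"', rest)
    return rule

def lint(rule):
    """Check the mandatory common sections listed in the table above."""
    problems = []
    if not rule.get("Class"):
        problems.append("Class missing")
    if not rule.get("Id", "").isdigit() or not 4000 <= int(rule["Id"]) <= 7999:
        problems.append("Id must be 4000-7999")
    if rule.get("level") not in {"0", "1", "2", "3", "4"}:
        problems.append("level must be 0-4")
    if rule.get("time") != [("Include", "*")]:
        problems.append('time must be { Include "*" }')
    for name, value in rule.items():
        if name not in SCALAR and not value:
            problems.append(f"{name} has no Include/Exclude entry")
    return problems
```

An empty list from lint() means the rule satisfies the constraints documented here; class-specific mandatory sections are not checked.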