McAfee® Host Intrusion Prevention 6.1 Product Guide (page 166)
Writing Custom Signatures: Rule Structure
Use of Include and Exclude
When a section value is marked Include, the section applies only to the value given; when it is marked Exclude, the section applies to every value except the one given. The keyword and its value are enclosed in braces { ... }, and the value itself is enclosed in double quotes "...".
Section name: user_name
Value: {Include/Exclude "user or system account"}
Description: The users to whom the rule applies. Specify particular users, or use * to apply the rule to all users.
  Remarks for Windows:
  - Local user: <machine name>/<local user name>.
  - Domain user: <domain name>/<domain user name>.
  - Local system: Local/System. This is equivalent to NT Authority/System on Windows NT and to <domain>/<machine> on Windows 2000.
  - Some remotely initiated actions do not report the ID of the remote user; they run in the context of the local service and its user account instead. Plan your rules accordingly.
  - When a process runs in the context of a Null Session, both the user and the domain are reported as 'Anonymous'.
  On Solaris this section is case sensitive.

Section name: application
Value: {Include/Exclude "path and application name"}
Description: The full path of the process that performed the operation that generated the event. When the operation is remote, the application is the local service or server that handles the operation. Some local operations are handled as if they were remote; on Windows, for example, the application name is then the local service or server that handles the operation. Use * to apply the rule to all applications.
  On Solaris this section is case sensitive.

Section name: directives
Value: -c -d <operation type>
Description: The operation types are class dependent and are listed for each class in the later sections. The -c and -d switches are required.
Note
You can create a signature with multiple rules by adding one rule after another. Every rule in the same signature must have the same value in its id and level sections.
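To make the Include/Exclude semantics and the section syntax above concrete, here is an added Python example. It is not McAfee code and not the Host Intrusion Prevention rule engine; it is a toy matcher written for this page. It parses the user_name, application and directives sections out of constructed rule text, decides whether an event (user, application, operation) falls under the rule, applies the Solaris case-sensitivity remark, and checks the Note's requirement that rules grouped into one signature share the same id and level. The surrounding Rule/tag/Class/files lines, the files:create and files:write operation names, treating * inside a value as a wildcard, and normalizing doubled backslashes in paths are all assumptions made for illustration.

```python
"""Toy matcher for HIP-style rule sections (added example, not McAfee code)."""
import re
from dataclasses import dataclass

# Section syntax described in the guide: the keyword Include or Exclude inside
# braces, the value in double quotes, and a directives line carrying -c and -d.
SECTION_RE = re.compile(
    r'^\s*(?P<name>user_name|application)\s*\{\s*'
    r'(?P<mode>Include|Exclude)\s+"(?P<value>[^"]*)"\s*\}\s*$')
DIRECTIVES_RE = re.compile(r'^\s*directives\s+-c\s+-d\s+(?P<ops>\S.*?)\s*$')
ID_LEVEL_RE = re.compile(r'^\s*(?P<key>[Ii]d|level)\s+(?P<num>\d+)\s*$')


@dataclass(frozen=True)
class Selector:
    """The parts of one rule that decide which events it applies to."""
    rule_id: int
    level: int
    user_name: tuple      # (mode, value)
    application: tuple    # (mode, value)
    operations: frozenset


def parse_rule(text):
    """Extract id, level, user_name, application and directives from one rule.
    Class-specific sections such as files are ignored by this toy parser."""
    found = {}
    ops = None
    for line in text.splitlines():
        if (m := SECTION_RE.match(line)):
            # Assumption: paths in rule text use doubled backslashes; normalize.
            found[m['name']] = (m['mode'], m['value'].replace('\\\\', '\\'))
        elif (m := DIRECTIVES_RE.match(line)):
            ops = frozenset(m['ops'].split())
        elif (m := ID_LEVEL_RE.match(line)):
            found[m['key'].lower()] = int(m['num'])
    missing = {'id', 'level', 'user_name', 'application'} - set(found)
    if missing or ops is None:
        raise ValueError(f"rule is incomplete: missing {sorted(missing)}, "
                         f"directives={ops}")
    return Selector(found['id'], found['level'], found['user_name'],
                    found['application'], ops)


def _matches(pattern, actual, case_sensitive):
    """A lone '*' means all users / all applications, as the guide states.
    Assumption: a '*' inside a value acts as a wildcard in this toy."""
    if pattern == '*':
        return True
    regex = '^' + '.*'.join(re.escape(p) for p in pattern.split('*')) + '$'
    return re.match(regex, actual, 0 if case_sensitive else re.IGNORECASE) is not None


def _selects(section, actual, case_sensitive):
    mode, pattern = section
    hit = _matches(pattern, actual, case_sensitive)
    return hit if mode == 'Include' else not hit   # Exclude: everything but


def rule_applies(sel, user, application, operation, platform='windows'):
    """Does the rule fire for this event? On Solaris the user_name and
    application comparisons are case sensitive, per the guide's remark."""
    case_sensitive = platform == 'solaris'
    return (operation in sel.operations
            and _selects(sel.user_name, user, case_sensitive)
            and _selects(sel.application, application, case_sensitive))


def consistent_signature(rule_texts):
    """Rules placed in one signature must share the same id and level."""
    sels = [parse_rule(t) for t in rule_texts]
    return len({(s.rule_id, s.level) for s in sels}) == 1


# Constructed rule text. Rule/tag/Class/files and the operation names are
# assumptions standing in for a real class-specific rule.
RULE_A = r'''Rule {
  tag "Example_A"
  Class Files
  Id 4001
  level 4
  files { Include "C:\\secrets\\*.txt" }
  user_name { Include "*" }
  application { Exclude "C:\\Windows\\System32\\notepad.exe" }
  directives -c -d files:create files:write
}'''
RULE_B = RULE_A.replace('user_name { Include "*" }',
                        'user_name { Include "CORP/alice" }')
RULE_C = RULE_A.replace('level 4', 'level 2')   # breaks the same-level rule

if __name__ == '__main__':
    sel = parse_rule(RULE_A)
    for user, app, op in [('CORP/alice', r'C:\Windows\System32\cmd.exe', 'files:write'),
                          ('CORP/alice', r'C:\Windows\System32\notepad.exe', 'files:write')]:
        print(user, app, op, '->', rule_applies(sel, user, app, op))
```

The Exclude row is the one worth tracing: an event from cmd.exe falls under RULE_A because it is not the excluded notepad.exe, while a notepad.exe event does not, regardless of letter case on Windows. RULE_B shows the Solaris remark: corp/ALICE matches CORP/alice on Windows but not on Solaris.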