McAfee® Host Intrusion Prevention 6.1 Product Guide, Writing Custom Signatures, page 167
Rule Structure
For example, to monitor all the text files in C:\test\:
    files { Include "C:\\test\\*.txt" }
and to monitor all the files except the text files in C:\test\:
    files { Exclude "C:\\test\\*.txt" }
Combine the keywords to exclude values from a set of included values. To monitor all the text files in folder C:\test\ except file abc.txt:
    files { Include "C:\\test\\*.txt" }
    files { Exclude "C:\\test\\abc.txt" }
Each time you add the same section with the same keyword, you add an operation. To monitor any text file in folder C:\test\ whose name starts with the string "abc":
    files { Include "C:\\test\\*.txt" }
    files { Include "C:\\test\\abc*" }
Optional common sections
A rule’s common optional sections and their values include the item below. For optional
sections relevant to the class section that is selected, see the class section under
Windows, Unix, and Linux Custom Signatures. The keywords Include and Exclude are
used for both dependencies and attributes. Include means that the section works on
the value indicated, and Exclude means that the section works on all values except the
one indicated.
Use of the dependencies section
Add the optional section dependencies to prevent a more general rule from being triggered along with a more specific rule. For example, if there is one rule to monitor for a single text file in C:\test\
    files { Include "C:\\test\\abc.txt" }
as well as a rule to monitor all the text files in C:\test\
    files { Include "C:\\test\\*.txt" }
add the section dependencies to the more specific rule, basically telling the system not to trigger the more general rule if the specific rule is triggered:
    files { Include "C:\\test\\abc.txt" }
    dependencies -c -d "the general rule"
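To make the files and dependencies semantics concrete, here is an added Python model (example code, not McAfee's parser or the product's rule engine) that reads rule text in the syntax shown above and evaluates a path against a set of rules. It assumes, following the examples on this page, that repeated Include lines narrow the match (both patterns must hold), that Exclude lines remove matches (an Exclude with no Include means "everything except"), and that the quoted value after -c -d names the more general rule to suppress; the Rule, parse_rule, matches and triggered names are this example's own.

```python
import fnmatch
import re
from dataclasses import dataclass, field

# One custom signature rule: its name, its files-section operations, and the
# names of more general rules it suppresses via 'dependencies -c -d "<rule>"'.
@dataclass
class Rule:
    name: str
    includes: list = field(default_factory=list)
    excludes: list = field(default_factory=list)
    suppresses: list = field(default_factory=list)

_FILES = re.compile(r'files\s*\{\s*(Include|Exclude)\s+"([^"]+)"\s*\}')
_DEPS = re.compile(r'dependencies\s+-c\s+-d\s+"([^"]+)"')

def parse_rule(name: str, text: str) -> Rule:
    """Parse the files/dependencies lines of one rule written in the guide's
    syntax. The guide writes "\\\\" for one backslash, so values are unescaped."""
    rule = Rule(name)
    for keyword, value in _FILES.findall(text):
        pattern = value.replace("\\\\", "\\")
        (rule.includes if keyword == "Include" else rule.excludes).append(pattern)
    rule.suppresses = _DEPS.findall(text)
    return rule

def matches(rule: Rule, path: str) -> bool:
    """Assumed semantics: every Include pattern must match (repeated Includes
    narrow, as in the '*.txt' plus 'abc*' example) and no Exclude pattern may
    match. Matching is case-insensitive like Windows paths; note that '*' in
    fnmatch also crosses backslashes, which the real product may not do."""
    p = path.lower()
    if any(not fnmatch.fnmatchcase(p, i.lower()) for i in rule.includes):
        return False
    return not any(fnmatch.fnmatchcase(p, e.lower()) for e in rule.excludes)

def triggered(rules: list, path: str) -> set:
    """Names of rules that fire on path after applying dependencies: a rule
    named as a dependency of another firing rule is not triggered."""
    fired = {r.name for r in rules if matches(r, path)}
    suppressed = {s for r in rules if r.name in fired for s in r.suppresses}
    return fired - suppressed

# Constructed sample rule set (not from the guide), mirroring its examples.
RULES = [
    parse_rule("the general rule", 'files { Include "C:\\\\test\\\\*.txt" }'),
    parse_rule("specific rule",
               'files { Include "C:\\\\test\\\\abc.txt" }\n'
               'dependencies -c -d "the general rule"'),
    parse_rule("non-text files", 'files { Exclude "C:\\\\test\\\\*.txt" }'),
]
```

With these rules, C:\test\abc.txt fires only the specific rule because its dependency suppresses the general one, while any other .txt in the folder fires the general rule alone.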
Section value variables
Wildcards, meta-symbols, and predefined variables can be used as the value in the available sections.

Section        Value                                  Description
dependencies   -c -d {Include/Exclude id of a rule}   Defines dependencies between rules and prevents the triggering of dependent rules. Only switches -c and -d are used.