McAfee 6.1 Marine Radio User Manual


 
McAfee® Host Intrusion Prevention 6.1 Product Guide
Writing Custom Signatures
Rule Structure
Use of wildcards
You can use wildcards for some of the section values.

Character               What it represents
? (question mark)       A single character.
* (asterisk)            Multiple characters.
                        Example: user_name { Include "*" }
& (ampersand)           Multiple characters except / and \. Use to match the root-level contents of a folder but not any subfolders.
                        Example: files { Include "C:\\test\\&.txt" }
! (exclamation mark)    Wildcard escape.
                        Example: files { Include "C:\\test\\yahoo!!.txt" }

Use of environment variables
Use environment variables (the iEnv command with one parameter, the variable name) as shorthand to specify Windows file and directory path names.

Environment variable    What it represents
iEnv SystemRoot         C:\winnt\, where C is the drive that contains the Windows System folder.
                        For example: files { Include "[iEnv SystemRoot]\\system32\\abc.txt" }
iEnv SystemDrive        C:\, where C is the drive that contains the Windows System folder.
                        For example: files { Include "[iEnv SystemDrive]\\system32\\abc.txt" }

Use of predefined variables
Host Intrusion Prevention provides predefined variables for rule writing. These variables are preceded by “$” and are listed below.

Windows IIS Web Server
Variable         Meaning
IIS_BinDir       Directory where inetinfo.exe is located
IIS_Computer     Machine name that IIS runs on
IIS_Envelope     Includes all files that IIS is allowed to access
IIS_Exe_Dirs     Virtual directories that allow file execution, including system root and IIS root
IIS_Ftp_Dir      FTP site root directories
IIS_FTP_USR      Local FTP anonymous user account name
IIS_FtpLogDir    FTP log files directory
IIS_IUSR         Local web anonymous user account name
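
The wildcard characters listed under “Use of wildcards”, as an added example (not code from the product guide or from McAfee): a small Python translator from a section value to a regular expression, for checking which paths an Include value would cover before a signature is deployed. It assumes that “multiple characters” means zero or more, that “!” makes the following character literal, and that “\\” in rule text stands for one path separator; the function names and sample paths are constructed for illustration.

```python
import re

def section_value_to_regex(value):
    """Translate a section value, written as in a rule (backslashes doubled), to a regex."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        nxt = value[i + 1] if i + 1 < len(value) else ""
        if ch == "!":
            # Wildcard escape. Assumption: "!" makes the next character literal
            # (the guide only shows "!!" standing for a literal "!").
            if not nxt:
                raise ValueError("dangling wildcard escape '!' at end of value")
            out.append(re.escape(nxt))
            i += 2
            continue
        if ch == "\\" and nxt == "\\":
            # Assumption: a doubled backslash in rule text denotes one path separator.
            out.append(re.escape("\\"))
            i += 2
            continue
        if ch == "?":
            out.append(".")          # a single character
        elif ch == "*":
            out.append(".*")         # multiple characters (assumed: zero or more)
        elif ch == "&":
            out.append(r"[^/\\]*")   # multiple characters except / and \
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def covered(value, paths):
    """Return the paths that the section value matches in full."""
    rx = section_value_to_regex(value)
    return [p for p in paths if rx.fullmatch(p)]

# Constructed sample paths, not taken from the guide.
SAMPLE_PATHS = [
    r"C:\test\a.txt",
    r"C:\test\sub\a.txt",
    r"C:\test\yahoo!.txt",
    r"C:\test\yahooX.txt",
]

if __name__ == "__main__":
    for value in (r"C:\\test\\&.txt", r"C:\\test\\*.txt", r"C:\\test\\yahoo!!.txt"):
        print(value, "->", covered(value, SAMPLE_PATHS))
```

Under these assumptions the & value leaves C:\test\sub\a.txt uncovered while the * value includes it, which is the difference to check when a rule is meant to protect a whole directory tree.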