McAfee® Host Intrusion Prevention 6.1 Product Guide
Writing Custom Signatures

Windows Custom Signatures
This topic describes how to write Windows custom signatures.
The class section value depends on the nature of the security issue and on the
protection the rules can offer. For Windows these values are available:

Class      When to use
Files      For file or directory operations. See Class Files.
Isapi      For monitoring requests to IIS. See Class Isapi.
Registry   For Registry key and value operations. See Class Registry.
Services   For Services operations. See Class Services.

Class Files

The following table lists the possible sections of the class Files.

Note: Rules in the Windows class Files use double slashes and rules in the
Solaris class UNIX_Files use a single slash.

Section            Values                                  Notes
Class              Files
Id                 4000 - 7999
level              0, 1, 2, 3, 4
time               *
user-name          user or system account
application        path + application name
files              Files or folders involved in the        See Note 1, 2
                   operation
dest_file          Destination file, if the operation      This section is optional.
                   involves source and destination files   See Note 1, 2
directives -c -d   files:create                            Create file directly, or move file
                                                           into directory
                   files:read                              Open the file in Read mode
                   files:write                             Open the file in Write mode
                   files:execute                           Execute file (executing a directory
                                                           means that this directory will
                                                           become the current directory)
                   files:delete                            Delete file from a directory, or
                                                           move it to another directory
                   files:rename                            Rename a file in the same directory;
                                                           see Note 2
                   files:attribute                         Change the file attributes.
                                                           Monitored attributes are
                                                           “Read-only”, “Hidden”, “Archive”
                                                           and “System”. The Windows 2000
                                                           only attributes “Index”,
                                                           “Compress” and “Encrypt” are not
                                                           monitored.