McAfee 6.1 Marine Radio User Manual


 
McAfee® Host Intrusion Prevention 6.1 Product Guide
A: Writing Custom Signatures, Windows Custom Signatures
Class Isapi
The following table lists the possible sections of the class Isapi.
Note 1
An incoming HTTP request can be represented as http://www.myserver.com/{url}?{query}. In this document, we refer to {url} as the “url” part of the HTTP request and {query} as the “query” part of the HTTP request. Using this naming convention, the section “url” is matched against {url} and the section “query” is matched against {query}.
For example, the following rule is triggered if IIS receives the HTTP request http://www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean:
Rule {
    Class Isapi
    Id 4001
    level 1
    url { Include "*abc*" }
    time { Include "*" }
    application { Include "*" }
    user_name { Include "*" }
    directives -c -d isapi:request
}
This rule is triggered because {url}=/search/abc.exe, which matches the value of the
section “url” (i.e. abc).
Note 2
Before matching is done, the sections “url” and “query” are decoded and normalized, so that a request cannot avoid a match by being filled with encoding or escape sequences.
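The matching described in Notes 1 and 2, modelled as an added Python example (not McAfee's code and not part of the original guide). The normalization steps (repeated percent-decoding, separator and dot-segment collapsing), the shell-style handling of "*", and the names normalize, sections and rule_matches are assumptions made for illustration.

```python
import fnmatch
import posixpath
from urllib.parse import unquote, urlsplit

# Section pattern copied from rule 4001 on this page; the dict layout is hypothetical.
RULE_4001 = {"url": "*abc*"}

def normalize(part):
    """Assumed normalization: percent-decode until the value stops changing."""
    previous = None
    while previous != part:  # a second pass catches double encoding such as %2561
        previous, part = part, unquote(part)
    return part

def sections(request, decode=True):
    """Split a request into the {url} and {query} parts described in Note 1."""
    parts = urlsplit(request)
    url, query = parts.path, parts.query
    if decode:
        url, query = normalize(url), normalize(query)
        # Assumed: backslashes and ./ ../ segments are collapsed as well.
        url = posixpath.normpath(url.replace("\\", "/")) if url else "/"
    return {"url": url, "query": query}

def rule_matches(rule, request, decode=True):
    """True when every section listed in the rule matches its part of the request."""
    parts = sections(request, decode)
    return all(fnmatch.fnmatchcase(parts[name], pattern)
               for name, pattern in rule.items())

# Constructed sample requests; only the first appears on the page.
SAMPLES = [
    "http://www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean",
    "http://www.myserver.com/search/%61%62%63.exe?subject=wildlife",
    "http://www.myserver.com/search/%2561bc.exe",
    "http://www.myserver.com/search/index.html?file=abc",
]

if __name__ == "__main__":
    # Columns: match after normalization, match on the raw request, request.
    for request in SAMPLES:
        print(rule_matches(RULE_4001, request),
              rule_matches(RULE_4001, request, decode=False), request)
```

The last sample does not trigger the rule because "abc" appears only in {query}, and rule 4001 has no "query" section.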
Section      Values                                Notes
Class        Isapi
Id           4000 - 7999
level        0, 1, 2, 3, 4
time         *
user_name    user or system account
application  path + application name
url                                                This section is optional. It is matched against the url
                                                   part of an incoming request; see notes 1, 2, 3, 4.
query                                              This section is optional. It is matched against the query
                                                   part of an incoming request; see notes 1, 2, 3, 4.
method       "GET", "POST", "INDEX" and all other  This section is optional. See note 4.
             allowed http methods
directives   -c -d isapi:request