Filter
Top Products
175
McAfee
®
Host Intrusion Prevention 6.1 Product Guide Writing Custom Signatures
Windows Custom Signatures
A
Rule {
Class Isapi
Id 4001
level 4
query { Include “*subject*” }
method { Include “GET” }
time { Include “*” }
application { Include “*”}
user_name { Include “*” }
directives -c -d isapi:request
}
For example, the GET request http://www.myserver.com/test/
abc.exe?subject=wildlife&environment=ocean would be prevented by this rule.
The various sections of this rule have the following meaning:
Class Isapi: indicates that this rule relates to the Isapi operations class.
Id 4001: Assigns the ID 4001 to this rule. If the custom signature had multiple rules,
every one of these rules would need to use the same ID.
level 4: Assigns the Security Level ‘high’ to this rule. If the custom signature had
multiple rules, every one of these rules would need to use the same level.
query { Include “*subject*” }: Indicates that the rule matches any (GET) request that
contains the string “subject” in the query part of the http request. If the rule were
to cover multiple query parts files, you would add them in this section in different
lines.
method { Include “GET” }: Indicates that the rule can only match GET requests
time { Include “*” }: This section is currently not used, but must be included in this
way in the rule.
application { Include “*”}: Indicates that this rule is valid for all processes. If you’d
want to limit your rule to specific processes, you would spell them out here,
complete with their path name.
user_name { Include “*” }: Indicates that this rule is valid for all users (or more
precisely, the security context in which a process runs). If you’d want to limit your
rule to specific user contexts, you would spell them out here in the form Local/user
or Domain/user. See paragraph “Mandatory Common Sections” for details.
directives -c -d isapi:request: Indicates that this rule covers an http request. The
switches –c and –d must always be used in the directives section.