McAfee® Host Intrusion Prevention 6.1 Product Guide, page 177
Writing Custom Signatures: Windows Custom Signatures

Advanced Details
Some or all of the following parameters appear in the Advanced Details tab of security
events for the class Registry. The values of these parameters can help you understand
why a signature is triggered.

GUI Name            Explanation
Registry Key        Name of the registry key affected, including the path name. The prefix
                    \REGISTRY\MACHINE\ stands for HKEY_LOCAL_MACHINE\, and
                    \REGISTRY\CURRENT_USER\ stands for \HKEY_USER\.
Registry Value(s)   Name of the registry value concatenated with the full name of its key.
old data            Only applicable for registry value changes: data that a registry value
                    contained before it was changed or attempted to be changed.
New Data            Only applicable for registry value changes: data that a registry value
                    contains after it was changed, or would contain if the change went
                    through.
old data type       Only applicable for registry value changes: type of data that a registry
                    value contained before it was changed or attempted to be changed.
new data type       Only applicable for registry value changes: type of data that a registry
                    value contains after it was changed, or would contain if the change
                    went through.

Example
The following rule would prevent anybody and any process from deleting the registry
value "abc" under registry key
"\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa":

    Rule {
      Class Registry
      Id 4001
      level 4
      values { Include "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\\Control\\Lsa\\abc" }
      time { Include "*" }
      application { Include "*" }
      user_name { Include "*" }
      directives -c -d registry:delete
    }

The various sections of this rule have the following meaning:
Class Registry: indicates that this rule relates to registry operations.
Id 4001: assigns the ID 4001 to this rule. If the custom signature had multiple rules,
every one of these rules would need to use the same ID.
level 4: assigns the security level 'high' to this rule. If the custom signature had
multiple rules, every one of these rules would need to use the same level.
values { Include "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\\Control\\Lsa\\abc" }:
indicates that the rule monitors registry value abc under registry key
"\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa". If the rule were to
cover multiple values, you would add them in this section on separate lines.
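As an added illustration written for this page (not McAfee's code, and not a tool the guide describes), the following Python parser reads the Rule { ... } syntax shown in the example, accepting braced sections written on one line or spread over several lines, applies the guide's constraint that every rule of one custom signature shares the same Id and level, and maps the \REGISTRY\MACHINE\ prefix to HKEY_LOCAL_MACHINE\ as the Advanced Details table describes. The sample signature (a second value added, backslashes consistently doubled) and all function names are constructed here.

```python
import re
# Constructed sample, modelled on the guide's example rule, with a second value
# added on its own line (the guide says multiple values are listed that way).
SAMPLE = r'''
Rule {
  Class Registry
  Id 4001
  level 4
  values {
    Include "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\\Control\\Lsa\\abc"
    Include "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\\Control\\Lsa\\def"
  }
  time { Include "*" }
  application { Include "*" }
  user_name { Include "*" }
  directives -c -d registry:delete
}
'''
INCL_RE = re.compile(r'(Include|Exclude)\s+"([^"]*)"')

def parse_signature(text):
    """Parse each Rule { ... } block into a dict: braced sections (values, time, ...)
    become lists of (Include|Exclude, pattern); scalar keys keep their raw string."""
    rules, rule, section = [], None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if rule is None:                       # waiting for the next "Rule {"
            rule = {} if re.fullmatch(r"Rule\s*\{", line) else None
        elif section:                          # inside a multi-line braced section
            if line == "}": section = None
            else: rule[section].extend(INCL_RE.findall(line))
        elif line == "}":                      # end of this Rule block
            rules.append(rule); rule = None
        else:
            key, _, rest = map(str.strip, line.partition(" "))
            braced = rest.startswith("{")      # values/time/application/user_name
            rule[key] = INCL_RE.findall(rest) if braced else rest
            section = key if braced and not rest.endswith("}") else None
    return rules

def check_signature(rules):
    """The guide's constraint: every rule of one custom signature shares Id and level."""
    return [f"{f} differs across rules: {sorted({r.get(f) for r in rules})}"
            for f in ("Id", "level") if len({r.get(f) for r in rules}) > 1]

def gui_key_name(pattern):
    # Unescape the signature path and map the native hive prefix to the name
    # the Advanced Details tab shows, as the table above describes.
    path = pattern.replace("\\\\", "\\")
    native, hive = "\\REGISTRY\\MACHINE\\", "HKEY_LOCAL_MACHINE\\"
    return hive + path[len(native):] if path.upper().startswith(native) else path
```

Feeding a signature whose rules disagree on level (for instance the sample concatenated with a copy that says level 3) makes check_signature report the mismatch, which is the error the guide warns about.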