Filter
Top Products
184
McAfee
®
Host Intrusion Prevention 6.1 Product Guide Writing Custom Signatures
Solaris Custom Signatures
A
For example the following rule would be triggered if the http request http://
www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean
would
be received by IIS:
Rule {
Class UNIX_apache
Id 4001
level 1
url { Include “*abc*” }
time { Include “*” }
application { Include “*”}
user_name { Include “*” }
directives -c -d apache:request
}
This rule is triggered because {url}=/search/abc.exe, which matches the value of the
section “url” (namely. abc).
Note 2
Before matching is done, sections “url” and “query” are decoded and normalized so
that requests cannot be filled with encoding or escape sequences.
Note 3
A maximum length restriction can be defined for the sections “url” and “query”. By
adding “
;number-of-chars” to the value of these sections, the rule can only match if
the {url} or {query} have more characters than “number-of-chars”. For example, the
following rule will match if the url part of the request contains “abc” and the url part of
the request has over 500 characters:
Rule {
Class UNIX_Apache
Id 4001
level 1
url { Include “*abc*;500” }
time { Include “*” }
application { Include “*”}
user_name { Include “*” }
directives -c -d apache:request}
}
Note 4
A rule needs to contain at least one of the optional sections url, query, method.