Appendix A - Writing Custom Signatures And Exceptions; Rule Structure - McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual

Product guide for use with epolicy orchestrator 4.5

Appendix A — Writing Custom Signatures and Exceptions
This section describes the structure of IPS signatures, including a list of classes, parameters, and directives, and provides information on how to create custom signatures for the various client platforms. This information can also be used when working with the advanced details page for exceptions.
Contents
  Rule structure
  Windows custom signatures
  Non-Windows custom signatures
Rule structure
Every signature contains one or more rules written in ANSI Tool Command Language (TCL)
syntax. Each rule contains mandatory and optional sections, with one section per line. Optional
sections vary according to the operating system and the class of the rule. Each section defines
a rule category and its value. One section always identifies the class of the rule, which defines
the rule's overall behavior.
The basic structure of a rule is the following:
Rule {
  SectionA value
  SectionB value
  SectionC value
  ...
}
NOTE: Be sure to review the syntax for writing strings and escape sequences in TCL before attempting to write custom rules. A quick review of any standard reference on TCL should ensure that you enter proper values correctly.
A rule that prevents a request to the web server whose HTTP request query contains "subject" has the following format:
Rule {
  Class Isapi
  Id 4001
  level 4
  query { Include *subject* }
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
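The following is an added example, not code from the McAfee product guide: a minimal Python parser for the brace-delimited Rule { ... } layout described above, with a matcher that tests an HTTP query string against the rule's query { Include ... } section. It assumes a complete rule (the page's example is cut off, so the closing brace and the sample rule are constructed here), handles only the sections shown on the page, treats an Exclude list as an assumed counterpart to Include, and uses a plain case-sensitive glob for matching.

```python
import fnmatch
import re

# Constructed sample rule: only the sections shown on the page, with the
# closing brace assumed (the page's own example is cut off at a page break).
SAMPLE_RULE = """Rule {
    Class Isapi
    Id 4001
    level 4
    query { Include *subject* }
}"""


def _tokenize(line):
    """Split one rule line into bare words and single-level brace groups."""
    return re.findall(r"\{[^{}]*\}|\S+", line)


def parse_rule(text):
    """Parse a Rule { ... } block into a dict, one section per line.

    Plain sections map to their string value; braced sections such as
    'query { Include *subject* }' map to {'Include': ['*subject*']}.
    """
    m = re.fullmatch(r"Rule\s*\{(.*)\}", text.strip(), re.S)
    if not m:
        raise ValueError("not a Rule { ... } block")
    sections = {}
    for line in m.group(1).splitlines():
        tokens = _tokenize(line)
        if not tokens:
            continue
        name, value = tokens[0], " ".join(tokens[1:])
        if value.startswith("{"):
            inner = value[1:-1].split()          # e.g. ['Include', '*subject*']
            sections[name] = {inner[0]: inner[1:]} if inner else {}
        else:
            sections[name] = value
    return sections


def query_matches(rule, query_string):
    """True when the query string hits an Include glob and no Exclude glob.

    'Exclude' is an assumed counterpart to Include; the page shows only Include.
    """
    spec = rule.get("query", {})
    hit = any(fnmatch.fnmatchcase(query_string, p) for p in spec.get("Include", []))
    excluded = any(fnmatch.fnmatchcase(query_string, p) for p in spec.get("Exclude", []))
    return hit and not excluded
```

Running parse_rule(SAMPLE_RULE) and then query_matches(rule, "id=7&subject=hello") shows which requests the example rule would block.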