Common Sections - McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual

Product guide for use with epolicy orchestrator 4.5
Appendix A — Writing Custom Signatures and Exceptions
Rule structure
  method { Include GET }
  time { Include * }
  Executable { Include * }
  user_name { Include * }
  directives isapi:request
}
See Windows custom signatures and Non-Windows custom signatures for an explanation of the various sections and values.

Common sections

A rule's most common sections and their values include the items below. For sections relevant to the selected class section, see the class section under Windows or Non-Windows custom signatures. The keywords Include and Exclude are used for all sections except for tag, Id, level, and directives. Include means that the section works on the value indicated, and Exclude means that the section works on all values except the one indicated.

NOTE: All section names on all platforms are case-sensitive. Values for sections are case-sensitive on non-Windows platforms only.
Section: Class
Value: Depends on operating system. Indicates the class this rule applies to.
Description: See Windows custom signatures or Non-Windows custom signatures.

Section: tag
Value: Name of the rule in quotes "..."
Description: Name of the subrule.

Section: Id
Value: 4000 - 5999
Description: The unique ID number of the signature. The numbers are the ones available for custom rules.

Section: level
Value: 0, 1, 2, 3, 4
Description: The severity level of the signature: 0=Disabled, 1=Log, 2=Low, 3=Medium, 4=High.

Section: user_name
Value: {Include/Exclude user's name or system account}
Description: The users to whom the rule applies. Specify particular users or all users.
Remarks for Windows:
For local user: use <machine name>/<local user name>.
For domain user: use <domain name>/<domain user name>.
For local system: use Local/System.
Some remotely initiated actions do not report the ID of the remote user, but use the local service and its user context instead. You need to plan accordingly when developing rules. When a process occurs in the context of a Null Session, the user and domain are 'Anonymous'. If a rule applies to all users, use *. On UNIX, this section is case-sensitive.

102
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
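As an added example (not McAfee code and not the product's own parser), the following Python reads a rule in the format of the fragment above and checks its common sections against the table: section names are case-sensitive, Include/Exclude appears only where the table allows it, Id lies within 4000 - 5999 and level within 0 - 4. Because the fragment starts mid-rule, the head lines (Rule {, tag, Class, Id, level) and the bare "Class Isapi" form are assumptions, and the sample rule is constructed.

```python
import re
# Added example, not McAfee code; SAMPLE is constructed and its head lines (Rule {, tag, Class, Id, level) are assumed.
ID_RANGE = range(4000, 6000)                      # Ids available for custom rules: 4000 - 5999
LEVELS = {0: "Disabled", 1: "Log", 2: "Low", 3: "Medium", 4: "High"}
NO_CLAUSE = {"tag", "Id", "level", "directives"}  # sections that never take Include/Exclude
KNOWN = NO_CLAUSE | {"Class", "user_name", "Executable", "time", "method"}
CLAUSE_RE = re.compile(r"^(\w+)\s*\{\s*(Include|Exclude)\s+(.+?)\s*\}$")
BARE_RE = re.compile(r"^(\w+)\s+(.+?)$")

def parse_rule(text):
    """Parse one 'Rule { ... }' block into {section: value}; clause sections map to (mode, value)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or lines[0] != "Rule {" or lines[-1] != "}":
        raise ValueError("rule must be wrapped in 'Rule {' ... '}'")
    rule = {}
    for line in lines[1:-1]:
        if m := CLAUSE_RE.match(line):            # e.g. method { Include GET }
            rule[m.group(1)] = (m.group(2), m.group(3))
        elif m := BARE_RE.match(line):            # e.g. Id 4001, tag "Sample"
            rule[m.group(1)] = m.group(2).strip('"')
        else:
            raise ValueError(f"unparseable line: {line!r}")
    return rule

def validate(rule):
    """Return a list of problems (empty means the common sections are consistent with the table)."""
    problems, by_lower = [], {k.lower(): k for k in KNOWN}
    for name, value in rule.items():
        canon = by_lower.get(name.lower())
        if canon and canon != name:               # 'id' is not 'Id' on any platform
            problems.append(f"{name}: section names are case-sensitive, use {canon}")
        elif canon in NO_CLAUSE and isinstance(value, tuple):
            problems.append(f"{name}: does not take Include/Exclude")
        elif canon and canon not in NO_CLAUSE | {"Class"} and not isinstance(value, tuple):
            problems.append(f"{name}: needs {{ Include ... }} or {{ Exclude ... }}")
    for name, ok in (("Id", lambda n: n in ID_RANGE), ("level", lambda n: n in LEVELS)):
        if isinstance(v := rule.get(name), str) and not (v.isdigit() and ok(int(v))):
            problems.append(f"{name} {v}: outside the allowed values")
    problems += [f"missing section {n}" for n in ("tag", "Class", "Id", "level") if n not in rule]
    return problems

SAMPLE = """Rule {
  tag "Sample ISAPI rule"
  Class Isapi
  Id 4001
  level 4
  method { Include GET }
  directives isapi:request
}"""
```

Class-specific sections the table does not list (for example the ISAPI ones) are passed through without checks; `validate(parse_rule(SAMPLE))` returns an empty list for the constructed sample.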
