McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual page 114

Product guide for use with ePolicy Orchestrator 4.5

Appendix A — Writing Custom Signatures and Exceptions
Windows custom signatures
Section       Values                                        Notes
method        GET, POST, INDEX or any other allowed         One of the required parameters. See Note 4.
              HTTP method
directives    isapi:request                                 For all three types of incoming http requests.
              isapi:requrl                                  For url requests.
              isapi:reqquery                                For query requests.
              isapi:rawdata                                 For raw data requests.
              isapi:response                                For request response.

Note 1
An incoming http request can be represented as http://www.myserver.com/{url}?{query}. In
this document, {url} is referred to as the "URL" part of the http request and {query} as the "query"
part of the http request. Using this naming convention, the section "url" is matched against
{url} and the section "query" is matched against {query}. For example, the following rule is
triggered if IIS receives the http request
http://www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean:

Rule {
   tag "Sample6"
   Class Isapi
   Id 4001
   level 1
   url { Include "*abc*" }
   Executable { Include "*" }
   user_name { Include "*" }
   directives isapi:request
}

This rule is triggered because {url} is /search/abc.exe, which matches the value "*abc*" of the
section "url" (i.e. any string containing abc).

Note 2
Before matching is done, the sections "url" and "query" are decoded and normalized, so that a
request cannot evade the match by padding the URL or query with encoding or escape sequences.

Note 3
A length restriction can be defined for the sections "url" and "query". By appending
";number-of-chars" to the value of these sections, the rule matches only if {url} or {query}
has more characters than "number-of-chars". For example, "abc*;500" matches strings
containing 'abc' that are 500 characters or more, whereas "*abc;xyz*;" matches any string
containing 'abc;xyz' regardless of length.

Note 4
A rule must contain at least one of the optional sections url, query, or method.

114
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
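The following is an added illustration, not McAfee's matching engine, of the url/query semantics described in Notes 1 to 4 (split the request into {url} and {query}, decode and normalize before matching, honour an optional ";number-of-chars" suffix, and require one of url/query/method). Case-insensitive matching, repeated percent-decoding as the normalization step, and the "500 characters or more" reading of the length suffix are assumptions; the rule is expressed as a plain dict with the Include keyword implied.

```python
import fnmatch
import re
import urllib.parse


def split_request(request_url):
    """Split http://host/{url}?{query} into the {url} and {query} parts (Note 1)."""
    parts = urllib.parse.urlsplit(request_url)
    return parts.path, parts.query


def normalize(value):
    """Percent-decode until the value is stable, so double encoding such as %2561
    collapses to 'a', then fold case (Note 2). Both steps are assumptions here."""
    previous = None
    while previous != value:
        previous, value = value, urllib.parse.unquote(value)
    return value.lower()


def parse_section_value(pattern):
    """Split 'abc*;500' into ('abc*', 500). A trailing ';' with no digits only
    terminates the pattern, so '*abc;xyz*;' keeps its literal ';' and has no
    length restriction (Note 3)."""
    match = re.fullmatch(r"(.*);(\d*)", pattern)
    if match:
        return match.group(1), int(match.group(2) or 0)
    return pattern, 0


def section_matches(pattern, value):
    """True when the normalized value satisfies both the wildcard and the length."""
    glob, min_len = parse_section_value(pattern)
    value = normalize(value)
    return len(value) >= min_len and fnmatch.fnmatchcase(value, glob.lower())


def rule_fires(rule, request_url, method="GET", executable="w3wp.exe", user_name="IUSR"):
    """Evaluate every matchable section of a rule dict against one request;
    all present sections must match. Note 4: url, query or method is required."""
    if not any(key in rule for key in ("url", "query", "method")):
        raise ValueError("rule needs at least one of url, query, method")
    url, query = split_request(request_url)
    observed = {"url": url, "query": query, "method": method,
                "Executable": executable, "user_name": user_name}
    return all(section_matches(pattern, observed[name])
               for name, pattern in rule.items() if name in observed)


# Sample6 from Note 1 as a dict; tag/Class/Id/level/directives are not matched on.
SAMPLE6 = {"url": "*abc*", "Executable": "*", "user_name": "*"}
```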