1. Manuals
  2. Brands
  3. McAfee Manuals
  4. Software
  5. HISCDE-AB-IA - Host Intrusion Prevention
  6. Product manual

McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual page 115

Product guide for use with epolicy orchestrator 4.5
Hide thumbs
Table of Contents

Advertisement

Appendix A — Writing Custom Signatures and Exceptions
Windows custom signatures
Advanced details
Some or all of the following parameters appear in the Advanced Details tab of security events
for the class Isapi. The values of these parameters can help you understand why a signature
is triggered.
GUI name
url
query
web server type
method
local file
raw url
user
source
server
content len
The following rule would prevent a request to the web server that has "subject" in the query
part of the HTTP request:
Rule {
tag "Sample7"
Class Isapi
Id 4001
level 1
query { Include "*subject*" }
method { Include "GET" }
Executable { Include "*"}
user_name { Include "*" }
directives isapi:request
}
For example, the GET request http://www.myserver.com/test/
abc.exe?subject=wildlife&environment=ocean would be prevented by this rule.
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
Explanation
Decoded and normalized location part of an incoming HTTP
request (the part before the '?').
Decoded and normalized query part of an incoming HTTP
request (the part after the first '?').
Type and version of the Web server application used.
Method of the incoming HTTP request (for example, Get,
Put, Post, and Query).
Physical name of the file that is retrieved or attempted to
be retrieved by the request. Decoded and normalized under
IIS.
"Raw" (undecoded and not normalized) Request Line of
the incoming HTTP request. Request Line is "<method>
<location[?query]> <http version> CRLF".
User name of the client making the request; only available
if the request is authenticated.
Client name or IP address of the computer where the HTTP
request originated. The address contains three parts: host
name: address: port number.
Information about the Web server where the event is
created (that's the machine where the client is installed)
in the manner <host name>:<IP address>:<port>. The
host name is the host variable from the HTTP header; it
is left blank if not available.
Number of bytes in the body of the message part of the
query.
115

Advertisement

Table of Contents
loading

Related Manuals for McAfee HISCDE-AB-IA - Host Intrusion Prevention

Related Products for McAfee HISCDE-AB-IA - Host Intrusion Prevention

This manual is also suitable for:

Host intrusion prevention 8.0

Table of Contents