Classes And Directives Per Windows Platform - McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual

Product guide for use with ePolicy Orchestrator 4.5

Appendix A — Writing Custom Signatures and Exceptions
Windows custom signatures
| Section | Values | Notes |
|---|---|---|
| db_user_name | Name of the user if SQL authentication was used, and "Trusted User" if Windows authentication is used. | Example: sa |
| sp_name | Stored procedure name. | This should match a stored procedure name. A stored procedure is identified by a supplied list of procedure names that is included for every SQL agent release (currently SPList.txt in the Agent directory). |
| sp_param_char_len_one... | Contains the length of the parameter in number of characters. | |
| sp_param_one... | Contains the value of the parameter. | |
| sp_param_orign_len-one... | Contains the length of the parameter in number of bytes. | |
| sql_line_comment | This value is set to 1 if the query includes a single line comment "-" containing a single quote. | |
| sql_original_query | This contains the full SQL query exactly as it was received (including strings and whitespaces). | |
| sql_query | This is the SQL query string with string values, whitespaces, and everything behind the comments stripped out. | |
| sql_user_password | This is set to 1 if the password is NULL and 0 otherwise. | This is always set to 0 for non-SQL users. |
| transport | On MSSQL 2005/2008, this is hard coded to: Shared memory (LPC). | |
| directives | sql:request. | For incoming SQL requests |

Classes and directives per Windows platform

A list of the effective classes and directives per Windows platform:
• Windows XP, SP2, SP3, 32- and 64-bit (XP)
• Windows 2003, R2, R2 SP2, 32- and 64-bit (2K3)
• Windows Vista, 32- and 64-bit (V)
• Windows 2008 R2, 32- and 64-bit (2K8)
• Windows 7, 32- and 64-bit (7)

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
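
The relationship between the sql_original_query, sql_query and sql_line_comment values described for the SQL section names can be approximated in a few lines. This is an added example, not code from the product guide or from McAfee; the function name derive_fields, the sample queries, and the exact stripping rules (T-SQL "--" as the single-line comment marker, removal of all whitespace, '' as an escaped quote inside a literal) are assumptions.

```python
# Added illustration, not McAfee's code. Approximates how the sql_query and
# sql_line_comment values relate to sql_original_query. Assumptions: T-SQL
# "--" starts a single-line comment, the marker itself is dropped, all
# whitespace is removed, and '' inside a literal is an escaped quote.

def derive_fields(sql_original_query):
    q, n = sql_original_query, len(sql_original_query)
    kept = []          # characters that survive into the stripped query
    comment_quote = 0  # 1 if a single-line comment contains a single quote
    i = 0
    while i < n:
        if q[i] == "'":                        # string literal: drop it
            i += 1
            while i < n:
                if q[i] == "'":
                    if q[i + 1:i + 2] == "'":  # doubled quote stays inside
                        i += 2
                        continue
                    break
                i += 1
            i += 1                             # step past the closing quote
        elif q.startswith("--", i):            # comment: drop to end of line
            end = q.find("\n", i)
            end = n if end == -1 else end
            if "'" in q[i:end]:
                comment_quote = 1
            i = end
        else:
            if not q[i].isspace():
                kept.append(q[i])
            i += 1
    return {"sql_query": "".join(kept), "sql_line_comment": comment_quote}

# Constructed sample requests (not from the product guide).
SAMPLES = [
    "SELECT name FROM users WHERE id = 'abc'  -- lookup",
    "SELECT * FROM t WHERE a = 'x' -- it's fine\nAND b = 1",
    "SELECT name FROM users WHERE id = 'O''Brien'",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", derive_fields(s))
```

Under these assumptions the first and third samples produce the same stripped query even though their literal values differ, while the full text of each request remains available only in sql_original_query.
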
This manual is also suitable for:

Host intrusion prevention 8.0