Non-Windows Custom Signatures; Solaris/Linux Class Unix_File - McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual

Product guide for use with ePolicy Orchestrator 4.5

Appendix A — Writing Custom Signatures and Exceptions

Non-Windows custom signatures
This section describes how to write custom signatures for the Solaris and Linux platforms.
NOTE: Rules in the Windows class Files use double slashes, while rules in the non-Windows class UNIX_file use a single slash.
The class of the signature depends on the nature of the security issue and the protection the
signature can offer. For Solaris and Linux, these classes are available:
| Class | When to use |
|---|---|
| UNIX_file | For file or directory operations on Solaris and Linux. |
| UNIX_apache | For http requests on Solaris and Linux. |
| UNIX_Misc | For safeguarding access protection on Solaris and Linux. |
| UNIX_bo | For buffer overflow. Solaris only. |
| UNIX_map | For mapping files or devices into memory. Solaris only. |
| UNIX_GUID | For allowing users to run an executable with the permissions of the executable's owner or group. Solaris only. |

Solaris/Linux class UNIX_file

The following table lists the possible sections and values for the Unix-based class UNIX_file:

| Section | Values | Notes |
|---|---|---|
| Class | UNIX_file | |
| Id, level, time, user_name, Executable | See Common sections. | |
| files | File or folder involved in the operation | One of the required parameters. Files to look for. See Note 1. |
| source | Target file names | One of the required parameters. See Note 1. |
| file | List of permissions of source file names | Solaris Only. Optional. See Note 2. |
| new | Permission mode of newly created file or modified permission | Solaris Only. Optional. See Note 2. |
| zone | Name of the zone to which the signature applies | Solaris 10 or later. See Note 5. |
| directives | unixfile:chdir | Changes the working directory. |
| | unixfile:chmod | Changes the permissions on a directory or file. |
| | unixfile:chown | Changes the ownership of a directory or file. |
| | unixfile:create | Creates a file. |

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
