McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual page 129

Product guide for use with ePolicy Orchestrator 4.5
Appendix A — Writing Custom Signatures and Exceptions
Non-Windows custom signatures
Note 3
The directive unixfile:link has a different meaning when combined with section files and section source:
• Combined with section files, it means that creating a link to the file in the section files is monitored.
• Combined with section source, it means that no link can be created with the name as specified in the section source.
Note 4
The directive unixfile:rename has a different meaning when combined with section files and section source:
• Combined with section files, it means that renaming of the file in the section files is monitored.
• Combined with section source, it means that no file can be renamed to the file in the section source.
Note 5
By default, all zones are protected by the signature. To restrict protection to a particular zone, add a zone section in the signature and include the name of the zone.
For example, if you have a zone named "app_zone" whose root is /zones/app, then the rule:
    Rule {
        ...
        file { Include "/tmp/test.log" }
        zone { Include "app_zone" }
        ...
    }
would apply only to the file in the zone "app_zone" and not in the global zone.
Note that in this release, web server protection cannot be restricted to a particular zone.
Advanced details
Some or all of the following parameters appear in the Advanced Details tab of security events for the class UNIX_file. The values of these parameters can help you understand why a signature is triggered.
GUI name: Explanation
files: Name of the file that was accessed or attempted to be accessed.
source: Only applicable when the operation is the creation of a symbolic link between files (name of the new link) or the renaming of a file (new name of the file).
file permission: Permissions of the file.
source permission: Only applicable when the operation is the creation of a symbolic link between files: permissions of the target file (the file to which the link points). Solaris only.
new permission: Only applicable when creating a new file or when doing a chmod operation: permissions of the new file. Solaris only.

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
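The following Python script is an added worked example; it is not part of this product guide and not McAfee code. It models the semantics described in Notes 3 to 5 (unixfile:link and unixfile:rename combined with section files versus section source, and the zone restriction) over a few constructed events, and builds the Advanced Details parameters under the GUI names listed in the table above. The Event and Rule classes, the sample rules and events, and the assumption that every section present in a rule must match are constructed for this illustration and do not describe the agent's real matching engine.

```python
"""Toy evaluator for the UNIX_file custom-signature semantics in Notes 3 to 5
and for the Advanced Details parameters of the table above.

Added illustration, not McAfee Host IPS code. The Event and Rule shapes, the
sample data and the rule combination (all sections present must match) are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    """One file-system operation as the agent would report it (constructed shape)."""
    operation: str                     # "link", "rename", "create", "chmod", ...
    files: str                         # existing file acted on (the 'files' parameter)
    source: Optional[str] = None       # new link name (link) or new file name (rename)
    zone: str = "global"               # Solaris zone in which the operation happened
    file_mode: Optional[str] = None    # permissions of the file, e.g. "0644"
    target_mode: Optional[str] = None  # link target permissions (Solaris, link only)
    new_mode: Optional[str] = None     # new permissions (Solaris, create/chmod only)


@dataclass
class Rule:
    """The parts of a custom signature this example cares about."""
    tag: str
    directives: Set[str]                              # e.g. {"unixfile:link"}
    files: List[str] = field(default_factory=list)    # section files (patterns)
    source: List[str] = field(default_factory=list)   # section source (patterns)
    zone: List[str] = field(default_factory=list)     # empty = all zones (Note 5)


def _hit(patterns: List[str], value: Optional[str]) -> bool:
    return value is not None and any(fnmatchcase(value, p) for p in patterns)


def rule_matches(rule: Rule, ev: Event) -> bool:
    """Decide whether `rule` fires on `ev` under the semantics of Notes 3 to 5."""
    # Note 5: without a zone section every zone is protected; with one, only
    # events from a listed zone count.
    if rule.zone and ev.zone not in rule.zone:
        return False
    if "unixfile:" + ev.operation not in rule.directives:
        return False
    checks = []
    if rule.files:
        # Notes 3/4, section files: the existing file that is being linked to
        # or renamed is what is monitored.
        checks.append(_hit(rule.files, ev.files))
    if rule.source:
        # Notes 3/4, section source: the new name (the link being created or
        # the name the file is renamed to) is what is protected.
        checks.append(_hit(rule.source, ev.source))
    # Assumption: every section present must match; a rule with neither never fires.
    return bool(checks) and all(checks)


def evaluate(rules: List[Rule], events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule tag, event index) pairs for every rule/event hit."""
    return [(r.tag, i) for i, ev in enumerate(events) for r in rules if rule_matches(r, ev)]


def advanced_details(ev: Event) -> Dict[str, str]:
    """Build the Advanced Details parameters for an event using the GUI names
    from the table; parameters that do not apply to the operation are omitted."""
    details = {"files": ev.files}
    if ev.operation in ("link", "rename") and ev.source is not None:
        details["source"] = ev.source
    if ev.file_mode is not None:
        details["file permission"] = ev.file_mode
    if ev.operation == "link" and ev.target_mode is not None:
        details["source permission"] = ev.target_mode   # Solaris only
    if ev.operation in ("create", "chmod") and ev.new_mode is not None:
        details["new permission"] = ev.new_mode         # Solaris only
    return details


# Constructed sample data: rules in the spirit of Notes 3 to 5 and a few events.
RULES = [
    Rule("link-to-shadow", {"unixfile:link"}, files=["/etc/shadow"]),
    Rule("no-link-named-config", {"unixfile:link"}, source=["/opt/app/config.yml"]),
    Rule("rename-test-log-app-zone", {"unixfile:rename"},
         files=["/tmp/test.log"], zone=["app_zone"]),
]
EVENTS = [
    Event("link", "/etc/shadow", source="/tmp/s", file_mode="0400", target_mode="0400"),
    Event("link", "/tmp/other", source="/opt/app/config.yml", file_mode="0644"),
    Event("rename", "/tmp/test.log", source="/tmp/test.old", zone="app_zone"),
    Event("rename", "/tmp/test.log", source="/tmp/test.old", zone="global"),
    Event("chmod", "/tmp/test.log", file_mode="0644", new_mode="0777"),
]

if __name__ == "__main__":
    for tag, idx in evaluate(RULES, EVENTS):
        print(tag, "->", advanced_details(EVENTS[idx]))
```

Running the script prints one line per hit: the first rule fires on the link to /etc/shadow because section files names the existing file, the second fires on the link created under the name /opt/app/config.yml because section source names the new name, and the rename rule fires only for the event in app_zone, not for the identical rename in the global zone.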