Appendix A — Writing Custom Signatures and Exceptions
Non-Windows custom signatures
Solaris/Linux class UNIX_apache (HTTP)
The following table lists the possible sections and values for the UNIX-based class apache:

| Section | Values | Notes |
|---|---|---|
| Class | UNIX_apache | |
| Id | See Common sections. | |
| level | See Common sections. | |
| time | See Common sections. | |
| user_name | See Common sections. | |
| Executable | See Common sections. | |
| url | | Optional. Matched against the url part of an incoming request. See Notes 1-4. |
| query | | Optional. Matched against the query part of an incoming request. See Notes 1-4. |
| method | "GET", "POST", "INDEX" and all other allowed http methods | Optional. See Note 4. |
| zone | Name of the zone to which the signature applies | Solaris 10 or later. See Note 5. |
| directives | apache:requrl | For URL requests. |
| | apache:reqquery | For query requests. |
| | apache:rawdata | For raw data requests. |

Note 1
An incoming http request can be represented as: http://www.myserver.com/{url}?{query}. In this document, we refer to {url} as the "url" part of the http request and {query} as the "query" part of the http request. Using this naming convention, we can say that the section "url" is matched against {url} and the section "query" is matched against {query}.
For example, the following rule is triggered if the http request http://www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean is received by IIS:

    Rule {
        Class UNIX_apache
        Id 4001
        level 1
        url { Include "*abc*" }
        time { Include "*" }
        application { Include "*"}
        user_name { Include "*" }
        directives apache:request
    }

This rule is triggered because {url}=/search/abc.exe, which matches the value of the section "url" (namely, abc).
130
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
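To make the url/query split of Note 1 concrete, here is an added example (not McAfee code) that parses the rule above and evaluates it against incoming requests the way the table describes: the "url" section is compared only with {url}, so a request carrying "abc" solely in {query} does not trigger it. The case-insensitive glob comparison and the handling of sections absent from the request are assumptions, not behaviour documented on this page.

```python
import fnmatch
import re
from urllib.parse import urlsplit

# Constructed input: the UNIX_apache rule from this section, verbatim.
RULE_TEXT = """Rule {
Class UNIX_apache
Id 4001
level 1
url { Include "*abc*" }
time { Include "*" }
application { Include "*"}
user_name { Include "*" }
directives apache:request
}"""

# name { Include "pat" "pat" ... }   or   name value
SECTION_RE = re.compile(r'^(\w+)\s*\{\s*(Include|Exclude)\s+((?:"[^"]*"\s*)+)\}$')
SCALAR_RE = re.compile(r'^(\w+)\s+(\S+)$')

def parse_rule(text):
    """Parse a rule into scalar fields plus per-section (mode, patterns)."""
    rule = {"match": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line in ("Rule {", "}"):
            continue
        m = SECTION_RE.match(line)
        if m:
            name, mode, pats = m.groups()
            rule["match"][name.lower()] = (mode, re.findall(r'"([^"]*)"', pats))
            continue
        m = SCALAR_RE.match(line)
        if m:
            rule[m.group(1).lower()] = m.group(2)
    return rule

def split_request(method, absolute_url):
    """Note 1: http://host/{url}?{query} -> separate url and query parts."""
    parts = urlsplit(absolute_url)
    return {"method": method, "url": parts.path, "query": parts.query}

def rule_matches(rule, request):
    """True when every section is satisfied: Include needs one glob hit,
    Exclude needs none. Assumed: case-insensitive globs; sections the
    request lacks (time, user_name, ...) compare as "" and need "*"."""
    for name, (mode, patterns) in rule["match"].items():
        value = request.get(name, "").lower()
        hit = any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)
        if (mode == "Include") != hit:
            return False
    return True
```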