Solaris/Linux Class Unix_Misc - McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual

Product Guide for use with ePolicy Orchestrator 4.5

Appendix A — Writing Custom Signatures and Exceptions
Non-Windows custom signatures
Note 2
Before matching is done, sections "url" and "query" are decoded and normalized so that requests
cannot be filled with encoding or escape sequences.
Note 3
A maximum length restriction can be defined for the sections "url" and "query". By adding
";number-of-chars" to the value of these sections, the rule can only match if the {url} or {query}
have more characters than "number-of-chars". For example, the following rule matches if the
url part of the request contains "abc" and the url part of the request has over 500 characters:
Rule {
    Class UNIX_apache
    Id 4001
    level 1
    url { Include "*abc*;500" }
    time { Include "*" }
    application { Include "*" }
    user_name { Include "*" }
    directives apache:request
}
Note 4
A rule needs to contain at least one of the optional sections url, query, method.
Note 5
By default, all zones are protected by the signature. To restrict protection to a particular zone,
add a zone section in the signature and include the name of the zone.
For example, if you have a zone named "app_zone" whose root is /zones/app, then the rule:
Rule {
...
file { Include "/tmp/test.log" }
zone { Include "app_zone" }
... }
would apply only to the file in the zone "app_zone" and not in the global zone.
Note that in this release, web server protection cannot be restricted to a particular zone.
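The following evaluator is an added illustration, not McAfee's matching engine, of the section semantics described in Notes 2, 3, 4 and 5: url and query values are decoded and normalised before matching, a ";N" suffix makes a pattern match only when the value has more than N characters, a UNIX_apache rule must carry url, query or method, and a zone section restricts a rule to the named zone. The line-oriented rule syntax, the fnmatch-style wildcards, the two-pass percent-decoding and the "global" default zone name are assumptions made for the example; the two rules it parses are the manual's own examples.

```python
"""Evaluator for the HIPS-style signature sections described in Notes 2-5.

Added illustration, not McAfee's matching engine.  Assumed: one
'section { Include|Exclude "pattern" }' per line, fnmatch-style wildcards,
two-pass percent-decoding plus POSIX path normalisation for url (Note 2),
";N" as a minimum-length suffix (Note 3), and "global" as the default zone.
"""
import fnmatch
import posixpath
import re
from urllib.parse import unquote

SECTION_RE = re.compile(r'^\s*(\w+)\s*\{\s*(Include|Exclude)\s*"([^"]*)"\s*\}')
CLASS_RE = re.compile(r'^\s*Class\s+(\S+)')


def parse_rule(text):
    """Return {"Class": name, section: [(kind, pattern, min_len), ...]}."""
    rule = {}
    for line in text.splitlines():
        c = CLASS_RE.match(line)
        if c:
            rule["Class"] = c.group(1)
            continue
        m = SECTION_RE.match(line)
        if not m:
            continue                      # Id, level, directives: not evaluated
        name, kind, value = m.groups()
        pattern, min_len = value, None
        if ";" in value:                  # Note 3: "*abc*;500"
            pattern, n = value.rsplit(";", 1)
            min_len = int(n)
        rule.setdefault(name, []).append((kind, pattern, min_len))
    return rule


def normalize_url(value):
    """Note 2: decode twice (defeats double encoding) and normalise the path."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    return posixpath.normpath(decoded) if decoded else ""


def normalize_query(value):
    """Note 2 for the query string: decode only, path rules do not apply."""
    return unquote(unquote(value))


def section_matches(entries, value):
    """True when an Include pattern matches (honouring ;N) and no Exclude does."""
    included = False
    for kind, pattern, min_len in entries:
        hit = fnmatch.fnmatchcase(value, pattern)
        if hit and min_len is not None and len(value) <= min_len:
            hit = False                   # Note 3: value must exceed N characters
        if kind == "Exclude" and hit:
            return False
        included = included or (kind == "Include" and hit)
    return included


def rule_matches(rule, request):
    """Evaluate a parsed rule against a request/event dict.

    Note 4: a UNIX_apache rule needs at least one of url, query, method.
    Note 5: without a zone section every zone is covered; with one, only the
    named zone is (the zone of the event defaults to "global").
    """
    if rule.get("Class") == "UNIX_apache" and not any(
            s in rule for s in ("url", "query", "method")):
        raise ValueError("rule needs at least one of url, query, method")
    for name, entries in rule.items():
        if name == "Class":
            continue
        value = request.get(name, "global" if name == "zone" else "")
        if name == "url":
            value = normalize_url(value)
        elif name == "query":
            value = normalize_query(value)
        if not section_matches(entries, value):
            return False
    return True


# The manual's two example rules (the directives line is kept but not evaluated)
LENGTH_RULE = parse_rule('''Rule {
Class UNIX_apache
Id 4001
level 1
url { Include "*abc*;500" }
time { Include "*" }
application { Include "*"}
user_name { Include "*" }
directives apache:request
}''')
ZONE_RULE = parse_rule('''Rule {
file { Include "/tmp/test.log" }
zone { Include "app_zone" }
}''')

if __name__ == "__main__":
    long_url = "/" + "a" * 600 + "/%2561bc"   # constructed: double-encoded "abc"
    print(rule_matches(LENGTH_RULE, {"url": "/abc"}))      # False: under 500 chars
    print(rule_matches(LENGTH_RULE, {"url": long_url}))    # True
    print(rule_matches(ZONE_RULE, {"file": "/tmp/test.log", "zone": "app_zone"}))  # True
    print(rule_matches(ZONE_RULE, {"file": "/tmp/test.log"}))  # False: global zone
```

The double-decoding step is what makes the ";500" check meaningful: the length is measured on the decoded value, so padding a short request with escape sequences neither inflates the count nor hides the "abc" substring from the wildcard.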

Solaris/Linux class UNIX_Misc

The following table lists the possible sections and values for the Solaris or Linux class UNIX_misc:

Section   Values                 Notes
Class     UNIX_misc              A miscellaneous class that safeguards access protection.
Id        See Common sections.

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
131