Appendix A — Writing Custom Signatures and Exceptions
Non-Windows custom signatures
| Section | Values | Notes |
|---|---|---|
| level | | |
| time | | |
| user_name | | |
| Executable | | |
| zone | Name of the zone to which the signature applies | Solaris 10 or later. |
| directives | unixmisc:killagent | Prevents a SIGKILL signal from being sent to the client. |

Solaris class UNIX_bo
The following table lists the possible sections and values for the Solaris class UNIX_bo (Buffer Overflow):

| Section | Values | Notes |
|---|---|---|
| Class | UNIX_bo | |
| Id | See Common sections. | |
| level | See Common sections. | |
| time | See Common sections. | |
| user_name | See Common sections. | |
| Executable | See Common sections. | |
| program | Program name | Program to look for. |
| zone | Name of the zone to which the signature applies | Solaris 10 or later. See note 1. |
| directives | unixbo:binargs | Binary arguments. |
| | unixbo:illegal_address | Illegal address, such as running a program from the stack. |
| | unixbo:exec | Program execution. |
| | unixbo:environment | Program environment. |
| | unixbo:binenv | Binary environment. |
| | unixbo:libc | Used when the return address for a function is not in the proper stack frame. |

Note 1
By default, all zones are protected by the signature. To restrict protection to a particular zone, add a zone section in the signature and include the name of the zone.
For example, if you have a zone named "app_zone" whose root is /zones/app, then the rule:
Rule {
    ...
    file { Include "/tmp/test.log" }
    zone { Include "app_zone" }

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5