McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual page 41

Product guide for use with ePolicy Orchestrator 4.5

Configuring IPS Policies
Define IPS protection
To... | Do this...
| Multiple. In the page that appears, select the settings for the three editable items, then click OK.
Add a signature | Click New or New (Wizard).
Delete a custom signature | Under Actions, click Delete. NOTE: Only custom signatures can be deleted.
Copy a signature to another policy | Select a signature and click Copy To to copy it to another policy. Indicate the policy to which to copy the signature and click OK. NOTE: You can copy several signatures at one time by selecting all the signatures before clicking Copy To.

4. Click Save to save any changes.

Creating custom signatures
Create custom host intrusion prevention signatures from the Signatures tab of the IPS Rules policy to protect specific operations not covered by default signatures.

Task
For option definitions, click ? in the interface.

1. On the IPS Rules policy Signatures tab, click New. A blank Signature page appears.
2. On the signature's IPS Signature tab, type a name (required) and select the platform, severity level, log status, and whether to allow the creation of client rules. For severity level, client rules, and log status, select the checkbox to change the default values.
3. On the Description tab, type a description of what the signature is protecting. This description appears in the IPS Event when the signature is triggered.
4. On the Subrules tab, select New Standard Sub-Rule or New Expert Subrule to create a rule.

Standard method
The Standard method limits the number of types you can include in the signature rule.
   1. Type a name for the signature (required) and choose a rule class type. Options include: Files, Hook, HTTP, Program, Registry, Services, and SQL.
   2. Specify the class operations that are blocked and will trigger the signature.
   3. Indicate whether to include or exclude a particular parameter, what the parameter is and its value.
   4. Include an executable as a parameter with information on at least one of these four values:

Expert method
The Expert method, recommended only for advanced users, enables you to provide the rule syntax without limiting the number of types you can include in the signature. Before writing a rule, make sure you understand rule syntax.
   1. Type the rule syntax for the signatures, which can include a name for the rule. Use ANSI format and TCL syntax.
   2. Click OK and the rule is added to the list at the top of the Subrule tab. The rule is compiled and the syntax is verified. If the rule fails verification, a dialog box describing the error appears. Fix the error and verify the rule again.

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5

This manual is also suitable for:

Host intrusion prevention 8.0
