McAfee® Host Intrusion Prevention 6.1 Product Guide, A: Writing Custom Signatures
Solaris Custom Signatures
Advanced Details
Some or all of the following parameters appear in the Advanced Details tab of security
events for the class UNIX_Files. The values of these parameters can help you
understand why a signature is triggered.

| GUI name | Explanation |
|---|---|
| files | Name of the file that was accessed or attempted to be accessed. |
| source | Only applicable when operation is the creation of a symbolic link between files: name of the new link; or when operation is the renaming of a file: new name of the file. |
| file permission | Permissions of the file. |
| source permission | Only applicable when operation is the creation of a symbolic link between files: permissions of the target file (the file to which the link points). |
| new permission | Only applicable when creating a new file or when doing a chmod operation: permissions of the new file. |

Class UNIX_apache
The following table lists the possible sections of the class UNIX_apache. This class can
be used for the Apache, iPlanet and Netscape Enterprise Web Servers.

| section | values | meaning/remarks |
|---|---|---|
| Class | UNIX_apache | |
| Id | 4000 – 7999 | |
| level | 0, 1, 2, 3, 4 | |
| time | * | |
| user_name | user or system account | |
| application | path + application name | |
| url | | This section is optional. It is matched against the url part of an incoming request; see Notes 1, 2, 3, 4. |
| query | | This section is optional. It is matched against the query part of an incoming request; see Notes 1, 2, 3, 4. |
| method | “GET”, “POST”, “INDEX” and the other http methods | This section is optional. See Note 4. |
| directives | -c -d apache:request | |

Note 1
An incoming http request can be represented as: http://www.myserver.com/{url}?{query}.
In this document, we refer to {url} as the “url” part of the http request
and {query} as the “query” part of the http request. Using this naming convention, we
can say that the section “url” will be matched against {url} and the section “query” will
be matched against {query}.
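
The split described in Note 1 and the optional url, query and method sections, modelled in Python as an added example (not code from the product guide or from McAfee). The shell-style wildcard matching, the dictionary form of the signature and the sample requests are assumptions made for illustration; Notes 2 to 4, which refine the matching, are not reproduced on this page.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def split_request(request_url):
    """Split an HTTP request URL into the {url} and {query} parts of Note 1."""
    parts = urlsplit(request_url)
    path = parts.path
    # Note 1 writes the request as http://host/{url}?{query}, so the slash
    # that follows the host is not part of {url}.
    url = path[1:] if path.startswith("/") else path
    return url, parts.query


def signature_matches(signature, method, request_url):
    """Return True when every section present in the signature matches.

    A section that is absent from the signature is optional and places no
    constraint on the request. Wildcard matching with fnmatch is an
    assumption of this sketch, not the product's documented matching rule.
    """
    url, query = split_request(request_url)
    observed = {"url": url, "query": query, "method": method}
    for section, pattern in signature.items():
        if not fnmatchcase(observed[section], pattern):
            return False
    return True


# Constructed sample signature and requests (hypothetical values).
SIG = {"url": "*admin*", "method": "GET"}
REQUESTS = [
    ("GET", "http://www.myserver.com/admin/login.html?user=a"),
    ("GET", "http://www.myserver.com/index.html?next=admin"),
    ("POST", "http://www.myserver.com/admin/login.html"),
]

if __name__ == "__main__":
    for method, req in REQUESTS:
        print(method, split_request(req), signature_matches(SIG, method, req))
```

The second request carries "admin" only in its query part, so a pattern placed in the url section does not see it; a signature meant to cover both parts needs a query section as well.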