Advanced Details

Some or all of the following parameters appear in the Advanced Details tab of events for the class Isapi. The values of these parameters can help you understand why a signature is triggered.

| GUI name | Explanation |
|---|---|
| url | Decoded and normalized location part of an incoming HTTP request (the part before the ‘?’). |
| query | Decoded and normalized query part of an incoming HTTP request (the part after the first ‘?’). |
| web server type | Type and version of the Web server application used. |
| method | Method of the incoming HTTP request (such as Get, Put, Post, Query, etc.). |
| local file | Physical name of the file that is retrieved or attempted to be retrieved by the request. Decoded and normalized under IIS. |
| raw url | “Raw” (undecoded and not normalized) Request Line of the incoming HTTP request. Request Line is “<method> <location[?query]> <http version> CRLF”. |
| user | User name of the client making the request; only available if the request is authenticated. |
| source | Client name or IP address of the computer where the HTTP request originated. |
| server | Information about the Web server where the event is created (that’s the machine where the Agent is installed) in the manner <host name>:<IP address>:<port>. The host name is the host variable from the HTTP header; it is left blank if not available. |
| content len | Number of bytes in the body of the message part of the query. |

The following rule would prevent a request to the web server that has “subject” in the query part of the HTTP request:

    Rule {
        Class Isapi
        Id 4001
        level 4
        query { Include "*subject*" }
        method { Include "GET" }
        time { Include "*" }
        application { Include "*" }
        user_name { Include "*" }
        directives -c -d isapi:request
    }

For example, the GET request http://www.myserver.com/test/abc.exe?subject=wildlife&environment=ocean would be prevented by this rule.
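The following added example (not McAfee code) splits a Request Line into the url, query and method fields from the table above and evaluates the query and method sections of rule 4001 against them, which helps when an event's raw url does not literally contain the pattern that triggered. It assumes that percent-decoding stands in for the Agent's decoding and normalization and that `*` matches any run of characters without regard to case; the function names and sample request lines are constructed for illustration.

```python
# Added illustration: not McAfee code. Decoding and matching semantics are assumptions.
from fnmatch import fnmatchcase
from urllib.parse import unquote

# The two sections of rule 4001 (from the page) that are evaluated here.
RULE_4001 = {"method": "GET", "query": "*subject*"}

def parse_request_line(raw):
    """Split '<method> <location[?query]> <http version> CRLF' into event fields."""
    line = raw.rstrip("\r\n")
    method, target, _version = line.split(" ", 2)
    location, _, query = target.partition("?")  # query = part after the first '?'
    return {
        "raw url": line,              # undecoded, not normalized
        "method": method,
        "url": unquote(location),     # assumed normalization: percent-decoding only
        "query": unquote(query),
    }

def include_matches(pattern, value):
    # Assumption: '*' is the only wildcard and the comparison ignores case.
    return fnmatchcase(value.lower(), pattern.lower())

def rule_triggers(fields, rule=RULE_4001):
    """True only if every evaluated section's Include pattern matches its field."""
    return all(include_matches(p, fields[name]) for name, p in rule.items())

def raw_match(raw, pattern="*subject*"):
    """What matching the pattern against the undecoded Request Line would report."""
    return include_matches(pattern, raw)

# Constructed sample Request Lines (not captured traffic).
SAMPLES = [
    "GET /test/abc.exe?subject=wildlife&environment=ocean HTTP/1.1\r\n",
    "GET /test/abc.exe?%73ubject=wildlife HTTP/1.1\r\n",   # encoded in raw url
    "POST /test/abc.exe?subject=wildlife HTTP/1.1\r\n",    # method is not GET
    "GET /subject/abc.exe?environment=ocean HTTP/1.1\r\n", # pattern only in url part
]

if __name__ == "__main__":
    for sample in SAMPLES:
        f = parse_request_line(sample)
        print(f"{f['method']:4} query={f['query']!r} "
              f"rule={rule_triggers(f)} raw={raw_match(sample)}")
```

The second and fourth samples are the ones where the decoded query field and the raw url disagree, so compare both fields in Advanced Details when judging whether an event is a true match.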

The various sections of this rule have the following meaning:

Copyright © 2006 McAfee, Inc. All Rights Reserved.