Using the standard mode to create signatures

Use this method only if you are an advanced user. It offers the flexibility to select the operations that the signature is protecting, including changing, adding, and deleting operations. You can create an entirely new signature, one based on an existing custom signature, or one based on a duplicate of an existing custom signature.

To create a signature with the standard mode:

  1. Do one of the following:
    • On the Signatures tab, click Create on the shortcut menu or toolbar. A blank New Custom Signature dialog box appears.
    • On the Signatures tab, select a custom signature and click Duplicate on the shortcut menu or toolbar. A prefilled Duplicate Custom Signature dialog box appears.
  2. On the General tab, enter a name and select the platform, severity level, log status, and whether to allow the creation of client rules.
  3. On the Description tab, type a description of what the signature is protecting. This description appears in the IPS Event dialog box when the signature is triggered.
  4. On the Sub-Rule tab, select either Standard Method or Expert Method to create the rule.

    The Standard Method limits the number of types you can include in the signature rule.
    The Expert Method, recommended only for advanced users, enables you to provide the rule syntax without limiting the number of types you can include in the signature rule. Before writing a rule, make sure you understand rule syntax. Refer to Writing Custom Signatures.

  5. To use Standard Method:

    1. Click Add. The New Standard Rule dialog box appears.
    2. On the General tab, enter a name for the signature and choose a type.
    3. On the Operations tab, specify the operations that trigger the selected rule.
    4. On the Parameters tab, include or exclude particular parameters in the rule.
    5. On the Rule Syntax tab, view the rule syntax that was generated for the signature you are creating.
    6. Click OK. The rule is compiled and the syntax is verified. If there is an error and the rule fails verification, a dialog box describing the error appears. You can then fix the error and verify the rule again.

    To use Expert Method:

    1. On the Rules tab of the Custom Signature dialog box, select Expert and
    2. Click Add. The New Expert Rule dialog box appears.
    3. On the General tab, type a name for the rule in the Rule Name box and any notes in the Note box.
    4. On the Rule Syntax tab, type the rule. Rules are written in ANSI format and TCL syntax. See Writing Custom Signatures for details.
    5. Click OK. The rule is compiled and the syntax is verified. If there is an error and the rule fails verification, a dialog box describing the error appears. You can then fix the error and verify the rule again.

  6. Click Apply to apply the new settings, and then OK.

    You can include multiple rules in a signature.

Copyright © 2006 McAfee, Inc. All Rights Reserved.