Mandatory common sections

A rule's mandatory sections and the values they accept are listed below. For the mandatory sections that belong to the selected class section, see the class section under Windows custom signatures. The keywords Include and Exclude are used in every section except Id, level, and directives (Class takes a bare class name). Include means the section matches the value given; Exclude means the section matches every value except the one given.

Class
  Value: depends on the operating system
  Description: the class this rule applies to.

Id
  Value: 4000 - 7999
  Description: the unique ID number of the signature. This range is the one reserved for custom rules.

level
  Value: 0, 1, 2, 3, or 4
  Description: the security level of the signature:
  • 0 = Disabled
  • 1 = Blue (Information)
  • 2 = Yellow (Low)
  • 3 = Orange (Medium)
  • 4 = Red (High)

time
  Value: {Include "*"}
  Description: this section accepts this one value only.

user_name
  Value: {Include/Exclude "user or system account"}
  Description: the users to whom the rule applies. Specify particular users, or all users with *.
  Remarks for Windows:
  For a local user, use <machine name>/<local user name>.
  For a domain user, use <domain name>/<domain user name>.
  For the local system account, use Local/System; this is equivalent to NT Authority/System on Windows NT and <domain>/<machine> on Windows 2000.
  Some remotely initiated actions do not report the ID of the remote user; they run in the context of the local service and its user account instead. Plan for this when developing rules. When a process runs in the context of a null session, the user and domain are both 'Anonymous'.

application
  Value: {Include/Exclude "path and application name"}
  Description: the full path of the process that performed the operation that created the event. When the operation is remote, the application is the local service or server that handles the operation.
  Some local operations are handled as if they were remote; on Windows the application name is then the local service or server that handles the operation. If a rule applies to all applications, use *.

directives
  Value: -c -d <operation type>
  Description: the operation types are class-dependent and are listed for each class in the later sections. The switches -c and -d are required and must precede the operation type.
You can create a signature with multiple rules by adding one rule after another. Every rule in the same signature must carry the same value in its Id and level sections.
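The constraints above (the mandatory sections, the custom Id range, the five level values, the fixed time value, the required -c -d switches, and the same Id and level across all rules of one signature) are easy to get wrong by hand. The following validator is an added example written for this page, not McAfee code. It assumes the rules are wrapped in `Rule { ... }` blocks; the `files { ... }` class section and the `files:create` / `files:write` operation names in the constructed sample are stand-ins for the class-specific sections and operation types documented in the later class sections, and the sample signatures themselves are constructed for the example.

```python
"""Parse McAfee HIP custom-signature text and check the mandatory sections.

Added example, not McAfee code.  Assumptions: rules sit inside
`Rule { ... }` blocks; the `files` section and the `files:create` /
`files:write` operation names are placeholders for class-specific values.
"""
import re

MANDATORY = ("Class", "Id", "level", "time", "user_name", "application", "directives")
LEVELS = {0: "Disabled", 1: "Blue (Information)", 2: "Yellow (Low)",
          3: "Orange (Medium)", 4: "Red (High)"}

# A rule body runs from "Rule {" to the first line holding only "}".
RULE_RE = re.compile(r"Rule\s*\{(.*?)^[ \t]*\}", re.S | re.M)
# Include/Exclude filter as written in the table: {Include "value"}
BRACE_RE = re.compile(r'\{\s*(include|exclude)\s+"([^"]*)"\s*\}', re.I)


class Rule:
    def __init__(self):
        self.sections = {}          # section name -> text after the name

    def filt(self, name):
        """Return (mode, value) for an Include/Exclude section, else None."""
        m = BRACE_RE.search(self.sections.get(name, ""))
        return (m.group(1).lower(), m.group(2)) if m else None


def parse_signature(text):
    """Split signature text into Rule objects, one per Rule { } block."""
    rules = []
    for body in RULE_RE.findall(text):
        rule = Rule()
        for line in body.splitlines():
            line = line.strip()
            if line:
                name, _, rest = line.partition(" ")
                rule.sections[name] = rest.strip()
        rules.append(rule)
    return rules


def check_rule(rule, idx):
    """Check one rule against the mandatory-section table."""
    missing = [n for n in MANDATORY if n not in rule.sections]
    if missing:
        return [f"rule {idx}: missing mandatory section(s): {', '.join(missing)}"]
    errs = []
    sid = rule.sections["Id"]
    if not (sid.isdigit() and 4000 <= int(sid) <= 7999):
        errs.append(f"rule {idx}: Id {sid!r} is outside the custom range 4000-7999")
    lvl = rule.sections["level"]
    if not (lvl.isdigit() and int(lvl) in LEVELS):
        errs.append(f"rule {idx}: level {lvl!r} must be one of 0-4")
    if rule.filt("time") != ("include", "*"):
        errs.append(f'rule {idx}: time must be exactly {{Include "*"}}')
    for name in ("user_name", "application"):
        if rule.filt(name) is None:
            errs.append(f'rule {idx}: {name} needs {{Include|Exclude "value"}}')
    ops = rule.sections["directives"].split()
    if ops[:2] != ["-c", "-d"] or len(ops) < 3:
        errs.append(f"rule {idx}: directives must read '-c -d <operation type>'")
    return errs


def check_signature(text):
    """Return a list of problems; an empty list means the signature is valid."""
    rules = parse_signature(text)
    if not rules:
        return ["no Rule { ... } block found"]
    errs = []
    for i, rule in enumerate(rules, 1):
        errs.extend(check_rule(rule, i))
    # All rules of one signature must share Id and level.
    for key in ("Id", "level"):
        vals = {r.sections.get(key) for r in rules} - {None}
        if len(vals) > 1:
            errs.append(f"rules in one signature must share {key}; found {sorted(vals)}")
    return errs


# Constructed sample: two rules forming one signature (same Id and level).
GOOD = r'''
Rule {
  Class Files
  Id 4001
  level 4
  time { Include "*" }
  user_name { Exclude "Local/System" }
  application { Include "*" }
  files { Include "C:\temp\*.txt" }
  directives -c -d files:create
}
Rule {
  Class Files
  Id 4001
  level 4
  time { Include "*" }
  user_name { Include "*" }
  application { Exclude "C:\Program Files\Trusted\trusted.exe" }
  files { Include "C:\temp\*.txt" }
  directives -c -d files:write
}
'''

# Constructed sample with three mistakes: Id out of range, bad level, no -c -d.
BAD = '''
Rule {
  Class Files
  Id 8000
  level 7
  time { Include "*" }
  user_name { Include "*" }
  application { Include "*" }
  directives files:create
}
'''

if __name__ == "__main__":
    for label, sig in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_signature(sig) or "ok")
```

Running the block prints `ok` for the first signature and three findings for the second; changing the level of only one rule in the first signature produces the shared-level error instead.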

Copyright © 2006 McAfee, Inc. All Rights Reserved.