Re: McAfee IDS signature writing

[krymson () gmail com]

I wish I had an answer for you, but I'm in the same boat as far as trying to figure out McAfee IDS/IPS rules. I wish 
you could view their rules to see how they make em.

Anyway, I wanted to just post that any responses can be directed to the list (if there are any) rather than just to 
Mark, and at least I would benefit as well! :)


<- snip ->
Does anyone have any experience with writing signatures for McAfee IPS systems? It's a bit frustrating compared to a 
system like Snort, because the vendor-supplied sigs are "secret sauce". I can't just look in there for examples similar 
to what I'm trying to achieve.

What I'm after in this case should in principle be relatively simple - I want to catch certain function calls in an 
HTTP response, but only in the context of a javascript block. I'd like to avoid tripping the signatures if the same 
strings come up in the regular text of a page, e.g. a in a mailing list posting describing an IDS signature or a 
browser vulnerability...

Regards

Mark

PS - kindly cc me on replies, as I'm not subscribed to the list

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------