IDS mailing list archives

Re: McAfee IDS signature writing


From: Vijay K <globevk () yahoo com>
Date: Fri, 24 Aug 2007 21:40:47 -0700 (PDT)

Just to follow up, there are also many BOHS (Browser
Hijack Sessions) implementations, in fact open source
with open source code.

FYI...two cents of advice

Regards,
Vijay 

--- senatorfrog () gmail com wrote:

Hello list

Does anyone have any experience with writing
signatures for McAfee IPS systems?  It's a bit
frustrating compared to a system like Snort, because
the vendor-supplied sigs are "secret sauce".  I
can't just look in there for examples similar to
what I'm trying to achieve.

What I'm after in this case should in principle be
relatively simple - I want to catch certain function
calls in an HTTP response, but only in the context
of a javascript block.  I'd like to avoid tripping
the signatures if the same strings come up in the
regular text of a page, e.g. in a mailing list
posting describing an IDS signature or a browser
vulnerability...

Regards
Mark

PS - kindly cc me on replies, as I'm not subscribed
to the list


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to

http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw

to learn more.

------------------------------------------------------------------------
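
The context-scoped match asked about in the quoted question, sketched in Python as an added example (it is not part of either post and is not McAfee signature syntax): watched calls count only when they sit inside a `<script>` element of the response body. The function names and both sample bodies are constructed placeholders, since the post does not name the calls of interest.

```python
import re
from html.parser import HTMLParser

# Hypothetical function names; the post does not say which calls are of interest.
WATCHED = ("watchedCall", "otherWatchedCall")
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, WATCHED)) + r")\s*\(")


class ScriptCallFinder(HTMLParser):
    """Records watched calls found inside <script> elements, nowhere else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.buf = None   # list of text chunks while inside <script>, else None
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.buf = []

    def handle_data(self, data):
        if self.buf is not None:
            self.buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self.buf is not None:
            # Match on the whole block so a call split across chunks is still seen.
            self.hits += CALL_RE.findall("".join(self.buf))
            self.buf = None


def script_calls(body):
    """Return watched calls that occur in script context in an HTML body."""
    finder = ScriptCallFinder()
    finder.feed(body)
    finder.close()
    return finder.hits


# Constructed sample bodies (not captured traffic).
SCRIPT_PAGE = "<html><body><p>news</p><script>var x = watchedCall (1);</script></body></html>"
PROSE_PAGE = ("<html><body><pre>My signature fires on watchedCall( inside\n"
              "&lt;script&gt;otherWatchedCall(1)&lt;/script&gt; blocks.</pre></body></html>")

if __name__ == "__main__":
    print(script_calls(SCRIPT_PAGE))
    print(script_calls(PROSE_PAGE))
```

The prose page stays quiet because escaped markup such as `&lt;script&gt;` is delivered as text, not as a tag. JavaScript in event-handler attributes is outside what this sketch inspects.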


