Re: McAfee IDS signature writing

["Mark Senior" <senatorfrog () gmail com>]

Hello all

Thanks to everyone for the many responses I got.

I should perhaps have given a bit more information - I am using a UDS
for this; So far I have a signature that looks in HTTP responses,
looking in text files only (as far as I can tell, TEXT/HTML,
TEXT/Javascript, TEXT/Plain, etc.), for a Javascript snippet.

However, the signature has a few hiccups which I'm trying to work out.

I now have a case open with McAfee on this - I hadn't realized that
McAfee would offer assistance in this case.

Regards
Mark

On 8/26/07, Soumen Paul wrote:
> Hello Mark
>
> What I feel , you are trying to write signature for McAfee Intrushield IPS.
> Are you trying for User Defined Signature ? McAfee says it UDS. If yes ,
> then there is an UDS editor available for in the McAfee IPS Manager (ISM) .
> Check knowledge base of McAfee IPS and check how to write UDS. There are
> wonderfull documents kept there.
> Also if you are using ISM version 4.1 or atleast 3.x then the UDS editor is
> quite flexible.
> But if you are using ISM version 2.x or something prior to 3.x then the
> flexibility would be very very less.
> Apart from this , you can contact McAfee Support for getting help on UDS.
> Officially McAfee does not support it. But if you are a platinum customer
> and if your business impact is high , then they might help you on this.
> The new ISM 4.1 has more flexibility for HTTP Response recognition - I cant
> confirm though.. need to check..
>
> Hope this helps..
>
> Regards
> Soumen Paul
>
> On 24 Aug 2007 18:07:50 -0000, krymson () gmail com <krymson () gmail com> wrote:
> > I wish I had an answer for you, but I'm in the same boat as far as trying
> to figure out McAfee IDS/IPS rules. I wish you could view their rules to see
> how they make em.
> > Anyway, I wanted to just post that any responses can be directed to the
> list (if there are any) rather than just to Mark, and at least I would
> benefit as well! :)
> > <- snip ->
> >
> > Does anyone have any experience with writing signatures for McAfee IPS
> systems? It's a bit frustrating compared to a system like Snort, because the
> vendor-supplied sigs are "secret sauce". I can't just look in there for
> examples similar to what I'm trying to achieve.
> > What I'm after in this case should in principle be relatively simple - I
> want to catch certain function calls in an HTTP response, but only in the
> context of a javascript block. I'd like to avoid tripping the signatures if
> the same strings come up in the regular text of a page, e.g. a in a mailing
> list posting describing an IDS signature or a browser vulnerability...
> > Regards
> >
> >
> > Mark
> >
> >
> > PS - kindly cc me on replies, as I'm not subscribed to the list
> ------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it
> > with real-world attacks from CORE IMPACT.
> > Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> > to learn more.
> ------------------------------------------------------------------------
> >

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------