IDS mailing list archives
Re: McAfee IDS signature writing
From: "Mark Senior" <senatorfrog () gmail com>
Date: Mon, 27 Aug 2007 09:51:06 -0600
Hello all Thanks to everyone for the many responses I got. I should perhaps have given a bit more information - I am using a UDS for this; So far I have a signature that looks in HTTP responses, looking in text files only (as far as I can tell, TEXT/HTML, TEXT/Javascript, TEXT/Plain, etc.), for a Javascript snippet. However, the signature has a few hiccups which I'm trying to work out. I now have a case open with McAfee on this - I hadn't realized that McAfee would offer assistance in this case. Regards Mark On 8/26/07, Soumen Paul wrote:
Hello Mark What I feel , you are trying to write signature for McAfee Intrushield IPS. Are you trying for User Defined Signature ? McAfee says it UDS. If yes , then there is an UDS editor available for in the McAfee IPS Manager (ISM) . Check knowledge base of McAfee IPS and check how to write UDS. There are wonderfull documents kept there. Also if you are using ISM version 4.1 or atleast 3.x then the UDS editor is quite flexible. But if you are using ISM version 2.x or something prior to 3.x then the flexibility would be very very less. Apart from this , you can contact McAfee Support for getting help on UDS. Officially McAfee does not support it. But if you are a platinum customer and if your business impact is high , then they might help you on this. The new ISM 4.1 has more flexibility for HTTP Response recognition - I cant confirm though.. need to check.. Hope this helps.. Regards Soumen Paul On 24 Aug 2007 18:07:50 -0000, krymson () gmail com <krymson () gmail com> wrote:I wish I had an answer for you, but I'm in the same boat as far as tryingto figure out McAfee IDS/IPS rules. I wish you could view their rules to see how they make em.Anyway, I wanted to just post that any responses can be directed to thelist (if there are any) rather than just to Mark, and at least I would benefit as well! :)<- snip -> Does anyone have any experience with writing signatures for McAfee IPSsystems? It's a bit frustrating compared to a system like Snort, because the vendor-supplied sigs are "secret sauce". I can't just look in there for examples similar to what I'm trying to achieve.What I'm after in this case should in principle be relatively simple - Iwant to catch certain function calls in an HTTP response, but only in the context of a javascript block. I'd like to avoid tripping the signatures if the same strings come up in the regular text of a page, e.g. a in a mailing list posting describing an IDS signature or a browser vulnerability...Regards Mark PS - kindly cc me on replies, as I'm not subscribed to the list------------------------------------------------------------------------Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go tohttp://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfwto learn more.------------------------------------------------------------------------
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- McAfee IDS signature writing senatorfrog (Aug 24)
- Re: McAfee IDS signature writing Vijay K (Aug 27)
- <Possible follow-ups>
- Re: McAfee IDS signature writing krymson (Aug 24)
- Message not available
- Re: McAfee IDS signature writing Mark Senior (Aug 27)
- Message not available
- Re: McAfee IDS signature writing Vijay K (Aug 27)
- Re: McAfee IDS signature writing Vijay K (Aug 27)