Hello all

Thanks to everyone for the many responses I got.

I should perhaps have given a bit more information - I am using a UDS for this; so far I have a signature that looks in HTTP responses, looking in text files only (as far as I can tell, TEXT/HTML, TEXT/Javascript, TEXT/Plain, etc.), for a Javascript snippet. However, the signature has a few hiccups which I'm trying to work out.

I now have a case open with McAfee on this - I hadn't realized that McAfee would offer assistance in this case.

Regards

Mark

On 8/26/07, Soumen Paul wrote:
> Hello Mark
>
> What I feel, you are trying to write signature for McAfee Intrushield IPS.
> Are you trying for User Defined Signature? McAfee says it UDS. If yes,
> then there is a UDS editor available in the McAfee IPS Manager (ISM).
> Check knowledge base of McAfee IPS and check how to write UDS. There are
> wonderful documents kept there.
> Also if you are using ISM version 4.1 or at least 3.x then the UDS editor is
> quite flexible.
> But if you are using ISM version 2.x or something prior to 3.x then the
> flexibility would be very very less.
> Apart from this, you can contact McAfee Support for getting help on UDS.
> Officially McAfee does not support it. But if you are a platinum customer
> and if your business impact is high, then they might help you on this.
> The new ISM 4.1 has more flexibility for HTTP Response recognition - I can't
> confirm though.. need to check..
>
> Hope this helps..
>
> Regards
> Soumen Paul
>
> On 24 Aug 2007 18:07:50 -0000, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > I wish I had an answer for you, but I'm in the same boat as far as trying
> > to figure out McAfee IDS/IPS rules. I wish you could view their rules to see
> > how they make em.
> >
> > Anyway, I wanted to just post that any responses can be directed to the
> > list (if there are any) rather than just to Mark, and at least I would
> > benefit as well! :)
> >
> > <- snip ->
> >
> > Does anyone have any experience with writing signatures for McAfee IPS
> > systems? It's a bit frustrating compared to a system like Snort, because the
> > vendor-supplied sigs are "secret sauce". I can't just look in there for
> > examples similar to what I'm trying to achieve.
> >
> > What I'm after in this case should in principle be relatively simple - I
> > want to catch certain function calls in an HTTP response, but only in the
> > context of a javascript block. I'd like to avoid tripping the signatures if
> > the same strings come up in the regular text of a page, e.g. in a mailing
> > list posting describing an IDS signature or a browser vulnerability...
> >
> > Regards
> >
> > Mark
> >
> > PS - kindly cc me on replies, as I'm not subscribed to the list
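
The context-sensitive matching asked about in this thread, sketched in Python as an added example; it is not part of any of the posts and is not McAfee UDS syntax. The watched function names and the sample pages are hypothetical and constructed, since the thread does not name the real ones. It reports a call only when it appears in script context (a `<script>` block, an inline `on*` handler, or a JavaScript response body) and ignores the same string in ordinary page text.

```python
import re
from html.parser import HTMLParser

# Hypothetical function names to watch for; the thread does not name the real ones.
WATCHED_CALLS = ("suspectCall", "otherSuspectCall")
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, WATCHED_CALLS)) + r")\s*\(")
JS_TYPES = {"text/javascript", "application/javascript", "application/x-javascript"}

class ScriptCollector(HTMLParser):
    """Collects only the text a browser would treat as script."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script, self.parts = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        # Inline event handlers (onclick=..., onload=...) are script context too.
        self.parts += [v for k, v in attrs if k.startswith("on") and v]

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.parts.append(data)

def match_calls(content_type, body):
    """Return the sorted watched call names found in script context of a response body."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type in JS_TYPES:
        script = body                      # the whole body is script
    elif media_type == "text/html":
        collector = ScriptCollector()
        collector.feed(body)
        collector.close()
        script = "\n".join(collector.parts)
    else:
        return []                          # text/plain etc.: no script context at all
    return sorted(set(CALL_RE.findall(script)))

# Constructed samples: a list posting that only mentions the call, and a page that runs it.
SAMPLE_POST = "<html><body><pre>My sig looks for suspectCall( in responses</pre></body></html>"
SAMPLE_PAGE = "<html><body><p>suspectCall( explained</p><script>var a = 1 < 2; suspectCall(a);</script></body></html>"
if __name__ == "__main__":
    print(match_calls("text/html", SAMPLE_POST))
    print(match_calls("text/html; charset=utf-8", SAMPLE_PAGE))
```

A byte-pattern signature on an inline sensor can only approximate this, because it has to decide script context without parsing the whole document.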
