May not be of much help. I dont work in security companies. Just FYI By far snort is the well known standard. Not sure if any company would disclose their "secret sauce" openly unless they comply to some open industry standards. wildlist.org, cve.mitre.com are some of the other standards out there. Normally all the files are baselined as per the timestamp, size of the file so any changes would result in an alert.
Again, rules at a higher level depends on whether this solution is targeted towards a central server based enterprise approach or host solution. enterprise rules may include device management, quarantine options, patch management, group management similar to active directory, access controls, priorities to access intranet files and folders. IPS signatures may also include distributed denial of service which some firms such as tipping point have mastered filtering tcp/ip packets. each behaviorial condition is a signature (eg: origin validation, virus string matches/comparisons etc) and significant research prototypes are built before setting threshold levels to avoid false positives. McAfee also posts beta enterprise versions to get user enterprise feedback. You could attempt signing up to get a copy as well. Regards, Vijay Kakumanu --- [EMAIL PROTECTED] wrote: > I wish I had an answer for you, but I'm in the same > boat as far as trying to figure out McAfee IDS/IPS > rules. I wish you could view their rules to see how > they make em. > > Anyway, I wanted to just post that any responses can > be directed to the list (if there are any) rather > than just to Mark, and at least I would benefit as > well! :) > > > <- snip -> > Does anyone have any experience with writing > signatures for McAfee IPS systems? It's a bit > frustrating compared to a system like Snort, because > the vendor-supplied sigs are "secret sauce". I can't > just look in there for examples similar to what I'm > trying to achieve. > > What I'm after in this case should in principle be > relatively simple - I want to catch certain function > calls in an HTTP response, but only in the context > of a javascript block. I'd like to avoid tripping > the signatures if the same strings come up in the > regular text of a page, e.g. a in a mailing list > posting describing an IDS signature or a browser > vulnerability... > > Regards > > Mark > > PS - kindly cc me on replies, as I'm not subscribed > to the list > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it > with real-world attacks from CORE IMPACT. > Go to > http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw > > to learn more. > ------------------------------------------------------------------------ > > ____________________________________________________________________________________Ready for the edge of your seat? Check out tonight's top picks on Yahoo! TV. http://tv.yahoo.com/ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
