FYI... To set thresholds especially on IPS, plenty of probability/bayesian/other models math might be involved to get a baseline. one of the reasons, the more trial data one has the better IPS gets. Its kinda like spam filters. Then the identification of origin IP addresses in identifying spoofed IP addresses, patterns that match hostile potential rogue packets. Its a world by itself needs in-depth research. Most companies spend substantial R&D effort.
For how its implemented with examples, honeypot/snort. Not an implementation expert. Cant help you there :) Best Regards, Vijay Kakumanu --- [EMAIL PROTECTED] wrote: > I wish I had an answer for you, but I'm in the same > boat as far as trying to figure out McAfee IDS/IPS > rules. I wish you could view their rules to see how > they make em. > > Anyway, I wanted to just post that any responses can > be directed to the list (if there are any) rather > than just to Mark, and at least I would benefit as > well! :) > > > <- snip -> > Does anyone have any experience with writing > signatures for McAfee IPS systems? It's a bit > frustrating compared to a system like Snort, because > the vendor-supplied sigs are "secret sauce". I can't > just look in there for examples similar to what I'm > trying to achieve. > > What I'm after in this case should in principle be > relatively simple - I want to catch certain function > calls in an HTTP response, but only in the context > of a javascript block. I'd like to avoid tripping > the signatures if the same strings come up in the > regular text of a page, e.g. a in a mailing list > posting describing an IDS signature or a browser > vulnerability... > > Regards > > Mark > > PS - kindly cc me on replies, as I'm not subscribed > to the list > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it > with real-world attacks from CORE IMPACT. > Go to > http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw > > to learn more. > ------------------------------------------------------------------------ > > ____________________________________________________________________________________ Fussy? Opinionated? Impossible to please? Perfect. Join Yahoo!'s user panel and lay it on us. http://surveylink.yahoo.com/gmrs/yahoo_panel_invite.asp?a=7 ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
