Re: McAfee IDS signature writing

Hello once more

Thought I'd write back with the status.

Thanks very much to Joseph Pressnell and Scott Dexter, I've got a
signature that looks only in scripts

When adding the pattern in the UDS editor, I had been using

string pattern match > http > rsp-message-body > TEXT

Now that my signature uses

string pattern match > http > rsp-block > script

it seems to be correctly ignoring javascript when it's in the body of
a document, but flagging it when it's between script tags.

For some reason, the signature shows the 'source' and 'destination'
the other way around from what I'd expect ('source' is the client,
where browser attack alerts usually show 'source' as the web server).
But, it works, which leaves me feeling more confident about writing
IPS sigs in future.

Regards
Mark


On 8/27/07, Mark Senior <senatorfrog@xxxxxxxxx> wrote:
Hello all

Thanks to everyone for the many responses I got.

I should perhaps have given a bit more information - I am using a UDS
for this; So far I have a signature that looks in HTTP responses,
looking in text files only (as far as I can tell, TEXT/HTML,
TEXT/Javascript, TEXT/Plain, etc.), for a Javascript snippet.

However, the signature has a few hiccups which I'm trying to work out.

I now have a case open with McAfee on this - I hadn't realized that
McAfee would offer assistance in this case.

Regards
Mark

On 8/26/07, Soumen Paul wrote:
Hello Mark

What I feel , you are trying to write signature for McAfee Intrushield IPS.
Are you trying for User Defined Signature ? McAfee says it UDS. If yes ,
then there is an UDS editor available for in the McAfee IPS Manager (ISM) .
Check knowledge base of McAfee IPS and check how to write UDS. There are
wonderfull documents kept there.
Also if you are using ISM version 4.1 or atleast 3.x then the UDS editor is
quite flexible.
But if you are using ISM version 2.x or something prior to 3.x then the
flexibility would be very very less.
Apart from this , you can contact McAfee Support for getting help on UDS.
Officially McAfee does not support it. But if you are a platinum customer
and if your business impact is high , then they might help you on this.
The new ISM 4.1 has more flexibility for HTTP Response recognition - I cant
confirm though.. need to check..

Hope this helps..

Regards
Soumen Paul

On 24 Aug 2007 18:07:50 -0000, krymson@xxxxxxxxx <krymson@xxxxxxxxx> wrote:
I wish I had an answer for you, but I'm in the same boat as far as trying
to figure out McAfee IDS/IPS rules. I wish you could view their rules to see
how they make em.


Anyway, I wanted to just post that any responses can be directed to the
list (if there are any) rather than just to Mark, and at least I would
benefit as well! :)



<- snip ->

Does anyone have any experience with writing signatures for McAfee IPS
systems? It's a bit frustrating compared to a system like Snort, because the
vendor-supplied sigs are "secret sauce". I can't just look in there for
examples similar to what I'm trying to achieve.


What I'm after in this case should in principle be relatively simple - I
want to catch certain function calls in an HTTP response, but only in the
context of a javascript block. I'd like to avoid tripping the signatures if
the same strings come up in the regular text of a page, e.g. a in a mailing
list posting describing an IDS signature or a browser vulnerability...


Regards


Mark


PS - kindly cc me on replies, as I'm not subscribed to the list


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.

------------------------------------------------------------------------






------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

Relevant Pages

  • Re: McAfee IDS signature writing
    ... I should perhaps have given a bit more information - I am using a UDS ... the signature has a few hiccups which I'm trying to work out. ... McAfee would offer assistance in this case. ... The new ISM 4.1 has more flexibility for HTTP Response recognition - I cant ...
    (Focus-IDS)
  • Re: WMF Windows security flaw - change your browser
    ... or McAfee have had the chance to identify it and distribute a signature for it. ... Since these viruses, unlike nearly all others, can infect a machine without any overt action on the part of the user, it is possible that they will propagate much more quickly than others have. ... So while keeping your virus definition file up to date is a very good idea, it is far from a complete solution. ...
    (rec.audio.pro)
  • Re: "tibprxy" Process?
    ... McAfee now recognizes this as; "Generic Downloader" ... It's signature will be released in the full DAT in either v4573 or v4574. ...
    (microsoft.public.windowsxp.security_admin)
Quantcast