Hello once more
Thought I'd write back with the status.
Thanks very much to Joseph Pressnell and Scott Dexter, I've got a
signature that looks only in scripts
When adding the pattern in the UDS editor, I had been using
string pattern match > http > rsp-message-body > TEXT
Now that my signature uses
string pattern match > http > rsp-block > script
it seems to be correctly ignoring javascript when it's in the body of
a document, but flagging it when it's between script tags.
For some reason, the signature shows the 'source' and 'destination'
the other way around from what I'd expect ('source' is the client,
where browser attack alerts usually show 'source' as the web server).
But, it works, which leaves me feeling more confident about writing
IPS sigs in future.
Regards
Mark
On 8/27/07, Mark Senior <[EMAIL PROTECTED]> wrote:
> Hello all
>
> Thanks to everyone for the many responses I got.
>
> I should perhaps have given a bit more information - I am using a UDS
> for this; So far I have a signature that looks in HTTP responses,
> looking in text files only (as far as I can tell, TEXT/HTML,
> TEXT/Javascript, TEXT/Plain, etc.), for a Javascript snippet.
>
> However, the signature has a few hiccups which I'm trying to work out.
>
> I now have a case open with McAfee on this - I hadn't realized that
> McAfee would offer assistance in this case.
>
> Regards
> Mark
>
> On 8/26/07, Soumen Paul wrote:
> > Hello Mark
> >
> > What I feel , you are trying to write signature for McAfee Intrushield IPS.
> > Are you trying for User Defined Signature ? McAfee says it UDS. If yes ,
> > then there is an UDS editor available for in the McAfee IPS Manager (ISM) .
> > Check knowledge base of McAfee IPS and check how to write UDS. There are
> > wonderfull documents kept there.
> > Also if you are using ISM version 4.1 or atleast 3.x then the UDS editor is
> > quite flexible.
> > But if you are using ISM version 2.x or something prior to 3.x then the
> > flexibility would be very very less.
> > Apart from this , you can contact McAfee Support for getting help on UDS.
> > Officially McAfee does not support it. But if you are a platinum customer
> > and if your business impact is high , then they might help you on this.
> > The new ISM 4.1 has more flexibility for HTTP Response recognition - I cant
> > confirm though.. need to check..
> >
> > Hope this helps..
> >
> > Regards
> > Soumen Paul
> >
> > On 24 Aug 2007 18:07:50 -0000, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > I wish I had an answer for you, but I'm in the same boat as far as trying
> > to figure out McAfee IDS/IPS rules. I wish you could view their rules to see
> > how they make em.
> > >
> > >
> > > Anyway, I wanted to just post that any responses can be directed to the
> > list (if there are any) rather than just to Mark, and at least I would
> > benefit as well! :)
> > >
> > >
> > >
> > > <- snip ->
> > >
> > > Does anyone have any experience with writing signatures for McAfee IPS
> > systems? It's a bit frustrating compared to a system like Snort, because the
> > vendor-supplied sigs are "secret sauce". I can't just look in there for
> > examples similar to what I'm trying to achieve.
> > >
> > >
> > > What I'm after in this case should in principle be relatively simple - I
> > want to catch certain function calls in an HTTP response, but only in the
> > context of a javascript block. I'd like to avoid tripping the signatures if
> > the same strings come up in the regular text of a page, e.g. a in a mailing
> > list posting describing an IDS signature or a browser vulnerability...
> > >
> > >
> > > Regards
> > >
> > >
> > > Mark
> > >
> > >
> > > PS - kindly cc me on replies, as I'm not subscribed to the list
> > >
> > >
> > ------------------------------------------------------------------------
> > > Test Your IDS
> > >
> > > Is your IDS deployed correctly?
> > > Find out quickly and easily by testing it
> > > with real-world attacks from CORE IMPACT.
> > > Go to
> > http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> > > to learn more.
> > >
> > ------------------------------------------------------------------------
> > >
> > >
> >
> >
>
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
