May not be of much help. I dont work in security
companies. Just FYI
By far snort is the well known standard. Not sure if
any company would disclose their "secret sauce" openly
unless they comply to some open industry standards.
wildlist.org, cve.mitre.com are some of the other
standards out there. Normally all the files are
baselined as per the timestamp, size of the file so
any changes would result in an alert.
Again, rules at a higher level depends on whether this
solution is targeted towards a central server based
enterprise approach or host solution.
enterprise rules may include device management,
quarantine options, patch management, group management
similar to active directory, access controls,
priorities to access intranet files and folders.
IPS signatures may also include distributed denial of
service which some firms such as tipping point have
mastered filtering tcp/ip packets. each behaviorial
condition is a signature (eg: origin validation, virus
string matches/comparisons etc) and significant
research prototypes are built before setting threshold
levels to avoid false positives.
McAfee also posts beta enterprise versions to get user
enterprise feedback. You could attempt signing up to
get a copy as well.
Regards,
Vijay Kakumanu
--- krymson@gmail.com wrote:
I wish I had an answer for you, but I'm in the same
boat as far as trying to figure out McAfee IDS/IPS
rules. I wish you could view their rules to see how
they make em.
Anyway, I wanted to just post that any responses can
be directed to the list (if there are any) rather
than just to Mark, and at least I would benefit as
well! :)
<- snip ->
Does anyone have any experience with writing
signatures for McAfee IPS systems? It's a bit
frustrating compared to a system like Snort, because
the vendor-supplied sigs are "secret sauce". I can't
just look in there for examples similar to what I'm
trying to achieve.
What I'm after in this case should in principle be
relatively simple - I want to catch certain function
calls in an HTTP response, but only in the context
of a javascript block. I'd like to avoid tripping
the signatures if the same strings come up in the
regular text of a page, e.g. a in a mailing list
posting describing an IDS signature or a browser
vulnerability...
Regards
Mark
PS - kindly cc me on replies, as I'm not subscribed
to the list
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
____________________________________________________________________________________Ready
for the edge of your seat?
Check out tonight's top picks on Yahoo! TV.
http://tv.yahoo.com/
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
