FYI...
To set thresholds especially on IPS, plenty of
probability/bayesian/other models math might be
involved to get a baseline. one of the reasons, the
more trial data one has the better IPS gets. Its kinda
like spam filters. Then the identification of origin
IP addresses in identifying spoofed IP addresses,
patterns that match hostile potential rogue packets.
Its a world by itself needs in-depth research. Most
companies spend substantial R&D effort.
For how its implemented with examples, honeypot/snort.
Not an implementation expert. Cant help you there :)
Best Regards,
Vijay Kakumanu
--- krymson@gmail.com wrote:
I wish I had an answer for you, but I'm in the same
boat as far as trying to figure out McAfee IDS/IPS
rules. I wish you could view their rules to see how
they make em.
Anyway, I wanted to just post that any responses can
be directed to the list (if there are any) rather
than just to Mark, and at least I would benefit as
well! :)
<- snip ->
Does anyone have any experience with writing
signatures for McAfee IPS systems? It's a bit
frustrating compared to a system like Snort, because
the vendor-supplied sigs are "secret sauce". I can't
just look in there for examples similar to what I'm
trying to achieve.
What I'm after in this case should in principle be
relatively simple - I want to catch certain function
calls in an HTTP response, but only in the context
of a javascript block. I'd like to avoid tripping
the signatures if the same strings come up in the
regular text of a page, e.g. a in a mailing list
posting describing an IDS signature or a browser
vulnerability...
Regards
Mark
PS - kindly cc me on replies, as I'm not subscribed
to the list
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
____________________________________________________________________________________
Fussy? Opinionated? Impossible to please? Perfect. Join Yahoo!'s user panel
and lay it on us. http://surveylink.yahoo.com/gmrs/yahoo_panel_invite.asp?a=7
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
