Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: McAfee IDS signature writing

from [Mark Senior] Network Security [Permanent Link]
Subject: Re: McAfee IDS signature writing
Date: Wed, 5 Sep 2007 17:18:44 -0600 
Hello once more

Thought I'd write back with the status.

Thanks very much to Joseph Pressnell and Scott Dexter, I've got a
signature that looks only in scripts

When adding the pattern in the UDS editor, I had been using

string pattern match > http > rsp-message-body > TEXT

Now that my signature uses

string pattern match > http > rsp-block > script

it seems to be correctly ignoring javascript when it's in the body of
a document, but flagging it when it's between script tags.

For some reason, the signature shows the 'source' and 'destination'
the other way around from what I'd expect ('source' is the client,
where browser attack alerts usually show 'source' as the web server).
But, it works, which leaves me feeling more confident about writing
IPS sigs in future.

Regards
Mark


On 8/27/07, Mark Senior <senatorfrog@gmail.com> wrote:

Hello all

Thanks to everyone for the many responses I got.

I should perhaps have given a bit more information - I am using a UDS
for this; So far I have a signature that looks in HTTP responses,
looking in text files only (as far as I can tell, TEXT/HTML,
TEXT/Javascript, TEXT/Plain, etc.), for a Javascript snippet.

However, the signature has a few hiccups which I'm trying to work out.

I now have a case open with McAfee on this - I hadn't realized that
McAfee would offer assistance in this case.

Regards
Mark

On 8/26/07, Soumen Paul wrote:

Hello Mark

What I feel , you are trying to write signature for McAfee Intrushield IPS.
Are you trying for User Defined Signature ? McAfee says it UDS. If yes ,
then there is an UDS editor available for in the McAfee IPS Manager (ISM) .
Check knowledge base of McAfee IPS and check how to write UDS. There are
wonderfull documents kept there.
Also if you are using ISM version 4.1 or atleast 3.x then the UDS editor is
quite flexible.
But if you are using ISM version 2.x or something prior to 3.x then the
flexibility would be very very less.
Apart from this , you can contact McAfee Support for getting help on UDS.
Officially McAfee does not support it. But if you are a platinum customer
and if your business impact is high , then they might help you on this.
The new ISM 4.1 has more flexibility for HTTP Response recognition - I cant
confirm though.. need to check..

Hope this helps..

Regards
Soumen Paul

On 24 Aug 2007 18:07:50 -0000, krymson@gmail.com <krymson@gmail.com> wrote:

I wish I had an answer for you, but I'm in the same boat as far as trying

to figure out McAfee IDS/IPS rules. I wish you could view their rules to see
how they make em.



Anyway, I wanted to just post that any responses can be directed to the

list (if there are any) rather than just to Mark, and at least I would
benefit as well! :)




<- snip ->

Does anyone have any experience with writing signatures for McAfee IPS

systems? It's a bit frustrating compared to a system like Snort, because the
vendor-supplied sigs are "secret sauce". I can't just look in there for
examples similar to what I'm trying to achieve.



What I'm after in this case should in principle be relatively simple - I

want to catch certain function calls in an HTTP response, but only in the
context of a javascript block. I'd like to avoid tripping the signatures if
the same strings come up in the regular text of a page, e.g. a in a mailing
list posting describing an IDS signature or a browser vulnerability...



Regards


Mark


PS - kindly cc me on replies, as I'm not subscribed to the list



------------------------------------------------------------------------

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to

http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw

to learn more.


------------------------------------------------------------------------










------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
 
to learn more.
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Re: McAfee IDS signature writing, Mark Senior <=
Previous by Date:  Re: Karalon test report on Snort, Abhishek Bhuyan
Next by Date:  Re: Re: Karalon test report on Snort, jason
Previous by Thread:  IDS Incident Escalation Procedure, jimmy wong
Next by Thread:  Intrusion Detection books, setesh
Indexes:  [Date] [Thread] [Top] [All Lists]