I need help with this question:
I have to create an IPS signature in my NSP IPS environment, NSM 8.1.
The signature must take control of the "user-agent" that I have to inspect and possibly block.
How can I build it as a custom one? Do you have a few examples that I can import?

Have a look at the IPS Policy/default, search for "HTTP: Malicious User Agent Detected" and have a look at the description.
You will see that "http-req-user-agent-header matches" XXX is the field you want to focus on. Make sure you select HTTP as the protocol matching criteria.

Many thanks. I have the default policy as "Default Prevention" and I don't have the signature "HTTP: Malicious User Agent Detected".
I solved it with a "snort" rule, but it would be great if I could create a rule in McAfee format.
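
Added example, not part of the thread and not McAfee or Snort signature syntax: a Python sketch of why the match is written against the User-Agent header field of an HTTP request rather than against raw packet bytes. The function names, the blocklist patterns and the sample requests are all constructed for illustration.

```python
import re

# Hypothetical blocklist; the agent names are constructed for this example.
BLOCKED_AGENTS = [re.compile(p, re.IGNORECASE)
                  for p in (r"^ExampleScanner/", r"\bbadbot\b")]

def user_agent(raw: bytes):
    """Return the User-Agent value of one raw HTTP/1.x request, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0]                # never look inside the body
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.lower() == "user-agent":       # header names are case-insensitive
            return value.strip()                       # space after ':' is optional
    return None

def verdict(raw: bytes) -> str:
    """Field-based decision: block, allow, or no-user-agent."""
    ua = user_agent(raw)
    if ua is None:
        return "no-user-agent"
    return "block" if any(p.search(ua) for p in BLOCKED_AGENTS) else "allow"

def naive_match(raw: bytes) -> bool:
    """Raw byte search, shown only for contrast with the field-based check."""
    return b"User-Agent: ExampleScanner/" in raw

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain": b"GET / HTTP/1.1\r\nHost: example.test\r\n"
             b"User-Agent: ExampleScanner/1.0\r\n\r\n",
    "lowercase_no_space": b"GET / HTTP/1.1\r\nhost: example.test\r\n"
                          b"user-agent:examplescanner/2.3\r\n\r\n",
    "browser": b"GET / HTTP/1.1\r\nHost: example.test\r\n"
               b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n",
    "in_body_only": b"POST /f HTTP/1.1\r\nHost: example.test\r\n"
                    b"Content-Length: 30\r\n\r\nUser-Agent: ExampleScanner/1.0",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:20} field={verdict(request):14} raw={naive_match(request)}")
```

The raw byte search misses the lowercase header written without a space and fires on text that only appears in a POST body; the field-based check handles both.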