After my previous email I had a good dig around in the HIP client log files for more info. I came across a file called shield_db.txt which shows you a TCL output of all the IPS signatures. This is extremely useful for two reasons:
One, it shows you all the classes used by IPS, including the undocumented SQL class. It also shows you additional directives or class operations. For example, the documentation only references the isapi:request directive, where there is actually an additional isapi:requrl directive.
Two, it shows you when you should expect a trigger to fire. Have a look at the SQL signatures, as you will notice some client_agent exclusions. This is key if, like me, you expected to be protected by the default signatures.
I'm still finding my feet with this product, so hearing from anybody out there with any experience would be very useful.
I would be extremely keen to hear from anybody using regexp. The TCL code supports the command, but I'm not sure which variables I can pass.
I am just beginning to work with custom signatures and would like to review the file you mentioned that contains the TCL for all the signatures. However, I cannot find this file on my system. Does anyone know if this file has been renamed or if there is another place to view the code for McAfee signatures?