Have a look at the IPS Policy/default, search for "HTTP: Malicious User Agent Detected" and have a look at the description.
You will see the "http-req-user-agent-header matches" XXX is the field you want to focus on - make sure you select HTTP as the protocol matching criteria.
many tnx. I have the default policy as "Default Prevention"and i don't have signature "HTTP: Malicious User Agent Detected".
I solved it with a "snort" rule but it would be great if I could create a rule in McAfee format.