Re: [Full-disclosure] VML Exploit vs. AV/IPS/IDS signatures



Hi Aviv/Pukhraj & others:
As a security professional and researchers, our aim is to provide
more in-depth information on intrusion (security) aspects, for
example, some virus out-break, new windows vulnerability etc. Aviv is
right by saying that signatures should match the vulnerability, not
the exploits. Signature writing is a very responsible task and, of
course, technical too. But unfortunately, there are not many people,
who have required knowledge ( i m talking in context to india). but
companies need people with the requirement of writing signatures. So,
in this process, so called security professional start looking at
exploits and write signatures (just to mention, I have seen few snort
signatures that match "Shellcode part"!!!) . As Pukharaj mentioned
that there are not many variants found in the wild, such signatures
work and company and hired-security-professionals are happy. I have
heard ( I am not sure whether it is really true) that few products (I
don't even know the name!!) are simply dependent on open sources
(like Snort or bleeding snort or nessus!!!!) for signatures. To
overcome this (pathetic) situation, the solution, being suggested by
Pukhraj makes sense i.e. collect as much exploits as possible and
then try to analyze them and write signature. Here I want to add one
thing that once we have a number of exploits, we should, at least
now, try to understand the vulnerability based on the information
present in all the exploits and try to come out with a common
signature (or a common set of signatures).

regards
-Sanjay

At 11:07 AM 9/28/2006, Pukhraj Singh wrote:
And you tell me how many of these variants you will actually find in
the wild. Won't be a significant number I bet.

Cheers!
Pukhraj

On 9/27/06, avivra <avivra@xxxxxxxxx> wrote:
Hi,

i.e. I can't afford to buy "specialized" security tools/devices for
"speclialized" attacks unless my company relies heavily on web/content
services.

So, you will buy "specialized" security tools like firewall or
Anti-Virus, but not web content filtering tool?

In our company, we established a information-sharing
network with other security companies. So the real-time exploit-facing
signatures were then subjected to live traffic, honeypots and countless
variants; They seemed to work out pretty well.

I would like to see how your real-time signatures get updated with the
randomization implemented in the new VML metasploit module. Your
"countless" exploit variants will become really innumerable.

The problem is that the signatures are written for the exploit, and
not for the vulnerability.

-- Aviv.


Sanjay Rawat
Security Research Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 424
Website : www.intoto.com
Homepage: http://sanjay-rawat.tripod.com
Computer Security: A little delay to break into your network.
-- DSR




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: [Full-disclosure] VML Exploit vs. AV/IPS/IDS signatures
    ... As a security professional and researchers, our aim is to provide more in-depth information on intrusion aspects, for example, some virus out-break, new windows vulnerability etc. Aviv is right by saying that signatures should match the vulnerability, not the exploits. ... but companies need people with the requirement of writing signatures. ... As Pukharaj mentioned that there are not many variants found in the wild, such signatures work and company and hired-security-professionals are happy. ...
    (Bugtraq)
  • [REVS] SQL Injection Signatures Evasion
    ... Get your security news from a reliable source. ... With the rise in SQL Injection attacks, ... Most of this protection, however is Signature based. ... it has lately become a common belief that signatures are indeed ...
    (Securiteam)
  • RE: Specification-based Anomaly Detection
    ... >>shortcomings of signatures, it has to be considered seriously. ... the significance of zero day attacks is way ... "PhpInclude" and Santy, its predecessor, are application layer attacks. ... first worm to exploit a OWASP top 10 security problem and not a specific ...
    (Focus-IDS)
  • Reminder notice about FreeBSD Security Advisories
    ... This is a reminder notice that all FreeBSD Security Advisories are ... A copy of the public key containing more signatures may be retrieved ... The PGP signature should be verified on all FreeBSD Security ...
    (FreeBSD-Security)
  • Re: [Full-disclosure] VML Exploit vs. AV/IPS/IDS signatures
    ... like Snort or bleeding snort or nessus!!!!) ... signature (or a common set of signatures). ... As a security professional and researchers, ... example, some virus out-break, new windows vulnerability etc. Aviv is ...
    (Full-Disclosure)