Value of "richer" signatures?

From: Ken Arora (kenarora@olympus-mons.net)
Date: 06/20/02

• Previous message: counter.spy@gmx.de: "IDS Project"
• Next in thread: Vitaly Osipov: "Re: Value of "richer" signatures?"
• Reply: Vitaly Osipov: "Re: Value of "richer" signatures?"
• Reply: Robert Graham: "Re: Value of "richer" signatures?"
• Reply: Stephen P. Berry: "Re: Value of "richer" signatures?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: 20 Jun 2002 19:09:28 -0000
From: Ken Arora <kenarora@olympus-mons.net>
To: focus-ids@securityfocus.com

('binary' encoding is not supported, stored as-is)

Hi,

  I'm just getting to learn about the IDS space, and have looked at some
the exploits and Snort/Arachnid signatures to identify them. While I was
researching, I was slightly surprised to see that most of the IDS's out
there used simple string matches for signatures (at least in the payload)
There were a few efforts to try and handle more complex signatures (some
companies talk of "regular expression" level of signatures).

I wanted to find out if you (especially those of you who come up with such
signatures) thought that such sophisticated signature vocabularies were
useful/worth pursuing? Looking at some of the exploits, I can see where
finding a string "in context" (context might be "these two string on the
same line" or "this string in the context of a GIF comment field" or ...)
might be useful, at least to eliminate false positives, maybe as the only
way of dealing with more subtle attacks?

If more of the IDS software out there could do this, would we see more
advanced signatures? (is this just a chicken-and-egg problem?) How
useful would they be, in the real world?

Thanks!
--ken

---

• Previous message: counter.spy@gmx.de: "IDS Project"
• Next in thread: Vitaly Osipov: "Re: Value of "richer" signatures?"
• Reply: Vitaly Osipov: "Re: Value of "richer" signatures?"
• Reply: Robert Graham: "Re: Value of "richer" signatures?"
• Reply: Stephen P. Berry: "Re: Value of "richer" signatures?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: How can I insert the default Outlook signature into a document ... Instead of assuming that the signatures will be on drive C: ... ByVal lpUserName As String, ... 'Buffer size for the return string. ... (microsoft.public.word.vba.general) Re: How good is PERL at searching ASCII files? ... The key elements being the string CONVERT, ... parens in quotes will *not* be ignored as they should. ... Please don't top-post and please don't quote signatures (top-posting ... function in 'perldoc -f open'. ... (comp.lang.perl.misc) Re: difference between method overridding and method over loading ... Overloading is the technique of defining the same method with different ... signatures, such as one version which takes a string as a parameter, another ... which takes a string and a bool, and another which takes an integer. ... If the base class method or property is not virtual, ... (microsoft.public.dotnet.languages.csharp) Re: How can I insert the default Outlook signature into a document ... The signatures are located in the following folder: ... ByVal lpUserName As String, ... I have yet to try non-WordMail signatures though. ... (microsoft.public.word.vba.general) Re: How can I insert the default Outlook signature into a document ... Instead of assuming that the signatures will be on drive C: ... I'm using the APPDATA environment variable. ... ByVal lpUserName As String, ... (microsoft.public.word.vba.general)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > focus-ids  > 2002-06