Re: Vulnerability vs. Exploit signatures and IPS??

Matt.Carpenter_at_alticor.com
Date: 05/18/05

    To: jctx09@yahoo.com
    Date: Wed, 18 May 2005 14:00:16 -0400

    The vulnerabilities often can take many shapes, with arbitrary selections
    which "work" but are not mandated.
    Exploits like those found in worms and hacker tools will have a particular
    signature. Since other code can exploit the same vulnerability but look
    different on the wire, each exploit requires its own signature.

    Signatures based on exploits must first have known exploits to identify,
    making them a strictly reactive defense.

    Signatures based on the vulnerabilities only require intimate knowledge of
    the vulnerabilities. They can be developed prior to any known exploits,
    allowing them to be proactive. This method, done well, is likely to pick
    up exploits before they are publicly available. Unfortunately, due to the
    increased vagueness of the signature, this method can also lead to more
    false positives unless the sig developer has intimate knowledge of the
    protocol as well. More knowledge is required; often more value is
    delivered.

     
    Matthew Carpenter
    IT Security Specialist
    Alticor Corporation
    Phone: 616-787-0287
    Email: matt.carpenter@alticor.com
    Page Me (230 characters Max)
    Email ITSS On-Call Account

    -----BEGIN PGP PUBLIC KEY FINGERPRINT-----
    PGP Fingerprint: 52C3 328D C29C 178B 2DFD 9EA8 C710 0042 8CB4 3CDB
    -----END PGP PUBLIC KEY FINGERPRINT-----

    Jacob Winston <jctx09@yahoo.com>
    16/05/2005 22:57

    To
    focus-ids@securityfocus.com
    cc

    Subject
    Vulnerability vs. Exploit signatures and IPS??

    Can someone explain to me the difference in writing signatures based on
    Vulnerabilities versus writing signatures based on Exploits? TippingPoint
    makes a claim that their IPS is better because they write signatures based
    on Vulnerabilities and not exploits. I don't quite understand this.

    Thank you,

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    --------------------------------------------------------------------------
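    To make the distinction in the reply above concrete, here is a small added
    example (not code from the thread or from any IPS vendor). It assumes a
    hypothetical line-based protocol with a `LOGIN <username>` command and a
    server that copies the username into a 64-byte buffer; the sample traffic is
    constructed. It shows three detectors: an exploit signature that matches the
    bytes of one known exploit, a naive vulnerability signature that knows the
    flaw but not the protocol, and a protocol-aware vulnerability signature.

```python
import re

# Hypothetical buffer limit of the vulnerable server (assumption for the demo).
MAX_USERNAME = 64

# Exploit-based signature: matches the specific byte pattern one known exploit
# happens to use (a run of 0x90 bytes followed by a marker string). A rewritten
# exploit that triggers the same flaw with different bytes will not match.
EXPLOIT_SIG = re.compile(rb"LOGIN \x90{16,}EXPL0IT")


def exploit_signature(msg: bytes) -> bool:
    """Fire only on the byte pattern of the one exploit we have already seen."""
    return EXPLOIT_SIG.search(msg) is not None


def naive_vuln_signature(msg: bytes) -> bool:
    """Knows the flaw (an over-long argument) but not the protocol.

    Fires on any long request, so legitimate long commands become false
    positives; this is the vagueness the reply warns about."""
    return len(msg.rstrip(b"\r\n")) > MAX_USERNAME


def vuln_signature(msg: bytes) -> bool:
    """Parse the protocol first, then test the vulnerable condition.

    Only a LOGIN command whose argument exceeds the buffer can trigger the
    flaw, so only that case is reported."""
    parts = msg.rstrip(b"\r\n").split(b" ", 1)
    if len(parts) != 2 or parts[0] != b"LOGIN":
        return False
    return len(parts[1]) > MAX_USERNAME


# Constructed sample traffic: (label, bytes on the wire, is_attack).
SAMPLES = [
    ("benign login", b"LOGIN alice\r\n", False),
    # A long but legitimate request on a different command.
    ("benign long search", b"SEARCH " + b"a" * 100 + b"\r\n", False),
    # The known exploit: overflows the buffer with the pattern the sig knows.
    ("known exploit", b"LOGIN " + b"\x90" * 32 + b"EXPL0IT" + b"A" * 40 + b"\r\n", True),
    # A variant exploit: same flaw, entirely different bytes.
    ("variant exploit", b"LOGIN " + b"B" * 100 + b"\r\n", True),
]


def score(detector):
    """Return (attacks detected, false positives) for a detector over SAMPLES."""
    detected = sum(1 for _, msg, is_attack in SAMPLES if is_attack and detector(msg))
    false_pos = sum(1 for _, msg, is_attack in SAMPLES if not is_attack and detector(msg))
    return detected, false_pos


def compare_detectors():
    """Score all three detectors; the test asserts on this result."""
    return {
        "exploit": score(exploit_signature),
        "naive_vuln": score(naive_vuln_signature),
        "vuln": score(vuln_signature),
    }


if __name__ == "__main__":
    for name, (hits, fps) in compare_detectors().items():
        print(f"{name:>11}: {hits}/2 attacks detected, {fps} false positive(s)")
```

    The exploit signature catches only the exploit it was written from, the
    naive vulnerability check catches both attacks but also flags the harmless
    long SEARCH, and the protocol-aware vulnerability check catches both attacks
    with no false positive, which is the "more knowledge, more value" trade-off
    the reply describes.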

