RE: Vulnerability vs. Exploit signatures and IPS??
From: Jason Anderson (janderson_at_lancope.com)
Date: 05/18/05
- Previous message: Matt.Carpenter_at_alticor.com: "Re: Vulnerability vs. Exploit signatures and IPS??"
- Maybe in reply to: Jacob Winston: "Vulnerability vs. Exploit signatures and IPS??"
- Next in thread: Ed Gibbs: "Re: Vulnerability vs. Exploit signatures and IPS??"
Date: Wed, 18 May 2005 15:47:47 -0400
To: "Jacob Winston" <jctx09@yahoo.com>, <focus-ids@securityfocus.com>

A vulnerability is typically disclosed before an exploit exists to take
advantage of it. From this disclosure it can be possible to create a
signature that would fire when the conditions are met that would exploit
the vulnerability.

For example, a vulnerability may exist in a particular service that
doesn't check parameter sizes correctly, allowing a buffer overflow. No
known exploit exists, but it is possible for an application to monitor
the size of the parameter passed to that service, and if it is of
sufficient size to exploit the vulnerability, then block or alarm.

Once an exploit is released, it will typically have a more specific set
of conditions that can be monitored - perhaps a particular byte
sequence, string, padding or a specific parameter size. If those
specific conditions are met, then a specific alarm can be raised for
that named exploit.

Most modern IPS/IDS employ both "vulnerability signatures" and "exploit
signatures". Vulnerability signatures can be written sooner, but are
less specific, and can be prone to false positives (it's hard to
anticipate every possible violation of the standard that might be
legitimate, but resemble the attack) as well as false negatives (it's
not always possible to create an accurate vulnerability pattern that
catches every possible method of exploit). Exploit signatures come after
the fact, but are typically more accurate.

Jason
--
Jason Anderson
Director of Engineering and Product Management
janderson@lancope.com
http://www.lancope.com

-----Original Message-----
From: Jacob Winston [mailto:jctx09@yahoo.com]
Sent: Monday, May 16, 2005 10:58 PM
To: focus-ids@securityfocus.com
Subject: Vulnerability vs. Exploit signatures and IPS??

Can someone explain to me the difference in writing signatures based on
Vulnerabilities versus writing signatures based on Exploits?
TippingPoint makes a claim that their IPS is better because they write
signatures based on Vulnerabilities and not exploits. I don't quite
understand this.

Thank you,
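
The distinction described in the message above, as an added example that is not part of the original post: a vulnerability signature and an exploit signature run over the same traffic. The "USER <value>" protocol, the 64-byte buffer, the "Exploit-A" byte pattern and all sample requests are constructed for illustration and do not describe any real service or IPS rule language.

```python
# Added illustration: constructed toy protocol, not a real service or IPS rule format.
BUF_SIZE = 64  # assumed size of the service's fixed buffer (hypothetical)
# Constructed bytes standing in for the fixed pattern one published exploit sends.
EXPLOIT_A_MARKER = b"\x41\x41\x41\x41\xde\xc0\xad\x0b"
EXPLOIT_A_LEN = 128  # constructed: this named exploit always sends this size


def parse_param(request: bytes):
    """Return the value of a 'USER <value>\\r\\n' request, or None if malformed."""
    if not request.startswith(b"USER ") or not request.endswith(b"\r\n"):
        return None
    return request[5:-2]


def vulnerability_signature(request: bytes) -> bool:
    """Fire on the triggering condition itself: parameter larger than the buffer."""
    value = parse_param(request)
    return value is not None and len(value) > BUF_SIZE


def exploit_signature(request: bytes) -> bool:
    """Fire only on the specific size and byte sequence of one named exploit."""
    value = parse_param(request)
    if value is None:
        return False
    return len(value) == EXPLOIT_A_LEN and EXPLOIT_A_MARKER in value


def classify(request: bytes) -> list:
    """Return the alerts an engine running both signature types would raise."""
    alerts = []
    if vulnerability_signature(request):
        alerts.append("VULN: oversized USER parameter")
    if exploit_signature(request):
        alerts.append("EXPLOIT: Exploit-A pattern")
    return alerts


# Constructed sample requests.
SAMPLES = {
    "normal login": b"USER alice\r\n",
    "long but legitimate value": b"USER " + b"x" * 80 + b"\r\n",
    "known exploit": b"USER " + EXPLOIT_A_MARKER + b"B" * 120 + b"\r\n",
    "unpublished variant": b"USER " + b"C" * 200 + b"\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:28s} -> {classify(req) or 'no alert'}")
```

The long but legitimate value raises only the vulnerability alert (the false-positive case), and the unpublished variant is caught by the vulnerability signature while the exploit signature stays silent.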