Re: Vulnerability vs. Exploit signatures and IPS??

From: Ed Gibbs (ed_at_digitalconclave.com)
Date: 05/18/05

  • Next message: Jordan Wiens: "Re: Vulnerability vs. Exploit signatures and IPS??"
    To: "Jacob Winston" <jctx09@yahoo.com>, <focus-ids@securityfocus.com>
    Date: Wed, 18 May 2005 13:00:54 -0700
    
    

    Jacob,

    Vulnerabilities are the flaw, while an exploit is what takes advantage of
    the vulnerability.

    For example, Blaster. The vulnerability was in Microsoft's DCE RPC code,
    while "Blaster" was the name of the exploit that took advantage of the flaw
    in the code. When Blaster first hit the net, signature writers were
    scrambling to develop a signature that would detect it, but kept producing
    signatures for the exploit, which kept changing, and therefore new
    signatures were coming out (some as high as 16 different signatures).

    TippingPoint is correct in their assertion that writing signatures for the
    vulnerability is better. Signatures based on exploits run into problems,
    simply because exploits have variances and can morph, which makes signatures
    based on the exploit ineffective. However, signatures based on the
    vulnerability typically don't change.

    Ed Gibbs
    IPS Security Technologist
    ed@digitalconclave.com

    ----- Original Message -----
    From: "Jacob Winston" <jctx09@yahoo.com>
    To: <focus-ids@securityfocus.com>
    Sent: Monday, May 16, 2005 7:57 PM
    Subject: Vulnerability vs. Exploit signatures and IPS??

    Can someone explain to me the difference in writing signatures based on
    Vulnerabilities versus writing signatures based on Exploits? TippingPoint
    makes a claim that their IPS is better because they write signatures based
    on Vulnerabilities and not exploits. I don't quite understand this.

    Thank you,
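
The distinction discussed in this thread, as an added example that is not part of the original messages: two checks for a hypothetical toy protocol, one keyed to the bytes of the first observed sample and one keyed to the condition that triggers the flaw. The protocol, opcode, buffer size and every sample message are constructed assumptions.

```python
import struct

# Hypothetical toy protocol (an assumption, not from the thread):
#   1-byte opcode | 2-byte big-endian length | data
# Assumed flaw: the handler for OP_BIND copies `length` bytes into a
# fixed 64-byte buffer without checking the length field.
OP_BIND = 0x05
BUF_SIZE = 64

# Exploit signature: a byte pattern lifted from the first observed sample.
EXPLOIT_PATTERN = b"AAAAAAAAAAAAAAAA"


def build(opcode: int, data: bytes) -> bytes:
    """Build a constructed sample message for the toy protocol."""
    return struct.pack(">BH", opcode, len(data)) + data


def exploit_signature(msg: bytes) -> bool:
    """Fires only when the known sample's byte pattern is present."""
    return EXPLOIT_PATTERN in msg


def vulnerability_signature(msg: bytes) -> bool:
    """Fires on the condition that triggers the flaw, whatever the payload."""
    if len(msg) < 3:
        return False  # too short to carry a header
    opcode, length = struct.unpack(">BH", msg[:3])
    return opcode == OP_BIND and length > BUF_SIZE


# Constructed samples: filler bytes only, no real payloads.
SAMPLES = {
    "original": build(OP_BIND, b"A" * 200),         # first observed sample
    "variant_1": build(OP_BIND, b"B" * 200),        # same flaw, new filler
    "variant_2": build(OP_BIND, bytes(range(256))), # same flaw, new filler
    "benign": build(OP_BIND, b"D" * 32),            # fits the buffer
    "other_op": build(0x01, b"C" * 200),            # different handler
}


def evaluate() -> dict:
    """Return {sample: (exploit_hit, vulnerability_hit)} for every sample."""
    return {name: (exploit_signature(m), vulnerability_signature(m))
            for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, (exp, vuln) in evaluate().items():
        print(f"{name:10} exploit_sig={exp!s:5} vuln_sig={vuln}")
```

Only the first sample trips the pattern match, while the length check flags all three oversized OP_BIND messages and stays quiet on the benign and unrelated ones.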


