Re: Vulnerability vs. Exploit signatures and IPS??
From: Jordan Wiens (numatrix_at_ufl.edu)
Date: 05/18/05
- Previous message: Ed Gibbs: "Re: Vulnerability vs. Exploit signatures and IPS??"
- In reply to: Jacob Winston: "Vulnerability vs. Exploit signatures and IPS??"
- Next in thread: Bill Royds: "RE: Vulnerability vs. Exploit signatures and IPS??"
Date: Wed, 18 May 2005 16:04:52 -0400 (EDT)
To: Jacob Winston <jctx09@yahoo.com>
Most vendors claim that. Some do it.
Let's consider the following hypothetical situation. A vulnerability is
announced in a product, but it's a particularly convoluted and difficult
buffer overflow and I don't quite know how it works. I just wait a bit,
and sure enough, the Metasploit guys add an exploit for it. Now I run
that exploit against a vulnerable server and I sniff the network traffic
it generates. I write a signature based on that traffic that seems to be
'good' in that it doesn't have any other false positives on a large flood
of legitimate traffic to the server, and it also successfully catches the
compromise via metasploit every time.
It's quite possible that because I didn't understand which part of the
attack was the actual necessary exploit and which was just metasploit's
padding for the overflow, or the backdoor code, or whatever, that someone
else could come along and write an entirely new exploit that would not
trigger my signature, or even just modify the default metasploit attack,
and likewise escape my signature.
A signature written for the vulnerability means that (barring certain types
of obfuscation and evasion) any exploit generated will trigger that
signature if it triggers the vulnerability.
This is actually a fairly difficult thing to do in some situations. Most
signature writers will of course try to write to the vulnerability, but
because of the difficulty, you often see ones written for an exploit.
Of course, in the perfect world, we have both types of signatures. That
way you not only know you were attacked, but you know with what type of
exploit; or that it's a new unknown variant of an exploit. That's useful
information in and of itself.
--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061

On Mon, 17 May 2005, Jacob Winston wrote:

> Can someone explain to me the difference in writing signatures based on
> Vulnerabilities versus writing signatures based on Exploits? TippingPoint
> makes a claim that their IPS is better because they write signatures
> based on Vulnerabilities and not exploits. I don't quite understand this.
>
> Thank you,
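The distinction drawn in the message above, as an added example that is not part of the original post: two detectors run over the same constructed traffic, one keyed to bytes seen in a single captured exploit and one keyed to the condition that triggers the flaw. The `USER` protocol, the 64-byte buffer and all sample payloads are assumptions made up for illustration, and the checks assume they see a fully reassembled request.

```python
# Constructed toy protocol: "USER <name>\r\n". Assumption: a hypothetical
# server copies <name> into a 64-byte buffer, so any name longer than
# 64 bytes reaches the flaw, whatever bytes it is made of.
BUF_SIZE = 64

# Exploit signature: a byte pattern lifted from one captured exploit run
# (here, that tool's filler bytes). It encodes nothing about the flaw.
EXPLOIT_PATTERN = b"A" * 32


def exploit_signature(payload: bytes) -> bool:
    """Fire when the payload contains the filler seen in the captured run."""
    return EXPLOIT_PATTERN in payload


def vulnerability_signature(payload: bytes) -> bool:
    """Fire on the triggering condition itself: an over-long USER argument."""
    for line in payload.split(b"\n"):
        verb, _, arg = line.strip().partition(b" ")  # strip() drops the CR
        if verb.upper() == b"USER" and len(arg.strip()) > BUF_SIZE:
            return True
    return False


# Constructed sample traffic: filler bytes only, no working payload.
SAMPLES = {
    "legitimate login": b"USER alice\r\n",
    "boundary-length name": b"USER " + b"b" * BUF_SIZE + b"\r\n",
    "captured exploit": b"USER " + b"A" * 200 + b"\r\n",
    "variant, other filler": b"user " + bytes(range(0x61, 0x7B)) * 8 + b"\r\n",
}


def evaluate() -> dict:
    """Return {sample name: (exploit_sig_fired, vulnerability_sig_fired)}."""
    return {name: (exploit_signature(p), vulnerability_signature(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (exp, vuln) in evaluate().items():
        print(f"{name:24} exploit_sig={exp!s:5} vuln_sig={vuln}")
```

Both detectors stay quiet on the legitimate logins and both catch the captured run, which is why the exploit signature looks 'good' in testing; only the variant with different filler separates them.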