RE: Vulnerability vs. Exploit signatures and IPS??
From: Bill Royds (whitehats_at_royds.net)
Date: 05/18/05
- Previous message: Jordan Wiens: "Re: Vulnerability vs. Exploit signatures and IPS??"
- In reply to: Jacob Winston: "Vulnerability vs. Exploit signatures and IPS??"
- Next in thread: David W. Goodrum: "Re: Vulnerability vs. Exploit signatures and IPS??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Jacob Winston'" <jctx09@yahoo.com>
Date: Wed, 18 May 2005 16:05:31 -0400
This is a bit of marketspeak, but, in general, an exploit signature would look
at the strings in a particular exploit while vulnerability would try to match
any pattern that would trigger the vulnerability, not just a particular exploit.
For example, program X has a buffer overflow if a certain field is greater
than 255 characters. An exploit is written for this vulnerability which has the
pattern "AAAAAAAAAA...AAAShEllCodeZZZZ" (256 characters) followed by the shell
code strings. An exploit signature would look for the particular pattern in this
exploit (string of "A"s followed by the word "ShEllCode" followed by the NOP
sled followed by some shell code). A vulnerability signature would look for any
string longer than 255 characters and directed to this particular field in this
application. This is harder to write to avoid false positives, but would catch
new exploits, not just the exploit identified by the first signature.
-----Original Message-----
From: Jacob Winston [mailto:jctx09@yahoo.com]
Sent: Monday, May 16, 2005 10:58 PM
To: focus-ids@securityfocus.com
Subject: Vulnerability vs. Exploit signatures and IPS??
Can someone explain to me the difference in writing signatures based on
Vulnerabilities versus writing signatures based on Exploits? TippingPoint makes
a claim that their IPS is better because they write signatures based on
Vulnerabilities and not exploits. I don't quite understand this.
Thank you,
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
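The distinction drawn in the reply above, as an added example that is not part of the original message: both kinds of signature are run over constructed requests for the hypothetical "program X". The `NAME=value` line format, the field name `USER`, and the `<payload>` placeholder are assumptions made for illustration.

```python
import re

MAX_LEN = 255      # from the post: the field overflows past 255 characters
FIELD = b"USER"    # assumed name of the vulnerable field in "program X"

# Exploit signature: byte pattern of the one known exploit
# (a run of "A"s followed by the marker "ShEllCode").
EXPLOIT_SIG = re.compile(rb"A{16,}ShEllCode")


def exploit_signature(request: bytes) -> bool:
    """Match only the strings seen in the known exploit."""
    return EXPLOIT_SIG.search(request) is not None


def vulnerability_signature(request: bytes) -> bool:
    """Match the triggering condition: any over-long value sent to FIELD."""
    for line in request.splitlines():
        name, sep, value = line.partition(b"=")
        # Check every occurrence, so a repeated field cannot hide a long value.
        if sep and name.strip().upper() == FIELD and len(value) > MAX_LEN:
            return True
    return False


# Constructed sample requests; "<payload>" is an inert placeholder.
SAMPLES = {
    "known exploit": b"USER=" + b"A" * 243 + b"ShEllCodeZZZZ" + b"<payload>\n",
    "new variant": b"USER=" + b"B" * 300 + b"<payload>\n",
    "benign login": b"USER=alice\nCOMMENT=hello\n",
    "long other field": b"USER=bob\nCOMMENT=" + b"A" * 400 + b"\n",
}


def evaluate() -> dict:
    """Return {sample name: (exploit signature hit, vulnerability signature hit)}."""
    return {
        name: (exploit_signature(req), vulnerability_signature(req))
        for name, req in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (exp, vuln) in evaluate().items():
        print(f"{name:18} exploit_sig={exp!s:5} vuln_sig={vuln}")
```

The variant with different padding and no marker string passes the exploit signature but is caught by the vulnerability signature, while the long value in an unrelated field triggers neither because the length check is scoped to the vulnerable field.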