Re: Vulnerability vs. Exploit signatures and IPS??

From: David W. Goodrum (dgoodrum_at_nfr.com)
Date: 05/19/05

    Date: Thu, 19 May 2005 10:03:28 -0400
    To: Jacob Winston <jctx09@yahoo.com>
    
    

    TippingPoint is not the only vendor to do this. Most vendors now try
    to write signatures based on the vulnerability vs the exploit. Here's a
    real world example. SQL Slammer was the result of a vulnerability that
    had been known for many months to the security community. Shortly after
    it was first announced, there was a proof of concept exploit released
    also. Some vendors watched for the known exploit, which was to watch
    for a particular string in the released exploit code. Some vendors (NFR
    being one of many), chose to watch for the vulnerability, which was
    essentially a really long string sent via UDP on port 1434, which causes
    a buffer overflow. When SQL Slammer hit, months later, vendors who were
    watching for the vulnerability caught SQL Slammer without writing a new
    signature. Vendors who wrote signatures looking for the exploit did
    not. There are plenty of other reasons to not watch for exploits. For
    example, products like ADMutate, which take existing exploits, and
    mutate them to evade exploit-based signatures.

    So, the reason you watch for vulnerabilities, instead of exploits, is to
    catch the 0-day exploit of a known vulnerability, and to also catch
    people trying to evade your IDS/IPS system. Often vendors will do
    both. So, they might identify a known exploit as a known exploit. That
    doesn't mean they're not watching for the vulnerability though. It just
    means that they were trying to be as accurate as possible, so they saw
    the vulnerability being exploited, and then identified the exploit as
    something known. It's pretty simple logic, and allows a vendor to give
    the most accurate alert when a vulnerability is exploited.

    However, TippingPoint is not doing something unique here. They are
    doing the right thing... but they're not the only ones. NFR, ISS, and
    _many_ of the other big names are doing the same thing... not all
    vendors... but many. So, you should not only ask, but test if they are
    doing this. Just because a vendor says they watch for vulnerabilities
    vs the exploit, doesn't mean they are actually doing it. Bring in the
    products from various vendors, download the known exploits, then use
    products such as ADMutate (and others) to try to evade the IDS/IPS.
    Also, be sure to evaluate in IDS and IPS mode, if you plan on doing a
    mixed deployment. Just because a vendor detects/stops something in IPS
    mode, doesn't mean they'll do it in IDS mode... and vice versa.

    hope this helps,

    dave

    David W. Goodrum
    Senior Systems Engineer
    (nfr)(security)
    http://www.nfr.com

    Jacob Winston wrote:

    >
    >Can someone explain to me the difference in writing signatures based on Vulnerabilities versus writing signatures based on Exploits? TippingPoint makes a claim that their IPS is better because they write signatures based on Vulnerabilities and not exploits. I don't quite understand this.
    >
    >Thank you,
    >

    -- 
    David W. Goodrum
    Senior Systems Engineer
    (nfr)(security)
    http://www.nfr.com
    See NFR Security at these upcoming events:
    ADRP Conference, May 23-25, Jacksonville, FL
    Gartner IT Security Summit, June 6-8, Washington, DC
    NetSec 2005, June 13-14, Scottsdale, AZ
    Security Ventures 2005, July 13, New York, NY
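    The distinction Dave draws, reduced to code: an exploit-based rule that
    matches a fixed string from one published proof of concept, beside a
    vulnerability-based rule that flags the condition itself (an oversized
    request to UDP/1434). This is an added illustration, not code from the
    original post or from any vendor; the 0x04 opcode byte, the 100-byte
    length ceiling, the marker string and the sample datagrams are all
    constructed assumptions.

```python
"""Vulnerability-based vs. exploit-based detection on constructed UDP/1434
datagrams. Added example; opcode byte and length ceiling are assumptions."""
from dataclasses import dataclass

SSRP_PORT = 1434      # SQL Server Resolution Service listens on UDP/1434
MAX_SAFE_LEN = 100    # assumed ceiling for the request field (illustrative)


@dataclass
class UdpDatagram:
    dst_port: int
    payload: bytes


# Exploit-based rule: look for one fixed byte string taken from a published
# proof of concept. POC_MARKER is a constructed stand-in for such a string.
POC_MARKER = b"POC-FILLER-AAAA"


def exploit_signature(dg: UdpDatagram) -> bool:
    return dg.dst_port == SSRP_PORT and POC_MARKER in dg.payload


# Vulnerability-based rule: flag the overflow condition regardless of which
# bytes fill the request, so a mutated or rewritten exploit still trips it.
def vulnerability_signature(dg: UdpDatagram) -> bool:
    return (dg.dst_port == SSRP_PORT
            and len(dg.payload) > 0
            and dg.payload[0] == 0x04            # assumed request opcode
            and len(dg.payload) - 1 > MAX_SAFE_LEN)


def classify(dg: UdpDatagram) -> str:
    """Do both, as the post says many vendors do: the vulnerability rule
    decides whether to alert, the exploit rule only refines the alert name."""
    if vulnerability_signature(dg):
        return "known-exploit" if exploit_signature(dg) else "vuln-triggered"
    if exploit_signature(dg):
        return "exploit-string-only"   # marker seen, but nothing can overflow
    return "benign"


# Constructed samples (not real captures)
BENIGN = UdpDatagram(SSRP_PORT, b"\x04SQLEXPRESS")          # normal lookup
POC = UdpDatagram(SSRP_PORT, b"\x04" + POC_MARKER * 20)     # the PoC as released
MUTATED = UdpDatagram(SSRP_PORT, b"\x04" + bytes(range(256)))  # filler changed
SHORT_MARKER = UdpDatagram(SSRP_PORT, b"\x04" + POC_MARKER)    # too short to overflow
WRONG_PORT = UdpDatagram(53, POC.payload)                   # not the vulnerable service
```

    Running `classify` over the samples shows the point of the post: the
    exploit rule misses MUTATED and fires on SHORT_MARKER, while the
    vulnerability rule catches MUTATED and ignores the harmless case.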
    
