Re: Vulnerability vs. Exploit signatures and IPS??

From: Matthew Watchinski (mwatchinski_at_sourcefire.com)
Date: 05/19/05

  • Next message: THolman_at_toplayer.com: "RE: Router/Switches and viruses"
    Date: Wed, 18 May 2005 22:29:28 -0400
    To: Jacob Winston <jctx09@yahoo.com>
    
    

    By looking for the characteristics of a vulnerability it is possible to
    detect all possible exploits that might try and utilize that
    vulnerability. Whereas looking for the signature of an exploit
    leaves you vulnerable to new exploits utilizing the same vulnerability.

    A simple analogy to this is say you want to find a particular person in
    a crowd of people. You can either walk around with a picture of that
    person and hold it up next to everyone in the crowd (signature based
    detection) or you can find the person based on unique attributes about
    them (rule based detection, as I like to call it). Signature based
    detection is vulnerable to, say, the person wearing a hat, or glasses, or
    a beard. Rule based detection isn't, as it uses a set of unchangeable
    unique attributes that must exist for it to match on that person (I like
    to call these triggering conditions). Like the distance to the corner
    of each eye from their nose, or the shape and curve of the cheek bones.

    To better understand this difference let's take a real world example.

    Here is the bleedingsnort rule for the IIS PCT vulnerability (MS04-011)

    alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"BLEEDING-EDGE THCIISLame IIS SSL Exploit Attempt"; reference:url,www.thc.org/exploits/THCIISSLame.c; reference:url,isc.sans.org/diary.php?date=2004-07-17; content:"THCOWNZIIS!"; flow:to_server,established; classtype:web-application-attack; sid:2000559; rev:6;)

    If you're not familiar with Snort, this signature essentially looks for
    the content of "THCOWNZIIS!" in any packet heading to port 443 on the
    network defined by $HOME_NET. The public exploit for this vulnerability
    contains "THCOWNZIIS!" which is probably why the bleedingsnort guys
    wrote this signature. Unfortunately this string isn't necessary for
    this exploit to work, so it could just as easily be "MATTOWNIIS", and
    the exploit would still function correctly. This means that the
    signature above is exploit specific and can be easily avoided (unless
    all you want to catch is this particular exploit).

    I think most people want to catch all exploits that attempt to exploit a
    particular vulnerability, which is why you need rules that catch the
    triggering conditions of the vulnerability (detect the vulnerability not
    the exploit). In my opinion, writing exploit-specific signatures brings
    very little value to the table, and also gives people a false sense of
    security, as any intelligent attacker will remove these types of strings
    from public exploits if they need to use them.

    Since I'm a vendor I'm not going to simply tout the Sourcefire solution,
    however, I will say the Sourcefire VRT strives to detect the
    vulnerability and not the exploit with every rule that we release. OK,
    so I touted a little.

    Cheers,
    Matthew Watchinski
    Director, Vulnerability Research
    Sourcefire, Inc.

    Jacob Winston wrote:

    >
    >Can someone explain to me the difference in writing signatures based on Vulnerabilities versus writing signatures based on Exploits? TippingPoint makes a claim that their IPS is better because they write signatures based on Vulnerabilities and not exploits. I don't quite understand this.
    >
    >Thank you,
    >
    >--------------------------------------------------------------------------
    >Test Your IDS
    >
    >Is your IDS deployed correctly?
    >Find out quickly and easily by testing it with real-world attacks from
    >CORE IMPACT.
    >Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    >to learn more.
    >--------------------------------------------------------------------------
    >
    >
    >

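The following is an added example, not part of the original post or of any Snort or Sourcefire code. It puts the two detection styles the post contrasts side by side in Python: an exploit-signature check that mimics the bleedingsnort rule (`content:"THCOWNZIIS!"`) and a "triggering condition" check in the style the post argues for. The handshake record format, the 32-byte server buffer limit and the sample payloads are constructed assumptions chosen for illustration; they are not the real PCT wire format or the real MS04-011 trigger.

```python
"""Exploit-string signature vs. vulnerability 'triggering condition' rule.

Added example, not from the original post. The record layout below is a
constructed, hypothetical handshake (NOT the real PCT/SSL wire format), and
MAX_CHALLENGE is an assumed fixed server buffer size used for illustration.
"""
import struct

MSG_CLIENT_HELLO = 0x01
MAX_CHALLENGE = 32            # hypothetical fixed server buffer; longer = overflow
EXPLOIT_TAG = b"THCOWNZIIS!"  # string the post quotes from the public exploit


def build_hello(challenge: bytes) -> bytes:
    """Build a client hello: 2-byte record length, 1-byte type,
    2-byte challenge length, then the variable-length challenge."""
    body = struct.pack(">BH", MSG_CLIENT_HELLO, len(challenge)) + challenge
    return struct.pack(">H", len(body)) + body


def exploit_signature(payload: bytes) -> bool:
    """Mimics the bleedingsnort rule: content:"THCOWNZIIS!" anywhere in the
    payload. Any byte of the tag changed and the match is gone."""
    return EXPLOIT_TAG in payload


def vulnerability_rule(payload: bytes) -> bool:
    """Fires on the triggering condition: a Client Hello whose challenge
    length field exceeds what the (hypothetical) server buffer can hold.
    The challenge bytes themselves are irrelevant, so renaming the tag
    inside the exploit changes nothing."""
    if len(payload) < 5:
        return False
    _record_len, msg_type, challenge_len = struct.unpack(">HBH", payload[:5])
    if msg_type != MSG_CLIENT_HELLO:
        return False
    return challenge_len > MAX_CHALLENGE


def evaluate(payloads: dict) -> dict:
    """Return {name: (exploit_signature_hit, vulnerability_rule_hit)}."""
    return {name: (exploit_signature(p), vulnerability_rule(p))
            for name, p in payloads.items()}


# Constructed sample traffic (not captured data).
SAMPLES = {
    # public exploit as described in the post: tag present, oversized field
    "public exploit": build_hello(EXPLOIT_TAG + b"\x90" * 53),     # 64 bytes
    # same exploit with the tag swapped, as the post suggests an attacker would
    "renamed exploit": build_hello(b"MATTOWNIIS" + b"\x90" * 54),  # 64 bytes
    # legitimate hello, challenge fits the buffer exactly
    "benign hello": build_hello(b"\x41" * 32),
    # tag present but no overflow: the string alone is not the vulnerability
    "tag, no overflow": build_hello(EXPLOIT_TAG + b"\x00" * 5),    # 16 bytes
}

if __name__ == "__main__":
    for name, (sig, rule) in evaluate(SAMPLES).items():
        print(f"{name:18s} exploit-sig={str(sig):5s} vuln-rule={rule}")
```

Run as a script, the table shows the asymmetry the post describes: the string match catches only the unmodified public exploit and also fires on a record that carries the tag without the overflow, while the length check catches both exploit variants and ignores both non-exploit records. In real Snort the equivalent of `vulnerability_rule` would be expressed with `byte_test` against the length field rather than with `content`.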

