Re: Vulnerability vs. Exploit signatures and IPS??

From: Iván Arce (ivan.arce_at_coresecurity.com)
Date: 05/20/05

    Date: Fri, 20 May 2005 18:43:06 -0300
    To: focus-ids@securityfocus.com

    It is not a question of which is better in a vacuum (signatures based
    on vulnerabilities vs. signatures based on exploits) but rather which
    you or your vendor does best.

    To do it right, developing IDS/IPS signatures based on exploits requires
    the researcher/signature writer to understand those exploits and to be
    able to discern which portions of them are fixed requirements to trigger
    the vulnerability and which portions are just implementation decisions
    of the exploit writer. Some shortcuts can be taken here if the
    researcher has a very good understanding of exploit 'techniques' rather
    than just instances of exploits that are publicly available, otherwise
    the job turns into a reactive arms race against the available exploits.

    Good signatures based solely on the vulnerabilities require the
    researcher/signature writer to fully understand the vuln and all the
    possible ways to exploit it. For this to be effective, once again, the
    researcher needs a very good understanding of exploit 'techniques'
    and/or exploit writing since he is basically trying to outwit ALL
    possible exploits and hence every exploit writer out there or risk
    having false negatives.
    For the pure anomaly behavior detection approach the researcher needs
    then to figure out ALL possible legitimate uses and operational
    environments of the vulnerable component or risk having false positives.

    There are numerous examples of bad signatures (and possibly vendor
    patches) that were developed presumably based only on available exploits
    and there are numerous examples of bad signatures (and possibly vendor
    patches) presumably built using vulnerability analysis as the sole basis
    for development.

    Common sense leads me to think that combining both methods is a good
    idea. Also there is a clear tradeoff between time and quality of the
    signature/filter: Assuming the signature writing team has equally
    balanced skills for both methods they will need to make a decision
    between getting signatures out faster and/or getting more accurate
    signatures out. To improve the process one would need to either increase
    the research team's capacity or improve their skills (or both).

    Disclaimer: I work for a company that sells an automated penetration
    testing product that includes professionally developed exploits, it is
    often used by our customers to develop IDS/IPS signatures, test IDS/IPS
    deployments and various other things. On the other hand since we write
    exploits for known vulns and occasionally find new vulns I know there is
    a serious amount of vulnerability research involved in all cases. So I
    sort of have an insight of both methods.

    -ivan

    Jacob Winston wrote:
    >
    >
    > Can someone explain to me the difference in writing signatures based on Vulnerabilities versus writing signatures based on Exploits? TippingPoint makes a claim that their IPS is better because they write signatures based on Vulnerabilities and not exploits. I don't quite understand this.
    >
    > Thank you,
    >
    > --------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it with real-world attacks from
    > CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > --------------------------------------------------------------------------
    >

    -- 
    ---
    To strive, to seek, to find, and not to yield.
    - Alfred, Lord Tennyson, Ulysses, 1842
    Ivan Arce
    CTO
    CORE SECURITY TECHNOLOGIES
    46 Farnsworth Street
    Boston, MA 02210
    Ph: 617-399-6980
    Fax: 617-399-6987
    ivan.arce@coresecurity.com
    www.coresecurity.com
    PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
    
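The trade-off the post describes (an exploit-derived signature keys on the exploit writer's implementation choices, a vulnerability-derived one keys on the condition that actually triggers the bug) can be made concrete with two toy detectors. This is an added illustration, not code from the post or from any vendor: the "CMD <arg>" protocol, the 64-byte buffer limit, the NOP-sled/marker artifacts and all sample messages are constructed for this example.

```python
import re

# Constructed scenario: a server copies the argument of "CMD <arg>\r\n" into a
# 64-byte buffer, so the *vulnerability* is triggered by any argument longer
# than that, whatever bytes it carries. (Hypothetical flaw, not a real product.)
MAX_ARG = 64

# Exploit-based signature: matches artifacts of one (constructed) public
# exploit, i.e. its NOP sled and a marker string. Those are the exploit
# writer's implementation decisions, not requirements of the bug.
EXPLOIT_SIG = re.compile(rb"CMD .*(\x90{16}|PUBLIC_EXPLOIT_V1)", re.DOTALL)

def exploit_based(msg: bytes) -> bool:
    """Alert when the message contains the public exploit's artifacts."""
    return EXPLOIT_SIG.search(msg) is not None

def vulnerability_based(msg: bytes) -> bool:
    """Alert when the argument exceeds the buffer size, regardless of payload."""
    if not msg.startswith(b"CMD "):
        return False
    arg = msg[4:].rstrip(b"\r\n")
    return len(arg) > MAX_ARG

# Constructed sample traffic (labels describe the intended ground truth).
SAMPLES = {
    "benign":         b"CMD hello\r\n",
    "public_exploit": b"CMD " + b"\x90" * 32 + b"PUBLIC_EXPLOIT_V1" + b"A" * 40 + b"\r\n",
    # Same trigger condition, different filler: no sled, no marker.
    "variant":        b"CMD " + b"A" * 120 + b"\r\n",
    # Short binary argument that happens to contain sled-like bytes; it does
    # not overflow the buffer, so it is not an attack in this scenario.
    "binary_benign":  b"CMD " + b"\x90" * 16 + b"\r\n",
}
GROUND_TRUTH = {"benign": False, "public_exploit": True, "variant": True, "binary_benign": False}

def evaluate(detector) -> dict:
    """Return the detector's verdict per sample plus its misses and false alarms."""
    verdicts = {name: detector(msg) for name, msg in SAMPLES.items()}
    misses = sorted(n for n, v in verdicts.items() if GROUND_TRUTH[n] and not v)
    false_alarms = sorted(n for n, v in verdicts.items() if v and not GROUND_TRUTH[n])
    return {"verdicts": verdicts, "false_negatives": misses, "false_positives": false_alarms}

if __name__ == "__main__":
    for name, det in (("exploit-based", exploit_based), ("vulnerability-based", vulnerability_based)):
        print(name, evaluate(det))
```

Running it shows the exploit-based rule missing the variant (a false negative) while alerting on the harmless binary request (a false positive); the vulnerability-based rule gets both right here, but only because the trigger condition in this toy is fully understood, which is exactly the research effort the post says the vulnerability-based approach demands.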
