Re: Vulnerability & Exploit Signatures

From: dgr8hunt (dhruv_ymca_at_yahoo.com)
Date: 06/15/05

    Date: Wed, 15 Jun 2005 08:39:10 -0700 (PDT)
    To: Jackson Yu <jackson.yu@earthlink.net>, focus-ids@securityfocus.com
    
    

    IPS signature names would of course be the same, ha! coz
    they are all developed to stop some sort of attack ;D.
    So if a vulnerability comes with xyz name every IPS
    vendor will come up with a signature for xyz.

    But now the question is, was there really a requirement to
    update the signature base to overcome this
    vulnerability? Or was there already some mechanism in the
    IPS to block zero-day attacks, sort of protocol
    decoding/header processing/application layer
    protection/protocol anomaly/traffic anomaly etc. etc.?

    If the above features are not present or can't protect
    against that specific attack, then comes the signature database.
    Now the questions that come to mind are:

    Can the signature be bypassed using IDS evasion
    techniques (architecture problems)? How good is the
    architecture and what functionality [written
    above..] does it provide?

    A thread was running on the list a few days back about
    exploit-based signatures and vulnerability-based
    signatures. So see what solution the vendor is
    providing to the market.

    Every IPS has its own compiler and language. So even
    if every vendor takes the signatures out of Sourcefire
    you can't comment on that. Coz even if a vendor
    writes its own signature, that will also match at least
    95% with Snort's signature and vice versa, on condition
    that both are writing accurate signatures :)

    So at the EOD the IPS user should not see any attacks;
    that is all he/she would like. They should be least worried
    about the sources from which signatures originate
    for an IPS vendor. Rather, they should be worried about the
    response time the vendor has taken for an attack
    once the attack becomes available to the public on various
    security sites.

    Signature count for an IPS can even go beyond 15,000
    or maybe more. And preparing a comparison *** of
    signatures for all the IPS vendors to see the
    difference of 300 signatures or 1500 signatures won't be
    a good way of comparing any IPS product.

    Feel the technology inside :)

    cheers!

    Dhruv

    --- Jackson Yu <jackson.yu@earthlink.net> wrote:

    > Hi, I'm new to this list, so please bear with my
    > question:
    >
    > ASIC/FPGA/Software/detection techniques aside, I
    > sense that a huge value of IPS
    > vendors is the lab-type organizations that are
    > constantly developing new filters
    > in response to new vulnerabilities and exploits.
    > However, there's no way that such
    > vendors can "hit the market", if you will, with 2000+
    > filters out on day
    > one.
    >
    > Do all these vendors license the same set of "base"
    > filters from, say,
    > Sourcefire / Snort derived rule source in the back?
    > Is there a commonality there? At the end of the
    > day, can I say that "Gee, most vendors' base set of
    > 1500 IPS signatures are the same, it's just the 300
    > or so that the vendors have additionally developed
    > on top of that 1500 that are different!"
    >
    >
    > Thanks
    >
    > Jackson
    >
    >
    >
    >

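The thread's distinction between exploit-based and vulnerability-based signatures, together with the evasion question Dhruv raises, in a small added example that is not from either poster. It uses a constructed toy protocol (a hypothetical length-prefixed username field and a hypothetical 64-byte server buffer), an exploit-based signature that is a literal copied from a constructed PoC, and a vulnerability-based signature that decodes the field and checks the bound instead; the PoC trips both, but a variant with different filler bytes is caught only by the vulnerability-based one.

```python
import re
import struct
from typing import Dict, Optional, Tuple

# Constructed toy protocol (not a real one): 2-byte big-endian length
# prefix, then a "username" field. Assume the (hypothetical) server
# copies the username into a 64-byte buffer without checking its length.
MAX_USERNAME = 64


def parse_username(pkt: bytes) -> Optional[bytes]:
    """Decode the username field; None if the packet is truncated."""
    if len(pkt) < 2:
        return None
    (declared,) = struct.unpack(">H", pkt[:2])
    body = pkt[2:2 + declared]
    return body if len(body) == declared else None


# Exploit-based signature: a literal lifted from one (constructed) PoC,
# here its 32-byte filler. Cheap to match, but tied to that one PoC.
EXPLOIT_SIG = re.compile(rb"\x90{32}")


def exploit_signature_hit(pkt: bytes) -> bool:
    return EXPLOIT_SIG.search(pkt) is not None


# Vulnerability-based signature: decode the protocol and flag any
# username longer than the buffer the flaw concerns, whatever the bytes.
def vulnerability_signature_hit(pkt: bytes) -> bool:
    user = parse_username(pkt)
    return user is not None and len(user) > MAX_USERNAME


def build(username: bytes) -> bytes:
    return struct.pack(">H", len(username)) + username


# Constructed sample traffic: a benign login, the PoC, and a variant
# that exercises the same flaw with the filler bytes changed.
SAMPLES = {
    "benign": build(b"alice"),
    "poc": build(b"\x90" * 32 + b"A" * 64),
    "variant": build(b"\x41" * 32 + b"A" * 64),
}


def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (exploit_sig_hit, vuln_sig_hit)} for each sample."""
    return {n: (exploit_signature_hit(p), vulnerability_signature_hit(p))
            for n, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (e, v) in evaluate().items():
        print(f"{name:8} exploit-sig={e!s:5} vuln-sig={v}")
```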