Re: Vulnerability & Exploit Signatures

From: Kelly Dowd (loris65_at_gmail.com)
Date: 06/16/05

  • Next message: snort user: "Re: Snort & iptables on the same box" 
    Date: Thu, 16 Jun 2005 08:25:33 -0400
To: Jackson Yu <jackson.yu@earthlink.net>

    I doubt there is any licensing of base signatures between vendors
    (signature engines vary greatly between products, you can't just 'use'
    another products sigs). You will find that some developers look at
    existing signature sets to get 'ideas', but it's far from a
    one-for-one copy. Companies must develop their own sigs just like
    they develop their own appliances... it's a total package.

    -Kelly D.

    On 6/14/05, Jackson Yu <jackson.yu@earthlink.net> wrote:
    > Hi, I'm new to this list, so please bear with my question:
    >
    > ASIC/FPGA/Software/detection techniques aside, I sense that a huge value of IPS
    > vendors are the lab-type organizations that are constantly developing new filters
    > in response to new vulnerabilities and exploits. However, there's no way that such
    > vendors can "hit the market" if you will with 2000+ filters out on day
    > one.
    >
    > Do all these vendors license the same set of "base" filters from, say,
    > Sourcefire / Snort derived rule source in the back? Is there a commonality there? At the end of the day, can I say that "Gee, most vendors' base set of 1500 IPS signatures are the same, its just the 300 or so that the vendors have additionally developed on top of that 1500 that are different!"
    >
    >
    > Thanks
    >
    > Jackson
    >
    >
    >
    > --------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it with real-world attacks from
    > CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > --------------------------------------------------------------------------
    >
    >

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    --------------------------------------------------------------------------

  • Next message: snort user: "Re: Snort & iptables on the same box"

    Relevant Pages

    • Signature URLs/Quoting Adagio
      ... previous posts on the subject. ... I find it a specious argument irregardless of USENET if you ... signature but my position the USENET signature is nothing more than ... Jim, on the issue of vendors placing their URL's into a signature line, ...
      (rec.food.drink.tea)
    • Re: Intrusion Detection Evaluation Datasets
      ... I understand most IDS vendors do not actually use the Snort code ... SourceFire and some vendors who include Snort with hardware appliances ... of interest that one signature based IDS could detect that another ... I say attacks of interest because I am aware of some DoS ...
      (Focus-IDS)
    • Re: [Full-disclosure] Publishing exploit code - what is it good for
      ... is a bitbucket. ... Use the address in the signature to reach me.] ... to the only thing that has any real success at getting vendors to fix ... things without needing the prod of public exploit disclosure. ...
      (Full-Disclosure)
    • RE: strange windows behaviour.
      ... AV vendors do actually analyse malicious code, ... don't just extract a signature. ... virus-specific detection. ...
      (Incidents)
    • RE: Help in writing Network IDS/IPS signature to detect sftp vulnerability
      ... one can create a 'Policy violation' signature. ... It seems that 'WeOnlyDo' is the name of company which made this software. ... with real-world attacks from CORE IMPACT. ...
      (Focus-IDS)