RE: Vulnerability & Exploit Signatures

From: Ofer Shezaf (Ofer.Shezaf_at_breach.com)
Date: 06/19/05

    Date: Sun, 19 Jun 2005 08:22:19 -0400
    To: "Kelly Dowd" <loris65@gmail.com>, "Jackson Yu" <jackson.yu@earthlink.net>, <focus-ids@securityfocus.com>
    
    

    > From: Kelly Dowd [mailto:loris65@gmail.com]
    > Sent: Thursday, June 16, 2005 3:26 PM
    >
    > I doubt there is any licensing of base signatures between vendors
    > (signature engines vary greatly between products, you can't just 'use'
    > another product's sigs). You will find that some developers look at
    > existing signature sets to get 'ideas', but it's far from a
    > one-for-one copy. Companies must develop their own sigs just like
    > they develop their own appliances... it's a total package.
    >

    Actually, there is a thriving commercial market for signature
    databases. I think that this market is natural for two reasons:

    a. More and more unified boxes do IDS in addition to other features. It
    is very difficult to maintain the IP required for all those features and
    buying the know-how from specialists is a good way to go.

    b. Vulnerability-based signatures are becoming just one of the detection
    tools in the arsenal of a good intrusion detection system. Behavioral
    technologies, misuse technologies more advanced than signatures and
    positive logic (protocol compliance for example) are complementing
    traditional vulnerability signatures. Again, licensing the signatures part
    of the product is a viable alternative.

    ~ Ofer

    Ofer Shezaf
    OWASP Israel Chair
    http://www.owasp.org/local/israel.html

    CTO, Breach Security
    Phone (US): +1 (760) 268.1924 ext. 702
    Phone (Israel): +972 (9) 956.0036 ext.212
    Cell: +972 (54) 443.1119
    ofers@breach.com
    http://www.breach.com
