IDS mailing list archives

Re: Vulnerability & Exploit Signatures


From: dgr8hunt <dhruv_ymca () yahoo com>
Date: Wed, 15 Jun 2005 08:39:10 -0700 (PDT)


IPS signature names would of course be the same, ha! Coz
they are all developed to stop some sort of attack ;D.
So if a vulnerability comes with the name xyz, every IPS
vendor will come up with a signature for xyz.
 
But now the question is, was there really a requirement of
updating the signature base to overcome this
vulnerability? Or was there already some mechanism in
the IPS to block the zero day attack, sort of protocol
decoding/header processing/application layer
protection/protocol anomaly/traffic anomaly etc. etc.

If the above features are not present or can't protect against
that specific attack, then comes the signature database.
Now the questions that come to mind are:

Can the signature be bypassed using IDS evasion
techniques (architecture problems)? How good is the
architecture and what all functionality [written
above..] does it provide?

A thread was running on the list a few days back about
exploit based signatures and vulnerability based
signatures. So see what solution the vendor is
providing to the market.

Every IPS has its own compiler and language. So even
if every vendor takes the signatures out of Sourcefire
you can't comment on that. Coz even if a vendor
writes its own signature, that will also match at least
95% with Snort's signature and vice-versa, on the condition
that both are writing accurate signatures :)

So at the EOD the IPS user should not see any attacks,
that is all he/she would like. He/she should be least worried
about the sources from where signatures can originate
to an IPS vendor. Rather, he/she should be worried about the
response time that the vendor has taken for an attack
once the attack becomes available to the public on various
security sites.

The signature count for an IPS can even go beyond 15,000
or maybe more. And preparing a comparison sheet of
signatures for all the IPS vendors to see the
difference of 300 signatures or 1500 signatures won't be
a good way of comparing any IPS product.

Feel the technology inside :)

cheers!

Dhruv


--- Jackson Yu <jackson.yu () earthlink net> wrote:

Hi, I'm new to this list, so please bear with my
question:

ASIC/FPGA/Software/detection techniques aside, I
sense that a huge value of IPS vendors is the lab-type
organizations that are constantly developing new filters
in response to new vulnerabilities and exploits.
However, there's no way that such vendors can "hit the
market", if you will, with 2000+ filters out on day one.

Do all these vendors license the same set of "base"
filters from, say, a Sourcefire / Snort derived rule
source in the back? Is there a commonality there? At the
end of the day, can I say that "Gee, most vendors' base
set of 1500 IPS signatures are the same, it's just the 300
or so that the vendors have additionally developed
on top of that 1500 that are different!"


Thanks

Jackson




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with
real-world attacks from 
CORE IMPACT.
Go to

http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.

--------------------------------------------------------------------------