IDS mailing list archives
Re: Vulnerability & Exploit Signatures
From: dgr8hunt <dhruv_ymca () yahoo com>
Date: Wed, 15 Jun 2005 08:39:10 -0700 (PDT)
IPS signature names would ofcourse be same ha! coz they are all developed to stop some sort of attack ;D. So if a vulnerability comes with xyz name every IPS vendor will come-up with a signature for xyz. But now question is, was there really requirement of updating signature base to overcome this vulnerability? or there was already some mechanism in IPS to block zero day attack. Sort of protocol decoding/header processing/Application layer protection/Protocol Anomaly/Traffic Anomaly etc. etc. If above features are not present or can't protect that specific attack. Then comes signature database. Now questions that come to mind are: Can the signature be bypassed using IDS evasion techniques(Architecture problems)? How good is the architecture and what all functionality[written above..] it provides? A threat was running on the list few days back about Exploit based signatures and Vulnerability based signatures. So see what solution the vendor is providing to the market. Every IPS has its own compiler and language. So even if every vendor take the signatures out of sourcefire you can't comment on that. Coz even if vendor will write its own signture that will also match atleast 95% with snort's signature and vice-versa, condition is that both are writing accurate signature :) So at the EOD IPS user should not see any attacks, that is all he/she would like. Should be least worried about the sources from where signatures can originate to an IPS vendor. Rather should be worried for the response time that the vendor has taken for an attack once attack gets available to public on various security sites. Signature count for an IPS can even go beyond 15,000 or may be more. And preparing a comparision sheet of signatures for all the IPS vendors to see the difference of 300signatures or 1500signatures won't be good way of comparing any IPS product. Feel the technology inside :) cheers! Dhruv --- Jackson Yu <jackson.yu () earthlink net> wrote:
Hi, I'm new to this list, so please bear with my question: ASIC/FPGA/Software/detection techniques aside, I sense that a huge value of IPS vendors are the lab-type organizations that are constantly developing new filters in response to new vulnerabilities and exploits. However, there's no way that such vendors can "hit the market" if you will with 2000+ filters out on day one. Do all these vendors license the same set of "base" filters from, say, Sourcefire / Snort derived rule source in the back? Is there a commonality there? At the end of the day, can I say that "Gee, most vendors' base set of 1500 IPS signatures are the same, its just the 300 or so that the vendors have additionally developed on top of that 1500 that are different!" Thanks Jackson
--------------------------------------------------------------------------
Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
__________________________________ Discover Yahoo! Use Yahoo! to plan a weekend, have fun online and more. Check it out! http://discover.yahoo.com/ -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Vulnerability & Exploit Signatures Jackson Yu (Jun 15)
- Re: Vulnerability & Exploit Signatures dgr8hunt (Jun 16)
- Re: Vulnerability & Exploit Signatures Kelly Dowd (Jun 16)
- Re: Vulnerability & Exploit Signatures Matt Jonkman (Jun 16)
- Re: Vulnerability & Exploit Signatures MadHat (Jun 16)
- Re: Vulnerability & Exploit Signatures M. Dodge Mumford (Jun 16)
- <Possible follow-ups>
- RE: Vulnerability & Exploit Signatures Kyle Quest (Jun 17)
- RE: Vulnerability & Exploit Signatures Marc Maiffret (Jun 17)
- Re: RE: Vulnerability & Exploit Signatures tk (Jun 20)
- RE: Vulnerability & Exploit Signatures Ofer Shezaf (Jun 20)
- Re: Vulnerability & Exploit Signatures Joel Esler (Jun 21)