IDS mailing list archives

Re: Vulnerability vs. Exploit signatures and IPS??

From: "Ed Gibbs" <ed () digitalconclave com>
Date: Wed, 18 May 2005 13:00:54 -0700

Jacob,

Vulnerabilities are the flaw, while an exploit is what takes advantage ofthe vulnerability.

For example, Blaster. The vulnerability was in Microsoft's DCE RPC code,while "Blaster" was the name of the exploit that took advantage of the flawin the code. When Blaster first hit the net, signature writers werescrambling to develop a signature that would detect it, but kept producingsignatures for the exploit, which kept changing, and therefore newsignatures were coming out (some as high as 16 different signatures).

TippingPoint is correct in their assertion that writing signatures for thevulnerability is better. Signatures based on exploits run into problems,simply because exploits have variances and can morph, which makes signaturesbased on the exploit ineffective. However, signatures based on thevulerability typically doesn't change.


Ed Gibbs
IPS Security Technologist
ed () digitalconclave com





Exploit

----- Original Message -----From: "Jacob Winston" <jctx09 () yahoo com>

To: <focus-ids () securityfocus com>
Sent: Monday, May 16, 2005 7:57 PM
Subject: Vulnerability vs. Exploit signatures and IPS??

Can someone explain to me the difference in writing signatures based onVulnerabilities versus writing signatures based on Exploits? TippingPointmakes a claim that their IPS is better because they write signatures basedon Vulnerabilities and not exploits. I don't quite understand this.


Thank you,

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?

Find out quickly and easily by testing it with real-world attacks fromCORE IMPACT.Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708to learn more.

--------------------------------------------------------------------------

Current thread:

Vulnerability vs. Exploit signatures and IPS?? Jacob Winston (May 18)
- Re: Vulnerability vs. Exploit signatures and IPS?? Matt . Carpenter (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? Ed Gibbs (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? Jordan Wiens (May 19)
- RE: Vulnerability vs. Exploit signatures and IPS?? Bill Royds (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? David W. Goodrum (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? Matthew Watchinski (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? Iván Arce (May 24)
- <Possible follow-ups>
- RE: Vulnerability vs. Exploit signatures and IPS?? Andrew Plato (May 19)
- RE: Vulnerability vs. Exploit signatures and IPS?? Jason Anderson (May 19)