IDS mailing list archives
Re: Vulnerability vs. Exploit signatures and IPS??
From: Iván Arce <ivan.arce () coresecurity com>
Date: Fri, 20 May 2005 18:43:06 -0300
It is not a question of which is better in a vacuum (signatures based on vulnerabilities vs. signatures based on exploits) but rather which you or your vendor does best.
To do it right, developing IDS/IPS signatures based on exploits requires the researcher/signature writer to understand those exploits and to be able to discern which portions of them are fixed requirements to trigger the vulnerability and which portions are just implementation decisions of the exploit writer. Some shortcuts can be taken here if the researcher has a very good understanding of exploit 'techniques' rather than just instances of exploits that are publicly available, otherwise the job turns into a reactive arms race against the available exploits.
Good signatures based solely on the vulnerabilities require the researcher/signature writer to fully understand the vuln and all the possible ways to exploit it. For this to be effective, once again, the researcher needs a very good understanding of exploit 'techniques' and/or exploit writing since he is basically trying to outwit ALL possible exploits and hence every exploit writer out there or risk having false negatives. For the pure anomaly behavior detection approach the researcher needs then to figure out ALL possible legitimate uses and operational environments of the vulnerable component or risk having false positives.
There are numerous examples of bad signatures (and possibly vendor patches) that were developed presumably based only on available exploits and there are numerous examples of bad signatures (and possibly vendor patches) presumably built using vulnerability analysis as the sole basis for development.
Common sense leads me to think that combining both methods is a good idea. Also there is a clear tradeoff between time and quality of the signature/filter: assuming the signature-writing team has equally balanced skills for both methods they will need to make a decision between getting signatures out faster and/or getting more accurate signatures out. To improve the process one would need to either increase the research team's capacity or improve their skills (or both).
Disclaimer: I work for a company that sells an automated penetration testing product that includes professionally developed exploits; it is often used by our customers to develop IDS/IPS signatures, test IDS/IPS deployments and various other things. On the other hand, since we write exploits for known vulns and occasionally find new vulns, I know there is a serious amount of vulnerability research involved in all cases. So I sort of have an insight into both methods.
-ivan

Jacob Winston wrote:

> Can someone explain to me the difference in writing signatures based on Vulnerabilities versus writing signatures based on Exploits? TippingPoint makes a claim that their IPS is better because they write signatures based on Vulnerabilities and not exploits. I don't quite understand this. Thank you,
>
> --------------------------------------------------------------------------
> Test Your IDS
> Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
> --------------------------------------------------------------------------
--
--- To strive, to seek, to find, and not to yield. - Alfred, Lord Tennyson, Ulysses, 1842

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce () coresecurity com
www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
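As an added illustration of the distinction argued in the post above (example code, not from the thread or from Core Security), the following contrasts an exploit-based signature that matches one public exploit's padding bytes with a vulnerability-based signature that checks the triggering condition itself; the text protocol, the 64-byte buffer and the sample messages are all constructed assumptions.

```python
import re

# Constructed scenario (assumption): a line-based service whose "USER <name>"
# handler copies the argument into a fixed 64-byte stack buffer, so any
# argument longer than that is what actually triggers the vulnerability.
BUFFER_SIZE = 64

# Exploit-based signature: a byte pattern lifted from one public exploit.
# The 16-byte NOP sled is an implementation decision of that exploit's
# author, not a fixed requirement for triggering the bug.
EXPLOIT_SIG = re.compile(rb"USER \x90{16}")

# Vulnerability-based signature: match the condition the bug needs
# (argument longer than the buffer), whatever bytes the payload uses.
USER_CMD = re.compile(rb"USER ([^\r\n]*)")


def exploit_sig_match(msg: bytes) -> bool:
    """True if the message carries the known exploit's fingerprint."""
    return EXPLOIT_SIG.search(msg) is not None


def vuln_sig_match(msg: bytes) -> bool:
    """True if the USER argument is long enough to overrun the buffer."""
    m = USER_CMD.match(msg)
    return m is not None and len(m.group(1)) > BUFFER_SIZE


# Constructed sample traffic: one legitimate login, the public exploit as
# published, and a trivial variant that swaps the sled for 'A' padding.
SAMPLES = {
    "benign": b"USER alice\r\n",
    "public_exploit": b"USER " + b"\x90" * 80 + b"\r\n",
    "variant_exploit": b"USER " + b"\x41" * 80 + b"\r\n",
}


def evaluate(samples: dict) -> dict:
    """Run both signatures over every sample and report the verdicts."""
    return {
        name: {"exploit_sig": exploit_sig_match(msg),
               "vuln_sig": vuln_sig_match(msg)}
        for name, msg in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLES).items():
        print(f"{name:16} exploit_sig={verdict['exploit_sig']!s:5} "
              f"vuln_sig={verdict['vuln_sig']}")
```

The variant exploit is the false negative the post warns about: the exploit-derived pattern misses it, while the condition-based check catches it without any knowledge of the payload bytes.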