IDS mailing list archives

Re: CVE selection for IDS/IPS signature rules


From: Enigma <enigma () security-fu com>
Date: Tue, 03 Jun 2008 13:43:47 -0400

Ravi Chunduru wrote:
Hi,

There are over 30000 CVE vulnerability reports.  Many IDS/IPS devices
have around 4000-5000 signature rules. My guess is that these
signatures may cover (detect) around 4000-7000 attacks.  23000 to 26000
CVEs, that is, a significant number of CVEs, are not covered by IDS/IPS
devices.

I am guessing that there is a reason for this. IDS/IPS vendors may be
selecting a few CVEs for developing signatures. What are the selection
criteria followed in industry? One criterion I know is that Network
IDS/IPS devices don't need to worry about attacks that can only be
mounted on the local machine, that is, NIDS/NIPS devices only need to
worry about detection of attacks mounted remotely. Are there any other
considerations?

Thanks
Ravi


Couple of things:

  1. If you are talking about Network IDS/IPS, not all vulnerabilities
     are remotely exploitable. Some local vulnerabilities can only be
     detected by a HIDS if they can be detected at all.
  2. Keep in mind that CVE is Common *Vulnerability* and Exposures,
     so it covers any vulnerability where IDS/IPS are generally
     exploit-centric.  How are you going to detect if a vulnerability
     is exploited if there is no publicly known exploit?  How do you
     find something when you don't know what it looks like?

