IDS mailing list archives

RE: CVE selection for IDS/IPS signature rules

From: "Dimitris Patsos" <dpat () space gr>
Date: Tue, 3 Jun 2008 21:42:06 +0300

Hi,

Let me add another complexity dimension in this topic.

Few IDS/IPS vendors can correlate their vulnerability assessment tools
with their IDP products (i.e. McAfee,IBM,Tenable,and a few others). None
of them however, can link vulnerabilities with exploits and IDP
signatures as well, which makes sense since IDP detects attacks (i.e.
one or more vulnerabilities exploited in a predefined -not random-
order) not plain vulnerabilities.

The IDP community -to the best of my knowledge- is still missing a
topological-aware mechanism to produce potential attacks based on real
vulnerabilities found in systems/networks. To this extend, it is still
virtually impossible to eliminate false positives in IDP (learning mode
is a nightmare for those who tried, clearly not an option) while it's
also extremely hard to eliminate false negatives in VA tools (it would
be great if a tool could base verdict upon partially discovered signs of
attacks).

What seems of interest and what I've been working on this for the last
couple of years is to integrate post-incident capabilities (e.g. info
from SIEMs) along with vulnerability scoring (like Mitre's CVSS) into
IDP/VA tools. 

This would allow for quite flexible configuration scenarios in IDP,
since vulnerabilities are discovered (VA tool) and (semi)automatically
scored (CVSS), verified (SIEM information) while a smaller set of
signatures (IDP) can detect and block attacks since they can break the
predefined order of vulnerability exploit.

In other words, such a view could allow for policies based on attack
paths and not underlying OS, network topology, collision domains, groups
or VLANs.

Thanks a lot,

Dimitrios Patsos, 
Ph.D.(Cand),M.Sc.,CCSE,CCDA,CCSP,CME

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Enigma
Sent: Tuesday, June 03, 2008 8:44 PM
To: Ravi Chunduru
Cc: Focus IDS
Subject: Re: CVE selection for IDS/IPS signature rules

Ravi Chunduru wrote:

Hi,

There are over 30000 CVE vulnerability reports.  Many IDS/IPS devices
have around 4000-5000 signature rules. My guess is that these
signatures may cover (detect)around 4000-7000 attacks.  23000 to 26000
CVEs, that is, significant number of CVEs are not covered by IDS/IPS
devices.

I am guessing that there is reason for this. IDS/IPS vendors may be
selecting few CVEs for developing signatures. What is the selection
criteria followed in industry? One criteria, I know is that Network
IDS/IPS devices don't need to worry about attacks that can only be
mounted on the local machine, that is,  NIDS/NIPS devices only need to
worry about detection of attacks mounted remotely. Are there any other
considerations?

Thanks
Ravi

------------------------------------------------------------------------

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to

http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw

to learn more.

------------------------------------------------------------------------

  

Couple of things:

   1. If you are talking about Network IDS/IPS, not all vulnerabilities
      are remotely exploitable.  Some local vulnerabilities can only be 
      detected by a HIDS if they can be detected at all.
   2. Keep in mind that CVE is Common **Vulnerability* *and Exposures,
      so it covers any vulnerability where IDS/IPS are generally
      exploit-centric.  How are you going to detect if a vulnerability
      is exploited if there is no publicly known exploit?  How do you
      find something when you don't know what it looks like?


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw 
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

Current thread:

Re: CVE selection for IDS/IPS signature rules abhicc285 (Jun 03)
- Re: CVE selection for IDS/IPS signature rules Jose Nazario (Jun 03)
- <Possible follow-ups>
- Re: CVE selection for IDS/IPS signature rules Enigma (Jun 03)
  - RE: CVE selection for IDS/IPS signature rules Dimitris Patsos (Jun 03)
  - Re: CVE selection for IDS/IPS signature rules Leon Ward (Jun 03)
    - Re: CVE selection for IDS/IPS signature rules Enigma (Jun 05)
    - Re: CVE selection for IDS/IPS signature rules Joel Esler (Jun 05)
- RE: CVE selection for IDS/IPS signature rules Srinivasa Addepalli (Jun 03)
  - Re: CVE selection for IDS/IPS signature rules Ravi Chunduru (Jun 03)