IDS mailing list archives
Re: Exploit-based signature is dead, or not?
From: Joel Esler <eslerj () gmail com>
Date: Sat, 28 Mar 2009 21:11:35 -0400
I just found an email thread about this exact subject back in May of 05.

http://archives.neohapsis.com/archives/sf/ids/2005-q2/

Joel

2009/3/13 tanyoo10 <tanyoo10 () 163 com>:
Greetings to everyone.

I have some questions about exploit-based and vulnerability-based signatures of IDS. I heard that exploit-based signatures are dead (useless), since vulnerability-based signatures are more effective than exploit-based signatures in that they can detect unknown exploits if a vulnerability can be utilized by many exploits. However, I don't agree with this argument, for the following reasons:

(1) When a vulnerability is unknown, exploit-based might be a good solution.

(2) Exploit-based signatures are still irreplaceable for early defense against zero-day worms or zero-day exploits, since exploit-based signatures can be generated in a more timely way.

(3) In a perfect world, we need to generate both types of signatures (even if in the end we only use vulnerability-based signatures for detection). That way we not only know we were attacked, but we know with what type of exploit; or that it's a new unknown variant of an exploit. That's useful information in and of itself.

To support the above viewpoints, I have some concrete questions that need to be answered:

(1) Were there some attacks that have an exploit-based signature but no vulnerability-based signature? Can someone give me some examples?

(2) Are there examples showing that exploit-based signatures were generated much more quickly than vulnerability-based signatures for historical worms or attacks?

(3) Do current IDSs (e.g. Snort) use both exploit-based and vulnerability-based signatures? If so, what percentage of signatures are exploit-based?

Thanks for any input on the "exploit-based vs. vulnerability-based signature" discussion!
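The difference the thread is arguing about is easy to see side by side. The following is an added example, not code from this thread or from any IDS product: a toy "USER <name>" protocol handled by a hypothetical server with an unchecked 64-byte username buffer, one exploit-based signature keyed on bytes copied from a specific (constructed) exploit, and one vulnerability-based signature that decodes the request and tests the overflow condition itself. The protocol, the buffer size, the exploit bytes and the sample packets are all constructed for illustration.

```python
"""Exploit-based vs vulnerability-based signatures over a toy protocol.

Constructed example. The protocol, the 64-byte buffer and the exploit bytes
are all hypothetical; nothing here is a real rule or a real exploit.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Hypothetical server: the value of "USER <name>\r\n" is copied into a
# 64-byte buffer without a length check. Any USER value longer than that is
# the vulnerability condition, regardless of which bytes follow.
USER_BUFFER_SIZE = 64

# Constructed byte sequence standing in for the sled+shellcode prefix of one
# specific, known exploit ("exploit A"). The exploit-based signature keys on it.
EXPLOIT_A_MARKER = b"\x90" * 8 + b"\xeb\x1f\x5e\x89\x76\x08"

EXPLOIT_A_SIG = "exploit-based: user-overflow exploit A"
VULN_SIG = "vulnerability-based: USER value longer than 64 bytes"


@dataclass(frozen=True)
class Signature:
    name: str
    match: Callable[[bytes], bool]


def parse_user_request(packet: bytes):
    """Return the USER value (bytes) if packet is a USER request, else None."""
    if not packet.startswith(b"USER "):
        return None
    end = packet.find(b"\r\n")
    return packet[5:] if end < 0 else packet[5:end]


def match_exploit_a(packet: bytes) -> bool:
    # Exploit-based: plain content match on bytes taken from one exploit.
    return EXPLOIT_A_MARKER in packet


def match_user_overflow(packet: bytes) -> bool:
    # Vulnerability-based: decode the protocol and test the condition that
    # triggers the bug, independent of any particular payload.
    value = parse_user_request(packet)
    return value is not None and len(value) > USER_BUFFER_SIZE


SIGNATURES: List[Signature] = [
    Signature(EXPLOIT_A_SIG, match_exploit_a),
    Signature(VULN_SIG, match_user_overflow),
]


def scan(packet: bytes) -> List[str]:
    """Names of all signatures that fire on one packet, in rule order."""
    return [s.name for s in SIGNATURES if s.match(packet)]


# Constructed traffic samples.
SAMPLES: Dict[str, bytes] = {
    # Ordinary login: neither signature should fire.
    "benign": b"USER alice\r\n",
    # The known exploit: overlong USER value carrying exploit A's bytes.
    "exploit_a": b"USER " + b"A" * 70 + EXPLOIT_A_MARKER + b"\r\n",
    # A rewritten exploit for the same bug: different sled, different shellcode.
    "unknown_variant": b"USER " + b"B" * 70 + b"\x41" * 8 + b"\x31\xc0\x50\x68" + b"\r\n",
    # Exploit A's bytes on a command that never reaches the vulnerable copy.
    "marker_elsewhere": b"DATA " + EXPLOIT_A_MARKER + b"\r\n",
}


def detections() -> Dict[str, List[str]]:
    """Run every sample through both signatures; label -> signature names."""
    return {label: scan(pkt) for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in detections().items():
        print(f"{label:18s} -> {hits or ['no alert']}")
```

Running it shows the trade-off behind tanyoo10's points (2) and (3): the known exploit trips both rules, so the alert names the exploit; the rewritten variant trips only the vulnerability-based rule, which is exactly the "new unknown variant" case; and the exploit bytes on a non-vulnerable command trip only the exploit-based rule, which is content matching with no knowledge of whether the bug is reachable.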
Current thread:
- Re: Intrusion Detection Evaluation Datasets, (continued)
- Re: Intrusion Detection Evaluation Datasets Ravi Chunduru (Mar 20)
- Re: Intrusion Detection Evaluation Datasets Damiano Bolzoni (Mar 18)
- Re: Intrusion Detection Evaluation Datasets Seth Hall (Mar 16)
- Re: Intrusion Detection Evaluation Datasets Sam Gorton (Mar 13)
- Re: Intrusion Detection Evaluation Datasets Raffael Marty (Mar 13)
- Exploit-based signature is dead, or not? tanyoo10 (Mar 16)
- Re: Exploit-based signature is dead, or not? Sergio 'shadown' Alvarez (Mar 16)
- Re: Exploit-based signature is dead, or not? Jackie Lai (Mar 17)
- Re: Re: Exploit-based signature is dead, or not? tanyoo10 (Mar 17)
- RE: Exploit-based signature is dead, or not? Addepalli Srini-B22160 (Mar 17)
- Re: Exploit-based signature is dead, or not? Joel Esler (Mar 30)
- Re: Exploit-based signature is dead, or not? tanyoo10 (Mar 18)
- Re: Re: Intrusion Detection Evaluation Datasets zubair . shafiq (Mar 13)