Bugtraq mailing list archives
Re: Snort exploits
From: Darren Reed <avalon () coombs anu edu au>
Date: Thu, 18 Apr 2002 18:08:49 +1000 (Australia/ACT)
Given your history in "the industry", what is your impression of the average lag time between a virus being released into the wild and a fingerprint update being available from a vendor? Is it days, weeks or months? Also, what's the average interval in updates for anti-virus software users?

Let's say I map out all the web servers on the net, next month. The next day a new vulnerability in IIS is released. Within a day I should be able to "0wn" a number of web servers I know to be vulnerable. Unlike a virus, me exploiting them is not dependent upon them doing anything (i.e. reading their email) except having IIS up and running. Also, it is "always rush hour somewhere on the 'net".

Another difference is in what it takes for a virus to work. It has to propagate from system to system and will eventually make itself known. Once released, it is out of control of the writer (more or less).

The IDS vs hackers battle is different. A hacker may develop an exploit and use it successfully through IDSs for some time, maybe even years. The IDS provides a defence against known scripts and known exploits but there is no reason to believe that this knowledge is anywhere near the 99% level an anti-virus program will achieve.

If IDS vendors construct good honeypots, there is a chance that they may pick up otherwise unknown attack signatures. You might even venture to say that any IDS vendor that doesn't have a number of sophisticated honeypots for this purpose is on the road to nowhere.

Darren