IDS mailing list archives
RE: Vulnerability vs. Exploit signatures and IPS??
From: "Jason Anderson" <janderson () lancope com>
Date: Wed, 18 May 2005 15:47:47 -0400
A vulnerability is typically disclosed before an exploit exists to take advantage of it. From this disclosure it can be possible to create a signature that would fire when the conditions are met that would exploit the vulnerability. For example, a vulnerability may exist in a particular service that doesn't check parameter sizes correctly, allowing a buffer overflow. No known exploit exists, but it is possible for an application to monitor the size of the parameter passed to that service, and if it is of sufficient size to exploit the vulnerability, then block or alarm.

Once an exploit is released, it will typically have a more specific set of conditions that can be monitored - perhaps a particular byte sequence, string, padding or a specific parameter size. If those specific conditions are met, then a specific alarm can be raised for that named exploit.

Most modern IPS/IDS employ both "vulnerability signatures" and "exploit signatures". Vulnerability signatures can be written sooner, but are less specific, and can be prone to false positives (it's hard to anticipate every possible violation of the standard that might be legitimate, but resemble the attack) as well as false negatives (it's not always possible to create an accurate vulnerability pattern that catches every possible method of exploit). Exploit signatures come after the fact, but are typically more accurate.

Jason

--
Jason Anderson
Director of Engineering and Product Management
janderson () lancope com
http://www.lancope.com

-----Original Message-----
From: Jacob Winston [mailto:jctx09 () yahoo com]
Sent: Monday, May 16, 2005 10:58 PM
To: focus-ids () securityfocus com
Subject: Vulnerability vs. Exploit signatures and IPS??

Can someone explain to me the difference in writing signatures based on Vulnerabilities versus writing signatures based on Exploits? TippingPoint makes a claim that their IPS is better because they write signatures based on Vulnerabilities and not exploits.
I don't quite understand this.

Thank you,

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
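The distinction drawn in the reply above, as an added example that is not part of the original post: a vulnerability signature keyed on parameter size and an exploit signature keyed on a byte sequence, run over constructed traffic. The `USER` command, the 64-byte limit and the marker bytes are assumptions made up for the illustration.

```python
# Added illustration; the protocol, field limit and marker bytes are hypothetical.
MAX_PARAM = 64                        # assumed size of the service's fixed buffer
EXPLOIT_MARKER = b"\xde\xad\xbe\xef"  # constructed stand-in for one exploit's byte sequence


def parse_param(request: bytes):
    """Return the USER parameter, or None if the request is not a USER command."""
    verb, sep, param = request.rstrip(b"\r\n").partition(b" ")
    if verb != b"USER" or not sep:
        return None
    return param


def vulnerability_signature(request: bytes) -> bool:
    """Fires on the condition that triggers the flaw: any oversized parameter."""
    param = parse_param(request)
    return param is not None and len(param) > MAX_PARAM


def exploit_signature(request: bytes) -> bool:
    """Fires only on the byte sequence of one specific, named exploit."""
    param = parse_param(request)
    return param is not None and EXPLOIT_MARKER in param


def classify(request: bytes) -> dict:
    """Evaluate both signatures against one request."""
    return {"vulnerability": vulnerability_signature(request),
            "exploit": exploit_signature(request)}


# Constructed sample traffic (no real payloads).
SAMPLES = {
    "normal login": b"USER alice\r\n",
    "known exploit": b"USER " + b"A" * 80 + EXPLOIT_MARKER + b"\r\n",
    "unknown variant": b"USER " + b"B" * 80 + b"\x01\x02\x03\x04\r\n",
    "long but benign": b"USER " + b"very.long.mailbox.name" * 4 + b"@example.com\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:16} {classify(req)}")
```

The "unknown variant" row is caught only by the vulnerability signature, and the "long but benign" row shows the same signature alarming on size alone, which is the false-positive trade-off the reply describes.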
Current thread:
- Vulnerability vs. Exploit signatures and IPS?? Jacob Winston (May 18)
- Re: Vulnerability vs. Exploit signatures and IPS?? Matt . Carpenter (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? Ed Gibbs (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? Jordan Wiens (May 19)
- RE: Vulnerability vs. Exploit signatures and IPS?? Bill Royds (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? David W. Goodrum (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? Matthew Watchinski (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? Iván Arce (May 24)
- <Possible follow-ups>
- RE: Vulnerability vs. Exploit signatures and IPS?? Andrew Plato (May 19)
- RE: Vulnerability vs. Exploit signatures and IPS?? Jason Anderson (May 19)