IDS mailing list archives

RE: Vulnerability vs. Exploit signatures and IPS??


From: "Jason Anderson" <janderson () lancope com>
Date: Wed, 18 May 2005 15:47:47 -0400

A vulnerability is typically disclosed before an exploit exists to take
advantage of it. From this disclosure it can be possible to create a
signature that would fire when the conditions are met that would exploit
the vulnerability.

For example, a vulnerability may exist in a particular service that
doesn't check parameter sizes correctly, allowing a buffer overflow. No
known exploit exists, but it is possible for an application to monitor
the size of the parameter passed to that service, and if it is of
sufficient size to exploit the vulnerability, then block or alarm.

Once an exploit is released, it will typically have a more specific set
of conditions that can be monitored - perhaps a particular byte
sequence, string, padding or a specific parameter size. If those
specific conditions are met, then a specific alarm can be raised for
that named exploit.

Most modern IPS/IDS employ both "vulnerability signatures" and "exploit
signatures". Vulnerability signatures can be written sooner, but are
less specific, and can be prone to false positives (it's hard to
anticipate every possible violation of the standard that might be
legitimate, but resemble the attack) as well as false negatives (it's
not always possible to create an accurate vulnerability pattern that
catches every possible method of exploit). Exploit signatures come after
the fact, but are typically more accurate.

Jason

--
Jason Anderson
Director of Engineering and Product Management
janderson () lancope com
http://www.lancope.com


-----Original Message-----
From: Jacob Winston [mailto:jctx09 () yahoo com] 
Sent: Monday, May 16, 2005 10:58 PM
To: focus-ids () securityfocus com
Subject: Vulnerability vs. Exploit signatures and IPS??




Can someone explain to me the difference in writing signatures based on
Vulnerabilities versus writing signatures based on Exploits?
TippingPoint makes a claim that their IPS is better because they write
signatures based on Vulnerabilities and not exploits. I don't quite
understand this.

Thank you,





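The distinction Jason draws above, as an added example that is not part of the list post or of any product: a hypothetical service with a 128-byte parameter buffer, one vulnerability-style check (oversized parameter) and one exploit-style pattern (a specific byte sequence), run over constructed requests to show the false-positive and false-negative trade-off. The request format, buffer size and exploit marker are assumptions.

```python
import re

# Constructed scenario: the hypothetical service accepts lines of the form
#   "SET <name> <value>\n" and copies <value> into a 128-byte buffer
# without a length check. Any value longer than the buffer is assumed
# to reach the flaw; the number is an assumption for this example.
BUFFER_SIZE = 128

# Vulnerability signature: fires on the condition that makes the flaw
# reachable (parameter larger than the buffer), whatever exploit is used.
def vulnerability_signature(msg: bytes) -> bool:
    m = re.match(rb"SET\s+\S+\s+(\S+)", msg)
    return m is not None and len(m.group(1)) > BUFFER_SIZE

# Exploit signature: fires only on the byte pattern of one published exploit.
# "PAYLOAD-V1" after 64 bytes of padding is a constructed marker, not real
# exploit content; a real signature would carry the exploit's own bytes.
EXPLOIT_PATTERN = re.compile(rb"SET\s+\S+\s+A{64}PAYLOAD-V1")

def exploit_signature(msg: bytes) -> bool:
    return EXPLOIT_PATTERN.search(msg) is not None

def classify(msg: bytes) -> dict:
    """Report which signature class fires for one request line."""
    return {"vuln": vulnerability_signature(msg),
            "exploit": exploit_signature(msg)}

# Constructed sample traffic covering the four cases in the post.
BENIGN = b"SET colour blue\n"
# Legitimate but oversized value: the vulnerability signature's false positive.
BENIGN_LONG = b"SET note " + b"x" * 300 + b"\n"
# The published exploit: both signatures fire.
EXPLOIT_V1 = b"SET name " + b"A" * 64 + b"PAYLOAD-V1" + b"B" * 200 + b"\n"
# A rewritten exploit with different padding: the exploit signature misses it
# (false negative), the vulnerability signature still catches it.
EXPLOIT_VARIANT = b"SET name " + b"C" * 300 + b"\n"

def run_samples() -> dict:
    """Classify every sample; keyed by sample name for inspection."""
    samples = {"benign": BENIGN, "benign_long": BENIGN_LONG,
               "exploit_v1": EXPLOIT_V1, "exploit_variant": EXPLOIT_VARIANT}
    return {name: classify(msg) for name, msg in samples.items()}

if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:16s} vuln={result['vuln']!s:5s} exploit={result['exploit']}")
```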