IDS mailing list archives

Re: Vulnerability vs. Exploit signatures and IPS??

From: Jordan Wiens <numatrix () ufl edu>
Date: Wed, 18 May 2005 16:04:52 -0400 (EDT)

Most vendors claim that.  Some do it.

Let's consider the following hypothetical situation. A vulnerability isannounced in a product, but it's a particularly convoluted and difficultbuffer overflow and I don't quite know how it works. I just wait a bit,and sure enough; the Metasploit guys add an exploit for it. Now I runthat exploit against a vulnerable server and I sniff the network trafficit generates. I write a signature based on that traffic that seems to be'good' in that it doesn't have any other false positives on a large floodof legitimate traffic to the server, and it also successfully catches thecompromise via metasploit every time.

It's quite possible that because I didn't understand which part of theattack was the actual necessary exploit and which was just metasploit'spadding for the overflow, or the backdoor code, or whatever, that someoneelse could come along and write an entirely new exploit that would nottrigger my signature, or even just modify the default metasploit attack,and likewise escape my signature.

A signature written for the vulnerability means that (baring certain typesof obfuscation and evasion) any exploit generated will trigger thatsignature if it triggers the vulnerability.

This is actually a fairly difficult thing to do in some situations. Mostsignature writers will of course try to write to the vulnerability, butbecause of the difficulty, you often see ones written for an exploit.

Of course, in the perfect world, we have both types of signatures. Thatway you not only know you were attacked, but you know with what type ofexploit; or that it's a new unknown variant of an exploit. That's usefulinformation in and of itself.


--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061

On Mon, 17 May 2005, Jacob Winston wrote:




Can someone explain to me the difference in writing signatures based on Vulnerabilities versus writing signatures based on 
Exploits? TippingPoint makes a claim that their IPS is better because they write signatures based on Vulnerabilities and not 
exploits. I don't quite understand this.

Thank you,

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?

Find out quickly and easily by testing it with real-world attacks fromCORE IMPACT.Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708to learn more.

--------------------------------------------------------------------------

Current thread:

Vulnerability vs. Exploit signatures and IPS?? Jacob Winston (May 18)
- Re: Vulnerability vs. Exploit signatures and IPS?? Matt . Carpenter (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? Ed Gibbs (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? Jordan Wiens (May 19)
- RE: Vulnerability vs. Exploit signatures and IPS?? Bill Royds (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? David W. Goodrum (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? Matthew Watchinski (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? Iván Arce (May 24)
- <Possible follow-ups>
- RE: Vulnerability vs. Exploit signatures and IPS?? Andrew Plato (May 19)
- RE: Vulnerability vs. Exploit signatures and IPS?? Jason Anderson (May 19)