IDS mailing list archives

Re: Vulnerability vs. Exploit signatures and IPS??


From: "David W. Goodrum" <dgoodrum () nfr com>
Date: Thu, 19 May 2005 10:03:28 -0400

TippingPoint is not the only vendor to do this. Most vendors now try to write signatures based on the vulnerability vs the exploit. Here's a real world example. SQL Slammer was the result of a vulnerability that had been known for many months to the security community. Shortly after it was first announced, there was a proof of concept exploit released also. Some vendors watched for the known exploit, which was to watch for a particular string in the released exploit code. Some vendors (NFR being one of many) chose to watch for the vulnerability, which was essentially a really long string sent via UDP on port 1434, which causes a buffer overflow. When SQL Slammer hit, months later, vendors who were watching for the vulnerability caught SQL Slammer without writing a new signature. Vendors who wrote signatures looking for the exploit did not.

There are plenty of other reasons to not watch for exploits. For example, products like ADMutate, which take existing exploits and mutate them to evade exploit-based signatures. So, the reason you watch for vulnerabilities, instead of exploits, is to catch the 0-day exploit of a known vulnerability, and to also catch people trying to evade your IDS/IPS system.

Often vendors will do both. So, they might identify a known exploit as a known exploit. That doesn't mean they're not watching for the vulnerability though. It just means that they were trying to be as accurate as possible, so they saw the vulnerability being exploited, and then identified the exploit as something known. It's pretty simple logic, and allows a vendor to give the most accurate alert when a vulnerability is exploited.

However, TippingPoint is not doing something unique here. They are doing the right thing... but they're not the only ones. NFR, ISS, and _many_ of the other big names are doing the same thing... not all vendors... but many. So, you should not only ask, but test if they are doing this. Just because a vendor says they watch for vulnerabilities vs the exploit, doesn't mean they are actually doing it. Bring in the products from various vendors, download the known exploits, then use products such as ADMutate (and others) to try to evade the IDS/IPS. Also, be sure to evaluate in IDS and IPS mode, if you plan on doing a mixed deployment. Just because a vendor detects/stops something in IPS mode, doesn't mean they'll do it in IDS mode... and vice versa.

hope this helps,

dave

David W. Goodrum
Senior Systems Engineer
(nfr)(security)
http://www.nfr.com



Jacob Winston wrote:


Can someone explain to me the difference in writing signatures based on Vulnerabilities versus writing signatures based on Exploits? TippingPoint makes a claim that their IPS is better because they write signatures based on Vulnerabilities and not exploits. I don't quite understand this.

Thank you,

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------


--
David W. Goodrum
Senior Systems Engineer
(nfr)(security)
http://www.nfr.com

See NFR Security at these upcoming events:

ADRP Conference, May 23-25, Jacksonville, FL
Gartner IT Security Summit, June 6-8, Washington, DC
NetSec 2005, June 13-14, Scottsdale, AZ
Security Ventures 2005, July 13, New York, NY



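The distinction Dave draws with SQL Slammer, shown as an added example (not code from the original post or from any vendor product): one rule matches a distinctive string from the proof-of-concept, the other matches the condition that triggers the flaw itself, an oversized request to UDP/1434. The marker string, the 0x04 request type check, the length threshold and all packets are constructed for illustration, not real worm bytes or a vendor's actual boundary.

```python
# Added example: exploit-based vs vulnerability-based signature for the
# SQL Server Resolution Service overflow that SQL Slammer exploited (UDP/1434).
# All payloads and thresholds below are constructed for illustration only.
from dataclasses import dataclass

SSRP_PORT = 1434
MAX_SAFE_LEN = 100  # assumed threshold for this example, not the real boundary

# Constructed stand-in for "a particular string in the released exploit code".
POC_MARKER = b"POC-EXPLOIT-MARKER"


@dataclass
class UdpPacket:
    dst_port: int
    payload: bytes


def exploit_signature(pkt: UdpPacket) -> bool:
    """Exploit-based: alert only when the known PoC's distinctive string is present."""
    return pkt.dst_port == SSRP_PORT and POC_MARKER in pkt.payload


def vulnerability_signature(pkt: UdpPacket) -> bool:
    """Vulnerability-based: alert on the triggering condition itself, a resolution
    request (assumed type byte 0x04) longer than the service is expected to handle."""
    return (pkt.dst_port == SSRP_PORT
            and len(pkt.payload) > 0
            and pkt.payload[0] == 0x04
            and len(pkt.payload) > MAX_SAFE_LEN)


def evaluate(pkt: UdpPacket) -> dict:
    """Run both rules over one packet and report which would have alerted."""
    return {"exploit": exploit_signature(pkt),
            "vulnerability": vulnerability_signature(pkt)}


# Constructed sample traffic: a normal short lookup, the original PoC with its
# marker, and a mutated variant (as ADMutate would produce) with the marker gone.
BENIGN = UdpPacket(SSRP_PORT, b"\x04MSSQLSERVER")
POC = UdpPacket(SSRP_PORT, b"\x04" + POC_MARKER + b"A" * 200)
MUTATED = UdpPacket(SSRP_PORT, b"\x04" + b"B" * 300)

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("poc", POC), ("mutated", MUTATED)]:
        print(name, evaluate(pkt))
```

The mutated packet is the case the post describes: the exploit rule stays silent while the vulnerability rule still fires, which is also the behaviour to verify when testing vendors as suggested above.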
