IDS mailing list archives
Re: CVE selection for IDS/IPS signature rules
From: Ron Gula <rgula () tenablesecurity com>
Date: Thu, 29 May 2008 14:35:41 -0400
Ravi Chunduru wrote:
Hi, There are over 30000 CVE vulnerability reports. Many IDS/IPS devices have around 4000-5000 signature rules. My guess is that these signatures may cover (detect)around 4000-7000 attacks. 23000 to 26000 CVEs, that is, significant number of CVEs are not covered by IDS/IPS devices. I am guessing that there is reason for this. IDS/IPS vendors may be selecting few CVEs for developing signatures. What is the selection criteria followed in industry? One criteria, I know is that Network IDS/IPS devices don't need to worry about attacks that can only be mounted on the local machine, that is, NIDS/NIPS devices only need to worry about detection of attacks mounted remotely. Are there any other considerations? Thanks Ravi
Hi Ravi, There are several reasons, probably more. Some NIDS vendors try to code for generic exploit vectors and not specific vulnerabilities. Some try to do both. Many of the CVEs not covered are for products that have come and gone, are very old, don't work over TCP/IP and so on. Some CVE entries focus on weak encryption and denial of service attacks which can be difficult to see with NIDS technology. Ron Gula Tenable Network Security http://www.nessus.org ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
Current thread:
- CVE selection for IDS/IPS signature rules Ravi Chunduru (May 29)
- Re: CVE selection for IDS/IPS signature rules Ron Gula (May 29)