IDS mailing list archives

RE: Exploit-based signature is dead, or not?


From: "Addepalli Srini-B22160" <saddepalli () freescale com>
Date: Mon, 16 Mar 2009 13:27:49 -0700

Hi,

Exploit code can be used to figure out the kind of vulnerability that an application/system has. Hence the signatures 
developed once the vulnerability is understood can be said to be vulnerability-based signatures, as per your 
terminology. But there are exceptions.

If the vulnerability can be mapped to a standard protocol and the exploitation happens due to protocol information, 
then there is a very big possibility that the signature developed stops different variations of exploits taking 
advantage of the vulnerability. 

But if the protocol is proprietary and not publicly known, then it can become difficult to create a signature with good 
confidence.  There can be false positives and false negatives.  This may be called an exploit-based signature.  But these 
signatures at the minimum protect internal resources from script kiddies.

Other cases where there could be problems in developing good signatures are:

- Sensor not having protocol intelligence:  Signatures would be based on raw content and can result in false 
positives and negatives.

- Data-based vulnerabilities such as vulnerabilities in ActiveX and JavaScript:  Many signatures developed in this 
area would be mostly based on exploits, especially if the IDS/IPS doesn't have the intelligence to interpret JavaScript 
and HTML pages.

Since many IDP devices in the market today don't do good analysis on the data portion (email attachments, HTML pages, HTML 
download files, FTP transferred files etc.), the probability of a signature being 'exploit based' is higher in the case of 
client protection.

Regards
Srini
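The distinction drawn above (a signature keyed to one exploit's bytes versus one keyed to the protocol condition that triggers the bug, and the false positives a raw-content sensor produces) is illustrated by the following added example. It is not code from this thread or from any IDS product: the line-based service, its USER command, the 64-byte buffer, the "EXPLOIT_V1" marker and every traffic sample are constructed for the illustration.

```python
"""
Toy comparison of an exploit-based and a vulnerability-based IDS signature.

Assumed (hypothetical) target: a line-based service whose USER command
copies its argument into a fixed 64-byte buffer. Every traffic sample below
is constructed for this example; none comes from a real exploit or product.
"""
import re

BUFFER_SIZE = 64  # assumed size of the hypothetical vulnerable buffer

# Exploit-based signature: a raw byte pattern lifted from one (fictional)
# published exploit -- a NOP sled followed by that exploit's shellcode marker.
EXPLOIT_PATTERN = re.compile(rb"\x90{8,}EXPLOIT_V1")


def exploit_based(pdu: bytes) -> bool:
    """Fire when the known exploit's bytes appear anywhere in the PDU.

    No protocol decoding: this is what a sensor without protocol
    intelligence does with raw content.
    """
    return EXPLOIT_PATTERN.search(pdu) is not None


def parse_command(pdu: bytes):
    """Minimal protocol decode of the toy format: b'<VERB> <arg>\\r\\n'."""
    line, _, _ = pdu.partition(b"\r\n")
    verb, _, arg = line.partition(b" ")
    return verb.upper(), arg


def vulnerability_based(pdu: bytes) -> bool:
    """Fire on the condition that triggers the bug, whatever the payload:
    a USER argument longer than the buffer it is copied into."""
    verb, arg = parse_command(pdu)
    return verb == b"USER" and len(arg) > BUFFER_SIZE


# Constructed samples: the published exploit, a re-encoded variant of it,
# a benign login, and a binary upload that happens to contain the sled bytes.
SAMPLES = {
    "published exploit":
        b"USER " + b"\x90" * 16 + b"EXPLOIT_V1" + b"A" * 60 + b"\r\n",
    "re-encoded variant":
        b"USER " + b"\x41" * 120 + b"\r\n",
    "benign login":
        b"USER alice\r\n",
    "binary upload containing sled bytes":
        b"DATA " + b"\x90" * 16 + b"EXPLOIT_V1" + b"\r\n",
}


def evaluate():
    """Return {sample name: (exploit_based fired, vulnerability_based fired)}."""
    return {name: (exploit_based(p), vulnerability_based(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ex, vuln) in evaluate().items():
        print(f"{name:38s} exploit-based={ex!s:5s} vulnerability-based={vuln}")
```

The variant is the case Srini describes: same bug, different bytes, so only the protocol-aware check catches it. The binary upload shows the other side of his point: without protocol intelligence the raw-content match fires on a DATA payload that never reaches the vulnerable copy, a false positive the vulnerability-based rule does not produce.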



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of tanyoo10
Sent: Friday, March 13, 2009 10:21 AM
To: focus-ids
Cc: 肖斌
Subject: Exploit-based signature is dead, or not?

Greetings to everyone.

  I have some questions about exploit-based and vulnerability-based signature of IDS.

  I heard that exploit-based signatures are dead (useless), since vulnerability-based signatures are more effective than 
exploit-based signatures in that they can detect unknown exploits if a vulnerability can be utilized by many exploits. 
However, I don't agree with this argument, for the following reasons: 
(1) When a vulnerability is unknown, exploit-based might be a good solution. 
(2) Exploit-based signatures are still irreplaceable for early defense against zero-day worms or zero-day exploits, since 
exploit-based signatures can be generated in a more timely manner. 
(3) In a perfect world, we need to generate both types of signatures (even if finally we only use vulnerability-based 
signatures in detection). That way we not only know we were attacked, but we know with what type of exploit; or that 
it's a new unknown variant of an exploit. That's useful information in and of itself. 

        To support the above viewpoints, I have some concrete questions that need to be answered: 
(1) Were there some attacks that have an exploit-based signature but not a vulnerability-based signature? Can someone 
give me some examples? 
(2) Are there some examples to show that exploit-based signatures were generated much more quickly and timely than 
vulnerability-based signatures for historical worms or attacks? 
(3) Do current IDSs (e.g. Snort) use both signature types, exploit-based and vulnerability-based? If so, what percentage 
of signatures are exploit-based? 

Thanks for any input on discussing "exploit-based vs. vulnerability-based signatures"! 
