IDS mailing list archives

Re: Exploit-based signature is dead, or not?

From: "tanyoo10" <tanyoo10 () 163 com>
Date: Wed, 18 Mar 2009 22:18:43 +0800

        Maybe this is an example for Q(2)  ( http://vil.nai.com/vil/Content/v_vul31280.htm ), such that the first 
exploit for MS07-029 vulnerability was found on 4/14/2007, its signature was released on 4/17/2007, and the signature 
was continually updated with the discovery of some new exploits. From the statement "McAfee Avert Labs will continue to 
update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge", we know that the 
signature should be an exploit-based signature. 

Regards
Yong

Greetings to everyone.

I have some questions about exploit-based and vulnerability-based signature of IDS.

I heard that exploit-based signature is dead (useless), since vulnerability-based signatures are more effective than
exploit-based signatures in that they can detect unknown exploits if a vulnerability can be utilized by many
exploits. However, I don't agree with this argument, for the following reasons:
(1) When a vulnerability is unknown, exploit-based might be a good solution.
(2) Exploit-based signatures are still irrepetable for early defense of zero-day worms or zero-day exploits, since
exploit-based signatures can be generated more timely.
(3) In the perfect world, we need to generate both types of signatures (even finally we only use vulnerability-based
signature in detection). That way we not only know we were attacked, but we know with what type of exploit; or that
it's a new unknown variant of an exploit. That's useful information in and of itself.

To support the above viewpoints, I have some concrete questions needed to be answered:
(1) Were there some attacks that have exploit-based signature but have not vulnerability-based signature? Can someone
give me some exmples?
(2) Were there some examples to show that exploit-based signatures were generated much quickly and timely than the
generation of vulnerability-based signatures for the historical worms or attacks ?
(3) Does current IDS (e.g. Snort) use both signature types of exploit-based and vulnerability? If so, what percentage
of sigantures are exploit-based?

Thanks for you any input of discussing "exploit-based vs. vulnerability-based signature" !

Current thread:

Re: Intrusion Detection Evaluation Datasets, (continued)
- - - Re: Intrusion Detection Evaluation Datasets Damiano Bolzoni (Mar 18)
    - Re: Intrusion Detection Evaluation Datasets Seth Hall (Mar 16)
- Re: Intrusion Detection Evaluation Datasets Sam Gorton (Mar 13)
  - Re: Intrusion Detection Evaluation Datasets Raffael Marty (Mar 13)
  - Exploit-based signature is dead, or not? tanyoo10 (Mar 16)
    - Re: Exploit-based signature is dead, or not? Sergio 'shadown' Alvarez (Mar 16)
    - Re: Exploit-based signature is dead, or not? Jackie Lai (Mar 17)
    - Re: Re: Exploit-based signature is dead, or not? tanyoo10 (Mar 17)
    - RE: Exploit-based signature is dead, or not? Addepalli Srini-B22160 (Mar 17)
    - Re: Exploit-based signature is dead, or not? Joel Esler (Mar 30)
  - Re: Exploit-based signature is dead, or not? tanyoo10 (Mar 18)
- Re: Re: Intrusion Detection Evaluation Datasets zubair . shafiq (Mar 13)