Bugtraq mailing list archives

Re: Snort exploits


From: Darren Reed <avalon () coombs anu edu au>
Date: Thu, 18 Apr 2002 18:08:49 +1000 (Australia/ACT)


Given your history in "the industry", what is your impression of the
average lag time between a virus being released into the wild and a
fingerprint update being available from a vendor ?  Is it days, weeks
or months ?  Also, what's the average interval in updates for anti-virus
software users ?

Let's say I map out all the web servers on the net, next month.
The next day a new vulnerability in IIS is released.  Within a
day I should be able to "0wn" a number of web servers I know
to be vulnerable.  Unlike a virus, me exploiting them is not
dependent upon them doing anything (i.e. reading their email)
except having IIS up and running.  Also, it is "always rush hour
somewhere on the 'net".

Another difference is in what it takes for a virus to work.  It
has to propagate from system to system and will eventually make
itself known.  Once released, it is out of control of the writer
(more or less).

The IDS vs hackers battle is different.  A hacker may develop an
exploit and use it successfully through IDSs for some time, maybe
even years.  The IDS provides a defence against known scripts and
known exploits but there is no reason to believe that this knowledge
is anywhere near the 99% level an anti-virus program will achieve.

If IDS vendors construct good honeypots, there is a chance that they
may pick up otherwise unknown attack signatures.  You might even
venture to say that any IDS vendor that doesn't have a number of
sophisticated honeypots for this purpose is on the road to nowhere.

Darren

