Dailydave mailing list archives

Re: File-format based vulns - How do IDS/IPS vendors detect them?


From: Matt Hargett <matt () use net>
Date: Wed, 09 Nov 2005 12:37:15 +0000

Joshua Russel wrote:
After the recent announcement of file-format based vulnerabilities in
MS Patch Tuesday, I was wondering how IPS/IDS vendors claim to
protect against them (most of them, like TippingPoint, claim to do so).
Do they scan data transfer streams (SMTP, FTP, HTTP, etc.) for these
malicious files, or is it a local check? If they do detect it on the
network, doesn't it screw up their device due to a high chance of false
positives and high resource consumption?

I imagine they wait for files that exploit the bug(s) in the wild, or craft their own. Then they probably make a signature for a specific sequence of bytes within said file. There might be other sanity checking; it really depends on how much state they can keep in memory at wire speed, which depends on how much (if any) packet reassembly they do, whether they decode base64 email attachment streams, etc.

I haven't worked on IDSes in years, so if there are more articulate practices now, someone please correct me.
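As an added illustration (not part of the thread, and not Matt's or any vendor's code), the Python sketch below shows the three mechanics his reply touches on: a byte-sequence signature for a file, why cross-segment matching needs either full reassembly or at least a bounded carry-over buffer when the pattern straddles a packet boundary, and why a base64-encoded mail attachment is invisible to a raw-stream scan unless the sensor decodes it first. The signature bytes, the file fragment, the segment split and the MIME message are all constructed for the demonstration and correspond to no real file format or vulnerability.

```python
import base64
import re

# Constructed marker standing in for "a specific sequence of bytes within
# said file". It is a made-up pattern, not a real file-format signature.
SIGNATURE = b"BADHDR\xff\xfe\x00\x00"

# Constructed file: a 12-byte fake header, then the marker, then filler.
SAMPLE_FILE = b"HDR1" + b"\x00" * 8 + SIGNATURE + b"A" * 32

# The same file split into two TCP-style segments so that the marker is cut
# at byte 16 (four bytes of it in the first segment, six in the second).
SAMPLE_PACKETS = [SAMPLE_FILE[:16], SAMPLE_FILE[16:]]

# Constructed single-part SMTP message carrying the file as a base64 attachment.
SAMPLE_MESSAGE = (
    b"From: sender@example.test\r\n"
    b"To: recipient@example.test\r\n"
    b"Subject: report\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: application/octet-stream; name=\"report.bin\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.encodebytes(SAMPLE_FILE)
)


def scan_per_packet(packets, sig):
    """Stateless matching: each segment is searched on its own, so a
    signature that straddles a boundary is never seen."""
    return any(sig in pkt for pkt in packets)


def scan_reassembled(packets, sig):
    """Full reassembly: buffer the whole stream, then search. Catches the
    straddling case at the cost of holding every byte in memory."""
    return sig in b"".join(packets)


def scan_with_carry(packets, sig):
    """Bounded-state compromise: keep only the last len(sig)-1 bytes of the
    previous segment, which is exactly enough to catch a signature split
    across one in-order boundary. Out-of-order or retransmitted segments
    would still need real reassembly."""
    carry = b""
    for pkt in packets:
        window = carry + pkt
        if sig in window:
            return True
        carry = window[-(len(sig) - 1):] if len(sig) > 1 else b""
    return False


def decode_body(message):
    """Minimal (constructed) handling of a single-part message: split headers
    from body and base64-decode the body if the headers say so."""
    head, sep, body = message.partition(b"\r\n\r\n")
    if not sep:
        return b""
    if re.search(rb"(?im)^content-transfer-encoding:\s*base64\s*$", head):
        return base64.b64decode(body)
    return body


def scan_mail(message, sig):
    """Compare a raw byte scan of the SMTP stream with a scan of the decoded
    attachment. The raw scan cannot hit: base64 output is pure ASCII, while
    the signature contains bytes outside that range."""
    return {
        "raw": sig in message,
        "decoded": sig in decode_body(message),
    }


if __name__ == "__main__":
    print("per-packet   :", scan_per_packet(SAMPLE_PACKETS, SIGNATURE))
    print("reassembled  :", scan_reassembled(SAMPLE_PACKETS, SIGNATURE))
    print("carry-over   :", scan_with_carry(SAMPLE_PACKETS, SIGNATURE))
    print("mail scan    :", scan_mail(SAMPLE_MESSAGE, SIGNATURE))
```

Run directly, the per-packet scan misses the split marker while both the reassembled and carry-over scans find it, and the mail scan reports a miss on the raw stream but a hit once the attachment is decoded. The carry-over variant is the part worth noting for the "how much state at wire speed" question: it bounds memory to the signature length per flow rather than the stream length, but only handles in-order segments, which is the trade-off a sensor makes when it cannot afford full reassembly.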
