IDS mailing list archives

RE: Vulnerability vs. Exploit signatures and IPS??


From: "Andrew Plato" <andrew.plato () anitian com>
Date: Wed, 18 May 2005 10:51:06 -0700

DISCLAIMER: My firm is a Tipping Point and ISS reseller. 

Hi Jacob. I'd be happy to explain it. While it's a little marketing
fluff, there are actually big benefits to Tipping Point's method. 

A lot of IPS/IDSs have their signatures set to fire on exploit
fingerprints. That is, they release a signature to detect an exploit
after the exploit is released into the wild. This is done by simply
analyzing a packet capture of the exploit, locating some unique pattern
in the exploit packets, and then keying on that pattern. So long as a
packet stream has that pattern in it - the IPS fires an alert. This
works fine, except when the next variant of the exploit comes out, it
can typically fly right by the IPS until the vendor releases a new
signature. 

Alternatively, you can have signatures based on vulnerability. This is
how Tipping Point, ISS, and some others do it. For this technique, you
analyze ALL traffic of a specific protocol. This typically requires the
ability to perform a full protocol analysis (something ISS pioneered).
For example, logon traffic for Windows machines. There are known
vulnerabilities to the logon service. If you send a huge string of
characters to the logon service, you can overflow a buffer and then
write code into memory and execute it. This is how a whole series of
exploits work.  

The Tipping Points have triggers to accomplish this, whereas ISS uses
thresholds. If the TP sees a Windows logon request with a huge string of
characters being sent, it deems that an attack and can (if so
configured) block it. Since there is no logical reason to have a huge
string of characters there, it's a very effective detection method. Only
after it has detected the trigger will the IPS send the packet stream to
a more in-depth analysis engine to match the packet stream to a
known exploit. This is typically just to correctly name the attack. The
protection has already worked. 

The benefit of this method is that you can detect and block a whole set
of exploits with a single signature. TP will often release new
signatures simply so the correct name of the exploit is identified
without having to change the original detection signature. 

The end result is that TP and ISS products tend to be better at catching
zero-day exploits than other IPSs. 

_____________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________

GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 633D
GPG public key available at: http://www.anitian.com/corp/keys.htm 
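
As an added illustration of the distinction described in the reply above (example code, not from the thread or from either vendor): a constructed toy logon format, an exploit-fingerprint signature keyed on one captured byte pattern, and a vulnerability-style trigger that parses the field and fires on an implausible length. The format, the pattern, the 64-byte threshold and the sample packets are all assumptions made up for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed toy "logon request": 4-byte magic b"LOGN", 2-byte big-endian
# username length, then the username bytes. Not any real Windows protocol.
MAGIC = b"LOGN"
MAX_REASONABLE_USERNAME = 64   # assumption: sane upper bound for the field

@dataclass
class LogonRequest:
    username: bytes

def parse_logon(packet: bytes) -> Optional[LogonRequest]:
    """Full protocol parse: returns None if the packet is not a logon request."""
    if len(packet) < 6 or packet[:4] != MAGIC:
        return None
    length = int.from_bytes(packet[4:6], "big")
    body = packet[6:6 + length]
    if len(body) != length:
        return None          # truncated: declared length exceeds payload
    return LogonRequest(username=body)

# Exploit-fingerprint signature: keys on a byte pattern seen in one capture
# (constructed pattern), regardless of which protocol the bytes belong to.
EXPLOIT_PATTERN = re.compile(rb"AAAA" * 8 + rb"\x90\x90")

def exploit_signature_fires(packet: bytes) -> bool:
    return EXPLOIT_PATTERN.search(packet) is not None

# Vulnerability-based trigger: parse first, then fire on the oversized field.
def vulnerability_trigger_fires(packet: bytes) -> bool:
    req = parse_logon(packet)
    return req is not None and len(req.username) > MAX_REASONABLE_USERNAME

def build_logon(username: bytes) -> bytes:
    return MAGIC + len(username).to_bytes(2, "big") + username

# Constructed samples: a normal logon, the "captured" oversized request the
# exploit signature was written from, and a variant with a different filler.
NORMAL   = build_logon(b"alice")
CAPTURED = build_logon(b"A" * 32 + b"\x90\x90" + b"X" * 200)
VARIANT  = build_logon(b"B" * 300)

def compare(packet: bytes) -> dict:
    """Which of the two detection methods fires on this packet."""
    return {"exploit_sig": exploit_signature_fires(packet),
            "vuln_trigger": vulnerability_trigger_fires(packet)}
```

Running compare() on the three samples shows the exploit signature catching only the captured request, while the length trigger catches both oversized requests and ignores the same byte pattern when it appears outside a logon request.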


-----Original Message-----
From: Jacob Winston [mailto:jctx09 () yahoo com] 
Sent: Monday, May 16, 2005 7:58 PM
To: focus-ids () securityfocus com
Subject: Vulnerability vs. Exploit signatures and IPS??




Can someone explain to me the difference in writing signatures based on
Vulnerabilities versus writing signatures based on Exploits?
TippingPoint makes a claim that their IPS is better because they write
signatures based on Vulnerabilities and not exploits. I don't quite
understand this.

Thank you,

------------------------------------------------------------------------
--

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--



