IDS mailing list archives
RE: Vulnerability vs. Exploit signatures and IPS??
From: "Andrew Plato" <andrew.plato () anitian com>
Date: Wed, 18 May 2005 10:51:06 -0700
DISCLAIMER: My firm is a Tipping Point and ISS reseller.

Hi Jacob. I'd be happy to explain it. While it's a little marketing fluff, there are actually big benefits to Tipping Point's method.

A lot of IPS/IDSs have their signatures set to fire on exploit fingerprints. That is, they release a signature to detect an exploit after the exploit is released into the wild. This is done by simply analyzing a packet capture of the exploit, locating some unique pattern in the exploit packets, and then keying on that pattern. So long as a packet stream has that pattern in it, the IPS fires an alert. This works fine, except when the next variant of the exploit comes out, it can typically fly right by the IPS until the vendor releases a new signature.

Alternatively, you can have signatures based on vulnerability. This is how Tipping Point, ISS, and some others do it. For this technique, you analyze ALL traffic of a specific protocol. This typically requires the ability to perform a full protocol analysis (something ISS pioneered). For example, logon traffic for Windows machines. There are known vulnerabilities in the logon service. If you send a huge string of characters to the logon service, you can overflow a buffer and then write code into memory and execute it. This is how a whole series of exploits work. The Tipping Points have triggers to accomplish this, whereas ISS uses thresholds. If the TP sees a Windows logon request with a huge string of characters being sent, it deems that an attack and can (if so configured) block it. Since there is no logical reason to have a huge string of characters there, it's a very effective detection method. Only after it has detected the trigger will the IPS send the packet stream to a more in-depth analysis engine that tries to match the packet stream to a known exploit. This is typically just to correctly name the attack. The protection has already worked.
The benefit of this method is that you can detect and block a whole set of exploits with a single signature. TP will often release new signatures simply so the correct name of the exploit is identified, without having to change the original detection signature. The end result is that TP and ISS products tend to be better at catching zero-day exploits than other IPSs.

_____________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________
GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 633D
GPG public key available at: http://www.anitian.com/corp/keys.htm

-----Original Message-----
From: Jacob Winston [mailto:jctx09 () yahoo com]
Sent: Monday, May 16, 2005 7:58 PM
To: focus-ids () securityfocus com
Subject: Vulnerability vs. Exploit signatures and IPS??

Can someone explain to me the difference in writing signatures based on Vulnerabilities versus writing signatures based on Exploits? TippingPoint makes a claim that their IPS is better because they write signatures based on Vulnerabilities and not exploits. I don't quite understand this.

Thank you,

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
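The two approaches Andrew describes above, as an added example that is not part of his post and does not come from any TippingPoint or ISS product: the "exploit signature" is a byte pattern lifted from one capture, while the "vulnerability signature" decodes the protocol and fires on the condition that triggers the bug (an oversized field), blocking first and only then naming the attack. The `LOGON <username> <password>` wire format, the 64-byte buffer, the NOP-sled pattern and all sample messages are constructed for this example and are not a real Windows logon protocol.

```python
import re
from dataclasses import dataclass

# Constructed toy protocol, NOT a real Windows logon format:
#   b"LOGON <username> <password>\n"
# The hypothetical server copies <username> into a fixed 64-byte buffer,
# so a username longer than that is the vulnerable condition itself.
USERNAME_BUFFER = 64


@dataclass
class Verdict:
    blocked: bool
    reason: str
    name: str = ""


# --- Approach 1: exploit signature -----------------------------------
# Pattern taken from a (constructed) capture of one specific exploit:
# eight or more NOP bytes followed by the marker "ABCD". Only that one
# exploit's bytes are matched; the vulnerable condition is never checked.
EXPLOIT_A = re.compile(rb"\x90{8,}ABCD")


def exploit_sig_detect(msg: bytes) -> Verdict:
    if EXPLOIT_A.search(msg):
        return Verdict(True, "matched Exploit-A byte pattern", "Exploit-A")
    return Verdict(False, "no exploit pattern")


# --- Approach 2: vulnerability signature -----------------------------
def parse_logon(msg: bytes):
    """Minimal protocol decode; returns (username, password) or None."""
    if not msg.startswith(b"LOGON "):
        return None
    body = msg[len(b"LOGON "):].rstrip(b"\n")
    user, _, password = body.partition(b" ")
    return user, password


def vuln_sig_detect(msg: bytes) -> Verdict:
    fields = parse_logon(msg)
    if fields is None:
        return Verdict(False, "not a LOGON request")
    user, _ = fields
    if len(user) <= USERNAME_BUFFER:
        return Verdict(False, "username within buffer size")
    # Trigger fired: block on the oversized field, then hand the stream
    # to the exploit-matching pass only to put a name on the attack.
    verdict = Verdict(True, f"username {len(user)} bytes > {USERNAME_BUFFER}",
                      "oversized LOGON username (unnamed variant)")
    named = exploit_sig_detect(msg)
    if named.blocked:
        verdict.name = named.name
    return verdict


# Constructed sample traffic (not captured from any real system).
SAMPLES = {
    "benign": b"LOGON alice s3cret\n",
    "benign_long": b"LOGON " + b"b" * USERNAME_BUFFER + b" pw\n",
    "exploit_a": b"LOGON " + b"\x90" * 32 + b"ABCD" + b"X" * 96 + b" pw\n",
    # Variant: sled bytes interleaved and marker renamed, same overflow.
    "variant_b": b"LOGON " + b"\x41\x90" * 16 + b"WXYZ" + b"X" * 96 + b" pw\n",
}


def compare(samples=SAMPLES):
    """Return {sample: (exploit_sig_blocked, vuln_sig_blocked, attack_name)}."""
    out = {}
    for name, msg in samples.items():
        e = exploit_sig_detect(msg)
        v = vuln_sig_detect(msg)
        out[name] = (e.blocked, v.blocked, v.name)
    return out


if __name__ == "__main__":
    for name, (e, v, label) in compare().items():
        print(f"{name:12} exploit-sig={'BLOCK' if e else 'pass '} "
              f"vuln-sig={'BLOCK' if v else 'pass '} {label}")
```

Running it shows the point of the thread: `exploit_a` is blocked by both engines, but `variant_b`, which changes only the sled and marker bytes, sails past the exploit signature and is still blocked by the vulnerability signature; it just lands with a generic name until a naming signature is added. The 64-byte boundary (`benign_long`) is deliberately left alone, since the trigger is "longer than the buffer", not "long".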
Current thread:
- Vulnerability vs. Exploit signatures and IPS?? Jacob Winston (May 18)
- Re: Vulnerability vs. Exploit signatures and IPS?? Matt . Carpenter (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? Ed Gibbs (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? Jordan Wiens (May 19)
- RE: Vulnerability vs. Exploit signatures and IPS?? Bill Royds (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? David W. Goodrum (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? Matthew Watchinski (May 19)
- Re: Vulnerability vs. Exploit signatures and IPS?? Iván Arce (May 24)
- <Possible follow-ups>
- RE: Vulnerability vs. Exploit signatures and IPS?? Andrew Plato (May 19)
- RE: Vulnerability vs. Exploit signatures and IPS?? Jason Anderson (May 19)