IDS mailing list archives

Re: Vulnerability vs. Exploit signatures and IPS??


From: Matt.Carpenter () alticor com
Date: Wed, 18 May 2005 14:00:16 -0400

The vulnerabilities often can take many shapes, with arbitrary selections 
which "work" but are not mandated.
Exploits like those found in worms and hacker tools will have a particular 
signature.  Since other code can exploit the same vulnerability but look 
different on the wire, each exploit requires its own signature.

Signatures based on exploits must first have known exploits to identify, 
making them a strictly reactive defense.

Signatures based on the vulnerabilities only require intimate knowledge of 
the vulnerabilities.  They can be developed prior to any known exploits, 
allowing them to be proactive.  This method, done well, is likely to pick 
up exploits before they are publicly available.  Unfortunately, due to the 
increased vagueness of the signature, this method can also lead to more 
false-positives unless the sig-developer has intimate knowledge of the 
protocol as well.  More knowledge is required, often more value is 
delivered.

Matthew Carpenter
IT Security Specialist
Alticor Corporation
Phone: 616-787-0287
Email: matt.carpenter () alticor com

Jacob Winston <jctx09 () yahoo com>
16/05/2005 22:57

To: focus-ids () securityfocus com
Subject: Vulnerability vs. Exploit signatures and IPS??

Can someone explain to me the difference in writing signatures based on 
Vulnerabilities versus writing signatures based on Exploits? TippingPoint 
makes a claim that their IPS is better because they write signatures based 
on Vulnerabilities and not exploits. I don't quite understand this.

Thank you,

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
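As an added illustration of the distinction drawn in the reply above (constructed here, not code from the thread or from any IPS vendor): three detectors run over sample traffic for a toy line-based protocol. It assumes a hypothetical server that copies the argument of "USER <name>" into a 64-byte buffer, one signature written from a single known exploit's bytes, and two written from the vulnerability itself, only one of which understands the protocol's field layout.

```python
import re

# Assumed toy protocol (constructed, not from the thread): the server copies the
# first argument of "USER <name> [comment]" into a 64-byte buffer, so a name
# longer than that overflows it.
BUFFER_LEN = 64

# Exploit-based signature: the exact byte pattern one known tool sends.
# (Constructed sample pattern: a long run of "A".)
EXPLOIT_SIG = re.compile(rb"USER A{32,}")


def exploit_signature(msg: bytes) -> bool:
    """Reactive: matches only the bytes of the one exploit it was written from."""
    return EXPLOIT_SIG.search(msg) is not None


def naive_vuln_signature(msg: bytes) -> bool:
    """Vulnerability-based but protocol-unaware: flags any long USER line."""
    return msg.startswith(b"USER ") and len(msg) > BUFFER_LEN


def vuln_signature(msg: bytes) -> bool:
    """Vulnerability-based and protocol-aware: measures the one field that
    actually reaches the 64-byte buffer, ignoring the optional comment."""
    if not msg.startswith(b"USER "):
        return False
    name = msg[5:].rstrip(b"\r\n").split(b" ", 1)[0]
    return len(name) > BUFFER_LEN


# Constructed traffic samples.
SAMPLES = {
    "benign":        b"USER alice\r\n",
    "benign_long":   b"USER bob " + b"x" * 70 + b"\r\n",   # long line, short name
    "known_exploit": b"USER " + b"A" * 200 + b"\r\n",      # the tool the sig was built from
    "variant":       b"USER " + b"B" * 200 + b"\r\n",      # same bug, different bytes
}


def evaluate() -> dict:
    """Return (exploit_sig, naive_vuln_sig, vuln_sig) verdicts per sample."""
    return {name: (exploit_signature(m), naive_vuln_signature(m), vuln_signature(m))
            for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:14s} exploit={verdicts[0]} naive_vuln={verdicts[1]} vuln={verdicts[2]}")
```

The variant evades the exploit signature but not either vulnerability signature, while the protocol-unaware one also fires on the long but harmless line, which is the false-positive cost the reply warns about.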