IDS mailing list archives
Re: Vulnerability vs. Exploit signatures and IPS??
From: Matt.Carpenter () alticor com
Date: Wed, 18 May 2005 14:00:16 -0400
The vulnerabilities often can take many shapes, with arbitrary selections which "work" but are not mandated. Exploits like those found in worms and hacker tools will have a particular signature. Since other code can exploit the same vulnerability but look different on the wire, each exploit requires its own signature.

Signatures based on exploits must first have known exploits to identify, making them a strictly reactive defense. Signatures based on the vulnerabilities only require intimate knowledge of the vulnerabilities. They can be developed prior to any known exploits, allowing them to be proactive. This method, done well, is likely to pick up exploits before they are publicly available.

Unfortunately, due to the increased vagueness of the signature, this method can also lead to more false-positives unless the sig-developer has intimate knowledge of the protocol as well. More knowledge is required, often more value is delivered.

Matthew Carpenter
IT Security Specialist
Alticor Corporation
Phone: 616-787-0287
Email: matt.carpenter () alticor com
PGP Fingerprint: 52C3 328D C29C 178B 2DFD 9EA8 C710 0042 8CB4 3CDB

Jacob Winston <jctx09 () yahoo com>
16/05/2005 22:57
To: focus-ids () securityfocus com
Subject: Vulnerability vs. Exploit signatures and IPS??

Can someone explain to me the difference in writing signatures based on Vulnerabilities versus writing signatures based on Exploits? TippingPoint makes a claim that their IPS is better because they write signatures based on Vulnerabilities and not exploits. I don't quite understand this.

Thank you,
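The distinction discussed in the message above, as an added example that is not part of the original thread: three detectors run over constructed traffic for a hypothetical line-based protocol whose server is assumed to copy the USER argument into a 64-byte buffer. The protocol, the limit, the sample payloads and all function names are assumptions made for illustration.

```python
import re

# Hypothetical toy protocol (assumption, not from the thread): "VERB argument\r\n".
# Assumed flaw: the server copies the USER argument into a 64-byte buffer.
USER_ARG_LIMIT = 64

# Exploit signature: literal bytes lifted from one known (constructed) exploit.
EXPLOIT_SIG = re.compile(rb"USER A{100}")

def exploit_signature(payload: bytes) -> bool:
    """Fires only on traffic that looks like the one exploit it was built from."""
    return EXPLOIT_SIG.search(payload) is not None

def naive_vuln_signature(payload: bytes) -> bool:
    """Vulnerability signature written without protocol knowledge: any long line."""
    return any(len(line) > USER_ARG_LIMIT for line in payload.split(b"\r\n"))

def protocol_aware_vuln_signature(payload: bytes) -> bool:
    """Fires on the vulnerable condition itself: an over-long USER argument."""
    for line in payload.split(b"\r\n"):
        verb, _, arg = line.partition(b" ")
        if verb.upper() == b"USER" and len(arg) > USER_ARG_LIMIT:
            return True
    return False

# Constructed sample traffic (not captured from any real system).
SAMPLES = {
    "known_exploit": b"USER " + b"A" * 100 + b"\r\n",
    # Same condition, different bytes on the wire: lowercase verb, other filler.
    "variant_overlong": b"user " + bytes(range(0x30, 0x7B)) * 2 + b"\r\n",
    "benign_login": b"USER alice\r\n",
    # Long but harmless: a different verb that the assumed flaw does not affect.
    "benign_long_note": b"NOTE " + b"meeting moved to the third floor room " * 3 + b"\r\n",
}

def evaluate() -> dict:
    """Return {sample: (exploit_sig, naive_vuln_sig, protocol_aware_sig)}."""
    return {
        name: (exploit_signature(p), naive_vuln_signature(p),
               protocol_aware_vuln_signature(p))
        for name, p in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, (exp, naive, aware) in evaluate().items():
        print(f"{name:18} exploit={exp!s:5} naive_vuln={naive!s:5} aware_vuln={aware}")
```

The exploit signature misses the variant, the naive vulnerability signature raises a false positive on the long NOTE line, and only the protocol-aware check gets all four samples right.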